Edit tour

Windows Analysis Report
rPO_CW00402902400415.exe

Overview

General Information

Sample name:	rPO_CW00402902400415.exe
Analysis ID:	1518169
MD5:	0e509caf00f17b291c24a27e87e9cacc
SHA1:	fa90e2eb0ce15a16ebacb5acac99fda9ef977827
SHA256:	c6f3ede5e924420f0b933fee1beb94cf12fcd3eb1a4a390cbcd6041c19a6fe50
Tags:	exeuser-Porcupine
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rPO_CW00402902400415.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\rPO_CW00402902400415.exe" MD5: 0E509CAF00F17B291C24A27E87E9CACC)

AddInProcess32.exe (PID: 1344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 3096 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

WerFault.exe (PID: 5000 cmdline: C:\Windows\system32\WerFault.exe -u -p 6860 -s 1040 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alhoneycomb.com", "Username": "blog@alhoneycomb.com", "Password": "          WORTHwill3611!           "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.4137755318.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4137755318.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4139321179.0000000002421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4139321179.0000000002421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rPO_CW00402902400415.exe PID: 6860	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rPO_CW00402902400415.exe PID: 6860	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rPO_CW00402902400415.exe PID: 6860	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rPO_CW00402902400415.exe PID: 6860	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1344	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rPO_CW00402902400415.exe.19319f83b50.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPO_CW00402902400415.exe.19319f83b50.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rPO_CW00402902400415.exe.19319f83b50.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a1c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33aa6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b38:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33ba2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33caa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x357aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3581c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x358a6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35938:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x359a2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35a14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35aaa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35b3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x357aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3581c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x358a6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35938:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x359a2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35a14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35aaa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35b3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rPO_CW00402902400415.exe.19319f46b08.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPO_CW00402902400415.exe.19319f46b08.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rPO_CW00402902400415.exe.19319f46b08.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a1c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33aa6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b38:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33ba2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33caa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rPO_CW00402902400415.exe.19319f46b08.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPO_CW00402902400415.exe.19319f46b08.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rPO_CW00402902400415.exe.19319f46b08.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x357aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x727f2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3581c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72864:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x358a6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x728ee:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35938:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72980:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x359a2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x729ea:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35a14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72a5c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35aaa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72af2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35b3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x72b82:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 74.119.238.7, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 1344, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T13:47:01.460408+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49735	74.119.238.7	587	TCP
2024-09-25T13:47:09.424925+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49738	74.119.238.7	587	TCP
2024-09-25T13:48:43.590012+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49745	74.119.238.7	587	TCP
2024-09-25T13:49:07.670179+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49746	74.119.238.7	587	TCP
2024-09-25T13:49:23.297545+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49747	74.119.238.7	587	TCP
2024-09-25T13:49:31.532720+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49748	74.119.238.7	587	TCP
2024-09-25T13:49:47.914945+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49749	74.119.238.7	587	TCP
2024-09-25T13:50:00.396305+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49751	74.119.238.7	587	TCP
2024-09-25T13:50:00.403942+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49750	74.119.238.7	587	TCP
2024-09-25T13:50:08.939842+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49753	74.119.238.7	587	TCP
2024-09-25T13:50:25.237826+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49754	74.119.238.7	587	TCP
2024-09-25T13:50:37.665189+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49755	74.119.238.7	587	TCP
2024-09-25T13:50:39.578772+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49756	74.119.238.7	587	TCP
2024-09-25T13:50:46.404575+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49757	74.119.238.7	587	TCP
2024-09-25T13:50:55.302341+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49758	74.119.238.7	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T13:47:06.967082+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49735	74.119.238.7	587	TCP
2024-09-25T13:47:09.213303+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49738	74.119.238.7	587	TCP
2024-09-25T13:48:43.573976+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49745	74.119.238.7	587	TCP
2024-09-25T13:49:07.660343+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49746	74.119.238.7	587	TCP
2024-09-25T13:49:23.290985+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49747	74.119.238.7	587	TCP
2024-09-25T13:49:31.524220+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49748	74.119.238.7	587	TCP
2024-09-25T13:49:47.907211+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49749	74.119.238.7	587	TCP
2024-09-25T13:50:00.389766+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49751	74.119.238.7	587	TCP
2024-09-25T13:50:00.393270+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49750	74.119.238.7	587	TCP
2024-09-25T13:50:08.929717+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49753	74.119.238.7	587	TCP
2024-09-25T13:50:25.226860+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49754	74.119.238.7	587	TCP
2024-09-25T13:50:37.656934+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49755	74.119.238.7	587	TCP
2024-09-25T13:50:39.572077+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49756	74.119.238.7	587	TCP
2024-09-25T13:50:46.397475+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49757	74.119.238.7	587	TCP
2024-09-25T13:50:55.295564+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49758	74.119.238.7	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T13:47:06.967082+0200	2855245	1	A Network Trojan was detected	192.168.2.4	49735	74.119.238.7	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T13:47:01.460408+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49735	74.119.238.7	587	TCP
2024-09-25T13:47:09.424925+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49738	74.119.238.7	587	TCP
2024-09-25T13:48:43.590012+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49745	74.119.238.7	587	TCP
2024-09-25T13:49:07.670179+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49746	74.119.238.7	587	TCP
2024-09-25T13:49:23.297545+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49747	74.119.238.7	587	TCP
2024-09-25T13:49:31.532720+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49748	74.119.238.7	587	TCP
2024-09-25T13:49:47.914945+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49749	74.119.238.7	587	TCP
2024-09-25T13:50:00.396305+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49751	74.119.238.7	587	TCP
2024-09-25T13:50:00.403942+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49750	74.119.238.7	587	TCP
2024-09-25T13:50:08.939842+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49753	74.119.238.7	587	TCP
2024-09-25T13:50:25.237826+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49754	74.119.238.7	587	TCP
2024-09-25T13:50:37.665189+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49755	74.119.238.7	587	TCP
2024-09-25T13:50:39.578772+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49756	74.119.238.7	587	TCP
2024-09-25T13:50:46.404575+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49757	74.119.238.7	587	TCP
2024-09-25T13:50:55.302341+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49758	74.119.238.7	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T13:47:01.460408+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49735	74.119.238.7	587	TCP
2024-09-25T13:47:09.424925+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49738	74.119.238.7	587	TCP
2024-09-25T13:48:43.590012+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49745	74.119.238.7	587	TCP
2024-09-25T13:49:07.670179+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49746	74.119.238.7	587	TCP
2024-09-25T13:49:23.297545+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49747	74.119.238.7	587	TCP
2024-09-25T13:49:31.532720+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49748	74.119.238.7	587	TCP
2024-09-25T13:49:47.914945+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49749	74.119.238.7	587	TCP
2024-09-25T13:50:00.396305+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49751	74.119.238.7	587	TCP
2024-09-25T13:50:00.403942+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49750	74.119.238.7	587	TCP
2024-09-25T13:50:08.939842+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49753	74.119.238.7	587	TCP
2024-09-25T13:50:25.237826+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49754	74.119.238.7	587	TCP
2024-09-25T13:50:37.665189+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49755	74.119.238.7	587	TCP
2024-09-25T13:50:39.578772+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49756	74.119.238.7	587	TCP
2024-09-25T13:50:46.404575+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49757	74.119.238.7	587	TCP
2024-09-25T13:50:55.302341+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49758	74.119.238.7	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alhoneycomb.com", "Username": "blog@alhoneycomb.com", "Password": " WORTHwill3611! "}

Multi AV Scanner detection for submitted file

Source: rPO_CW00402902400415.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rPO_CW00402902400415.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPO_CW00402902400415.exe PID: 6860, type: MEMORYSTR

Source: rPO_CW00402902400415.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdbpH{ source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8D6B.tmp.dmp.5.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49735 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49735 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49745 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49747 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49746 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49738 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49749 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49738 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49738 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49738 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49747 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49747 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49750 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49749 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49749 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49749 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49747 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49745 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49745 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49745 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49746 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49751 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49746 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49746 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49748 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49750 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49750 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49750 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49751 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49751 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49751 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49754 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49754 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49754 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49754 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49755 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49748 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49748 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49748 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49756 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49756 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49756 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49756 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49758 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49755 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49755 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49755 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49758 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49758 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49758 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49757 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49757 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49757 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49757 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49753 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49753 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49753 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49753 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49735 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49735 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49735 -> 74.119.238.7:587

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 74.119.238.7:587

Source: Joe Sandbox View

ASN Name: VPLSNETUS VPLSNETUS

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 74.119.238.7:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.alhoneycomb.com

Source: AddInProcess32.exe, 00000001.00000002.4139321179.0000000002856000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.00000000026BB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.0000000002421000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.0000000002734000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.00000000025FD000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.0000000002560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.alhoneycomb.com
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4137755318.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, SKTzxzsJw.cs	.Net Code: GhwkGV1Ll50
Source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.raw.unpack, SKTzxzsJw.cs	.Net Code: GhwkGV1Ll50

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 1_2_059ADBC8 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,059AEA70,00000000,00000000

1_2_059ADBC8

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rPO_CW00402902400415.exe

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Code function: 0_2_00007FFD9BAC43C5	0_2_00007FFD9BAC43C5
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Code function: 0_2_00007FFD9BABF3C9	0_2_00007FFD9BABF3C9
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Code function: 0_2_00007FFD9BAB93A8	0_2_00007FFD9BAB93A8
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Code function: 0_2_00007FFD9BACA069	0_2_00007FFD9BACA069
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Code function: 0_2_00007FFD9BAB4D5D	0_2_00007FFD9BAB4D5D
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Code function: 0_2_00007FFD9BB80000	0_2_00007FFD9BB80000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_02294330	1_2_02294330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_02294C00	1_2_02294C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_02293FE8	1_2_02293FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_02291B41	1_2_02291B41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0229BF20	1_2_0229BF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0229BF10	1_2_0229BF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_059A4700	1_2_059A4700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_059A9CAC	1_2_059A9CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_059AB530	1_2_059AB530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_059A26F0	1_2_059A26F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_059A7CD0	1_2_059A7CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_059A7900	1_2_059A7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_05E69B89	1_2_05E69B89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_05E64BA0	1_2_05E64BA0

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6860 -s 1040

Source: rPO_CW00402902400415.exe

Static PE information: No import functions for PE file found

Source: rPO_CW00402902400415.exe, 00000000.00000000.1670596569.00000193081B8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTransponer.exe6 vs rPO_CW00402902400415.exe
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb17b300f-3107-4f0e-bd36-73672dc506a5.exe4 vs rPO_CW00402902400415.exe
Source: rPO_CW00402902400415.exe	Binary or memory string: OriginalFilenameTransponer.exe6 vs rPO_CW00402902400415.exe

Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@6/5@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6860

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\38d3f890-3016-41b0-a1ab-aaa6e4cce410

Jump to behavior

Source: rPO_CW00402902400415.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rPO_CW00402902400415.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rPO_CW00402902400415.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe

File read: C:\Users\user\Desktop\rPO_CW00402902400415.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rPO_CW00402902400415.exe "C:\Users\user\Desktop\rPO_CW00402902400415.exe"
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6860 -s 1040
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: rPO_CW00402902400415.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rPO_CW00402902400415.exe

Static file information: File size 1849494 > 1048576

Source: rPO_CW00402902400415.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdbpH{ source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WER8D6B.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8D6B.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Code function: 0_2_00007FFD9BAB8167 push ebx; ret	0_2_00007FFD9BAB816A
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Code function: 0_2_00007FFD9BAC58BF push ecx; ret	0_2_00007FFD9BAC58C2
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Code function: 0_2_00007FFD9BB80000 push esp; retf 4810h	0_2_00007FFD9BB80312

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: rPO_CW00402902400415.exe PID: 6860, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Memory allocated: 193084F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Memory allocated: 19321F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 21B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 21B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199289	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198953	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 3472			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 6331			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99452s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98357s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98238s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -196218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -97970s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -97843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -97722s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -97582s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99561s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99442s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99199s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -97999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -1199891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -1199765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -1199643s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -1199422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -1199289s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -1199172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -1199062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6888	Thread sleep time: -1198953s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98357	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98238	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97970	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97722	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97582	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99442	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99199	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199289	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198953	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000001.00000002.4144764045.0000000005759000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: rPO_CW00402902400415.exe, 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: rPO_CW00402902400415.exe, --.cs	Reference to suspicious API methods: LoadLibrary(_321A(_3196_3227_A97F_322F._318F_319D_31D7_A9BC_A9B3_D7C9))
Source: rPO_CW00402902400415.exe, --.cs	Reference to suspicious API methods: GetProcAddress(intPtr, _321A(_3196_3227_A97F_322F._3190_3212_D7FC))
Source: rPO_CW00402902400415.exe, --.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)enumerable.ToArray().Length, 64u, out var _31C8)
Source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, zOS.cs	Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 442000	Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3E5008	Jump to behavior

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"			Jump to behavior
Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"			Jump to behavior

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe	Queries volume information: C:\Users\user\Desktop\rPO_CW00402902400415.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rPO_CW00402902400415.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4137755318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4139321179.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPO_CW00402902400415.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1344, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4137755318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4139321179.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPO_CW00402902400415.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1344, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f83b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO_CW00402902400415.exe.19319f46b08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4137755318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4139321179.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPO_CW00402902400415.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1344, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	31 Input Capture	1 Process Discovery	Remote Desktop Protocol	31 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	1 Credentials in Registry	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rPO_CW00402902400415.exe	53%	ReversingLabs	Win64.Spyware.Negasteal
rPO_CW00402902400415.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://mail.alhoneycomb.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.alhoneycomb.com	74.119.238.7	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
https://account.dyn.com/	rPO_CW00402902400415.exe, 00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4137755318.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.alhoneycomb.com	AddInProcess32.exe, 00000001.00000002.4139321179.0000000002856000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.00000000026BB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.0000000002421000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.0000000002734000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.00000000025FD000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000001.00000002.4139321179.0000000002560000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
74.119.238.7	mail.alhoneycomb.com	United States		35908	VPLSNETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518169
Start date and time:	2024-09-25 13:46:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rPO_CW00402902400415.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@6/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 45 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: rPO_CW00402902400415.exe

Simulations

Behavior and APIs

Time	Type	Description
07:47:03	API Interceptor	9605495x Sleep call for process: AddInProcess32.exe modified
07:47:10	API Interceptor	1x Sleep call for process: WerFault.exe modified
12:46:48	Task Scheduler	Run new task: {8A5B439B-D615-4531-9F05-A57B712A52DA} path:

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VPLSNETUS	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	67.198.129.29
	SecuriteInfo.com.FileRepMalware.25505.20211.exe	Get hash	malicious	Unknown	Browse	66.186.50.50
	arm.elf	Get hash	malicious	Mirai	Browse	67.229.74.119
	bolonetwork.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	184.164.217.225
	95DVgihS4k.elf	Get hash	malicious	Unknown	Browse	67.229.75.73
	hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.38
	RFQ_372842754579.pdf.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.38
	BEddZjSb7A.elf	Get hash	malicious	Unknown	Browse	174.139.231.30
	wNJM6XQwaZ.elf	Get hash	malicious	Unknown	Browse	98.126.6.63
	czEunnbk7b.elf	Get hash	malicious	Mirai	Browse	98.126.6.34

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rPO_CW0040290240_3337ff837319f9c3d7f3ada581f0997a8cb9321c_4b0452fd_c1c7692c-f1ab-48eb-a03e-dae1a522c1a4\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9883881010331115
Encrypted:	false
SSDEEP:	192:smdbi2FK50UnUlaWB9fCzuiFGZ24lO86:hM2FnUnUlam9azuiFGY4lO86
MD5:	94F38BC6503573F1C23DE0BC4FA6AD3D
SHA1:	D53AB5BC3FE1F1220AF58258B6780CD4718DEBD9
SHA-256:	54A3024B1298DD79085CA7D68A8CD710F90AD37A05CA9A77F0BBC3BAA4D7C2CA
SHA-512:	109F872F6B7D07EA2ABC412288A210DDF5D029CE444999CF628A61A0F2C40014331FCA55ACFB985A6B626556688D386F9264E37608AAA1E5C065B4642E522255
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.3.8.4.1.8.4.3.6.7.1.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.3.8.4.2.0.3.2.7.3.5.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.1.c.7.6.9.2.c.-.f.1.a.b.-.4.8.e.b.-.a.0.3.e.-.d.a.e.1.a.5.2.2.c.1.a.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.0.8.9.4.e.5.-.6.0.5.7.-.4.4.0.4.-.a.9.e.5.-.5.f.3.7.f.9.9.d.9.7.e.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.P.O._.C.W.0.0.4.0.2.9.0.2.4.0.0.4.1.5...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.r.a.n.s.p.o.n.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.c.c.-.0.0.0.1.-.0.0.1.4.-.a.6.4.e.-.c.8.9.f.4.0.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.8.7.8.5.3.e.9.0.f.6.0.5.6.a.0.6.1.c.8.9.8.f.b.9.d.3.d.a.1.c.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.a.9.0.e.2.e.b.0.c.e.1.5.a.1.6.e.b.a.c.b.5.a.c.a.c.9.9.f.d.a.9.e.f.9.7.7.8.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D6B.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Sep 25 11:46:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	387776
Entropy (8bit):	3.2532903907701263
Encrypted:	false
SSDEEP:	3072:u4KIIuf8zUztj4blgagcSdoB1CCqOW03+vTo3brEIJ:uCMSFIqb03QTo88
MD5:	CDB31EB7AA5F9CC04C1335103D1BB4A2
SHA1:	088A1018ECFAF4945852D18A9D7C283FD0356FA4
SHA-256:	68E45B67E61B52138A416E71286B66E566E6EE646D0350F1AC81AA74C38016F0
SHA-512:	5299844FFC832416B66F01CA9B25B266918D1E4B5FB46E6C3BE1C0230762582343EE7FE1ECA50BE3B59D4B19D612DB8D78B4512DA890BC03D14A0AA6D9A60D5B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......3..f....................................$...........`...........tE..,t..........l.......8...........T............(...............7...........9..............................................................................eJ.......9......Lw......................T...........1..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93B5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8638
Entropy (8bit):	3.702482003755678
Encrypted:	false
SSDEEP:	192:R6l7wVeJWhYy2f6Y9b+OVigmfoO6Jlprj89br88fBZm:R6lXJoYdf6YhhVigmfvisr/fu
MD5:	BD1B730E7E8A22ED13271BC915E17648
SHA1:	766CB57BD0B058FD2A375A1F19DC1D19A5A85B56
SHA-256:	3C881C7AA4F05038BBB845EEDAB00E7C696389534A517DB9425E51367ACB5BDC
SHA-512:	B4946DCD3AD3FF26D484F51C3281928BAD5192AD035CB196EE9AD9AAF9460D447261E6A2F519EF0BC09C4FDB3F90893DD66DC148B0C292E62083D63CFB25D66D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93F4.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4808
Entropy (8bit):	4.520253134841157
Encrypted:	false
SSDEEP:	48:cvIwWl8zsp+Jg771I9ClWpW8VYjNPYm8M4J5kXAFOIyq85VEWz7WSeWvd:uIjfp0I7dU7VxJ302Svvd
MD5:	C6E9FBEE00352549D2651BA40A7F9B35
SHA1:	C107B87C81C4D171526C12714D031D5AA858210E
SHA-256:	4D9AE970F621F7066DF8719DB0BEC81C7561CD94A0152D4E00AA0AF22CF4B731
SHA-512:	0B2634DDADD4B614A6A01150CC11C87D88402DA9FE4A54A400E545F0E8E80522563BCA5621BF58A6936EA641926616D9516D354085ABB243C81F72145633F440
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515689" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465734888271991
Encrypted:	false
SSDEEP:	6144:uIXfpi67eLPU9skLmb0b4mWSPKaJG8nAgejZMMhA2gX4WABl0uNIdwBCswSbgy:jXD94mWlLZMM6YFH++gy
MD5:	948B4EF3E1E790EC54AE7DAF7A01C99C
SHA1:	0B92EA550D0CF2E99E70A6F89538193DB70CE565
SHA-256:	53BD01760ACD60B08C3109C6CE037E9F6A4FFAD90886FA1840281A8BD5FEC687
SHA-512:	41D867BFAE045934D6E94FA294405B3830B4A5CDE228C8E33A34B2B8BBAF1EC1025F2D3837B5808C0F6FA1E9BC28E4723AF1B42F572F9FD61E5B404601A3C7E3
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*.@................................................................................................................................................................................................................................................................................................................................................a..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.3336408452956645
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	rPO_CW00402902400415.exe
File size:	1'849'494 bytes
MD5:	0e509caf00f17b291c24a27e87e9cacc
SHA1:	fa90e2eb0ce15a16ebacb5acac99fda9ef977827
SHA256:	c6f3ede5e924420f0b933fee1beb94cf12fcd3eb1a4a390cbcd6041c19a6fe50
SHA512:	23d2b6b222f571a339c5385a8bdc2be3eeee37fc047b8c2ccb18a53cbcfc044736ac37744e557fb23730d4c1ef494b42cc24c26f5587169fcbcdd093cbd7bb51
SSDEEP:	12288:PDo56nVCOiH4p6rJDYq0adTWyiFOI/jAlI11Krtkv2+dH/4g1pc+4/AVP0+saK9V:b46rncr1LavsI112kvHdRpNH7eV
TLSH:	068522A6B2575D47FE008972D2E275F440FCAD8376F2A08FEF90AE3225905BD8501DB6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0..A............... ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F19604 [Mon Sep 23 16:23:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x5ea	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x41c4	0x4200	ba77e0d6963330031ff5b64061006513	False	0.6039891098484849	data	6.35621370856705	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x5ea	0x600	6607d61143a669c71136267a0b616d6c	False	0.421875	data	4.148329262417721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80a0	0x360	data			0.41087962962962965
RT_MANIFEST	0x8400	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-25T13:47:01.460408+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49735	74.119.238.7	587	TCP
2024-09-25T13:47:01.460408+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49735	74.119.238.7	587	TCP
2024-09-25T13:47:01.460408+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49735	74.119.238.7	587	TCP
2024-09-25T13:47:06.967082+0200	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49735	74.119.238.7	587	TCP
2024-09-25T13:47:06.967082+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49735	74.119.238.7	587	TCP
2024-09-25T13:47:09.213303+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49738	74.119.238.7	587	TCP
2024-09-25T13:47:09.424925+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49738	74.119.238.7	587	TCP
2024-09-25T13:47:09.424925+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49738	74.119.238.7	587	TCP
2024-09-25T13:47:09.424925+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49738	74.119.238.7	587	TCP
2024-09-25T13:48:43.573976+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49745	74.119.238.7	587	TCP
2024-09-25T13:48:43.590012+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49745	74.119.238.7	587	TCP
2024-09-25T13:48:43.590012+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49745	74.119.238.7	587	TCP
2024-09-25T13:48:43.590012+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49745	74.119.238.7	587	TCP
2024-09-25T13:49:07.660343+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49746	74.119.238.7	587	TCP
2024-09-25T13:49:07.670179+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49746	74.119.238.7	587	TCP
2024-09-25T13:49:07.670179+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49746	74.119.238.7	587	TCP
2024-09-25T13:49:07.670179+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49746	74.119.238.7	587	TCP
2024-09-25T13:49:23.290985+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49747	74.119.238.7	587	TCP
2024-09-25T13:49:23.297545+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49747	74.119.238.7	587	TCP
2024-09-25T13:49:23.297545+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49747	74.119.238.7	587	TCP
2024-09-25T13:49:23.297545+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49747	74.119.238.7	587	TCP
2024-09-25T13:49:31.524220+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49748	74.119.238.7	587	TCP
2024-09-25T13:49:31.532720+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49748	74.119.238.7	587	TCP
2024-09-25T13:49:31.532720+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49748	74.119.238.7	587	TCP
2024-09-25T13:49:31.532720+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49748	74.119.238.7	587	TCP
2024-09-25T13:49:47.907211+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49749	74.119.238.7	587	TCP
2024-09-25T13:49:47.914945+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49749	74.119.238.7	587	TCP
2024-09-25T13:49:47.914945+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49749	74.119.238.7	587	TCP
2024-09-25T13:49:47.914945+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49749	74.119.238.7	587	TCP
2024-09-25T13:50:00.389766+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49751	74.119.238.7	587	TCP
2024-09-25T13:50:00.393270+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49750	74.119.238.7	587	TCP
2024-09-25T13:50:00.396305+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49751	74.119.238.7	587	TCP
2024-09-25T13:50:00.396305+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49751	74.119.238.7	587	TCP
2024-09-25T13:50:00.396305+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49751	74.119.238.7	587	TCP
2024-09-25T13:50:00.403942+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49750	74.119.238.7	587	TCP
2024-09-25T13:50:00.403942+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49750	74.119.238.7	587	TCP
2024-09-25T13:50:00.403942+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49750	74.119.238.7	587	TCP
2024-09-25T13:50:08.929717+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49753	74.119.238.7	587	TCP
2024-09-25T13:50:08.939842+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49753	74.119.238.7	587	TCP
2024-09-25T13:50:08.939842+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49753	74.119.238.7	587	TCP
2024-09-25T13:50:08.939842+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49753	74.119.238.7	587	TCP
2024-09-25T13:50:25.226860+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49754	74.119.238.7	587	TCP
2024-09-25T13:50:25.237826+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49754	74.119.238.7	587	TCP
2024-09-25T13:50:25.237826+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49754	74.119.238.7	587	TCP
2024-09-25T13:50:25.237826+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49754	74.119.238.7	587	TCP
2024-09-25T13:50:37.656934+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49755	74.119.238.7	587	TCP
2024-09-25T13:50:37.665189+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49755	74.119.238.7	587	TCP
2024-09-25T13:50:37.665189+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49755	74.119.238.7	587	TCP
2024-09-25T13:50:37.665189+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49755	74.119.238.7	587	TCP
2024-09-25T13:50:39.572077+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49756	74.119.238.7	587	TCP
2024-09-25T13:50:39.578772+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49756	74.119.238.7	587	TCP
2024-09-25T13:50:39.578772+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49756	74.119.238.7	587	TCP
2024-09-25T13:50:39.578772+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49756	74.119.238.7	587	TCP
2024-09-25T13:50:46.397475+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49757	74.119.238.7	587	TCP
2024-09-25T13:50:46.404575+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49757	74.119.238.7	587	TCP
2024-09-25T13:50:46.404575+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49757	74.119.238.7	587	TCP
2024-09-25T13:50:46.404575+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49757	74.119.238.7	587	TCP
2024-09-25T13:50:55.295564+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49758	74.119.238.7	587	TCP
2024-09-25T13:50:55.302341+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49758	74.119.238.7	587	TCP
2024-09-25T13:50:55.302341+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49758	74.119.238.7	587	TCP
2024-09-25T13:50:55.302341+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49758	74.119.238.7	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 13:47:04.941143036 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:04.947170973 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:04.947247028 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:05.638761997 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:05.641513109 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:05.647032976 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:05.804575920 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:05.805526972 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:05.810698986 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.182398081 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.182692051 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:06.183689117 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.183737040 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:06.188745975 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.460321903 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.468729973 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:06.474056959 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.627687931 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.631253958 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:06.636177063 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.803392887 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.803546906 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:06.808424950 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.962250948 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.966983080 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:06.967082024 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:06.967082024 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:06.967082977 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:06.971940994 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.971976042 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.972003937 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:06.972014904 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:07.232748032 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:07.276155949 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:07.281500101 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:07.636418104 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:07.636528015 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:07.636596918 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:07.636596918 CEST	49735	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:07.637392044 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:07.644391060 CEST	587	49735	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:07.644407034 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:07.644489050 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:08.248948097 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:08.249205112 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:08.254487991 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:08.405469894 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:08.405621052 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:08.411079884 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:08.562674046 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:08.562902927 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:08.568892002 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:08.722192049 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:08.722336054 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:08.728849888 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:08.885415077 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:08.885658979 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:08.892091036 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.055907965 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.056024075 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.060971022 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.211589098 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.213254929 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.213254929 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.213303089 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.213303089 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.213402033 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.213444948 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.213444948 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.213465929 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.213574886 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:47:09.217986107 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.218029976 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.218040943 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.218190908 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.218235016 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.218388081 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.218436003 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.378366947 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:47:09.424925089 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:41.413129091 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:41.418138981 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:41.770004988 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:41.770095110 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:41.770109892 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:41.770143986 CEST	49738	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:41.773382902 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:41.775302887 CEST	587	49738	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:41.778518915 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:41.778580904 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:42.429656029 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:42.429876089 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:42.434732914 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:42.588143110 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:42.591605902 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:42.597374916 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:42.753504992 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:42.754079103 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:42.759125948 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.041888952 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.045347929 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.050334930 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.210947990 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.217628002 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.222508907 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.397593975 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.398029089 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.402879953 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.556334019 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.573771000 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.573878050 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.573976040 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.574147940 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.578815937 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.578830957 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.578855991 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.579092026 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.584904909 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.589942932 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.589961052 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.589982033 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.589993000 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.590003967 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.590012074 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.590017080 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.590080976 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.590080976 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.590161085 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.590286016 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.590385914 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.594899893 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.594981909 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.594994068 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.595038891 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.595068932 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.595101118 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.595164061 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.595221996 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.595305920 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.595334053 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.595400095 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.599903107 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600006104 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.600009918 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600024939 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600095034 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.600110054 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600128889 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600192070 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.600238085 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600249052 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600284100 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600295067 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600344896 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600357056 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600368977 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600378990 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600398064 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600544930 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600557089 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600568056 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600578070 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600588083 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600596905 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600606918 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600616932 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600626945 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600637913 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600647926 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600657940 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.600667953 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.604872942 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.604906082 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.604917049 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.604926109 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.604939938 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.604988098 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605003119 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605041027 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605051041 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605062008 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605072021 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605092049 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605103970 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605144978 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605154991 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605175018 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.605185032 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.632170916 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.632217884 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:48:43.637087107 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:43.976730108 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:48:44.018790960 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:05.575747013 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:05.580760002 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:05.938637018 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:05.938741922 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:05.938780069 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:05.938813925 CEST	49745	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:05.939769983 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:05.943615913 CEST	587	49745	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:05.944550991 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:05.944614887 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:06.551584959 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:06.552933931 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:06.557744980 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:06.707174063 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:06.707376957 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:06.713840008 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:06.866311073 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:06.866539001 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:06.871463060 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.027324915 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.027512074 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.032411098 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.181534052 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.181715012 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.186533928 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.501878977 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.503649950 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.509244919 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.659615040 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.659961939 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.660307884 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.660342932 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.660429955 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.663245916 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.666346073 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.666654110 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.666810036 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.666824102 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.666858912 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.670124054 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.670140028 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.670152903 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.670167923 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.670178890 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.670181990 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.670221090 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.670242071 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.670245886 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.670255899 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.670270920 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.670286894 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.670299053 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.670311928 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.670319080 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.670337915 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.672003031 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.672544003 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.678136110 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.678165913 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.678179979 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.678193092 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.678206921 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.678220987 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.678224087 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.678364992 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.679250002 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.679303885 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.684400082 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.684493065 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.685157061 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685172081 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685184002 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685197115 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685210943 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685214996 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.685224056 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685237885 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685250044 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:07.685254097 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685297966 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685311079 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685323000 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685642004 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685656071 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685668945 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.685813904 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.686281919 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.686295033 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.686306953 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.686414003 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691148996 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691164970 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691294909 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691308022 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691703081 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691715956 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691844940 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691858053 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691869020 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691881895 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691894054 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691905975 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691916943 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691983938 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:07.691996098 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:08.032486916 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:08.254695892 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:08.254781961 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:21.234174967 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:21.241043091 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:21.593621016 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:21.593802929 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:21.593820095 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:21.593904972 CEST	49746	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:21.594926119 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:21.598743916 CEST	587	49746	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:21.600220919 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:21.600909948 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:22.205683947 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:22.205909014 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:22.211136103 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:22.366255045 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:22.366671085 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:22.371615887 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:22.526968002 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:22.527296066 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:22.532105923 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:22.701180935 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:22.727858067 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:22.732644081 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:22.889359951 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:22.890943050 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:22.895781994 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.065275908 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.130258083 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.135190010 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.290498018 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.290745020 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.290936947 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.290985107 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.291100025 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.292448044 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.295610905 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.295819998 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.295876026 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.295905113 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.295933962 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.297370911 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.297436953 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.297482014 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.297514915 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.297544956 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.297570944 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.297588110 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.297616959 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.297643900 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.297646046 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.297669888 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.297697067 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.297707081 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.297735929 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.297764063 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.297791958 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.297818899 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.300753117 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.300816059 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.302557945 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.302649975 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.302675962 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.302705050 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.302736998 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.302752972 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.302778006 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.302803040 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.302944899 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.303004026 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.303014994 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.303034067 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.303061962 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.305772066 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.305902958 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.307574987 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.307627916 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.307679892 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.307698965 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.307732105 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.307784081 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.307790995 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.307887077 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.307954073 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:23.307964087 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.307991028 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308020115 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308072090 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308101892 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308154106 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308182955 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308209896 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308238029 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308264971 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308294058 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308345079 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308372974 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308401108 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308429003 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308455944 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308489084 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.308516026 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.310862064 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.310909986 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.310995102 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.311023951 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.312552929 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.312660933 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.312720060 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313333035 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313366890 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313448906 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313518047 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313546896 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313580990 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313632011 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313661098 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313688993 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313716888 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313744068 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313796043 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313824892 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.313853025 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.685333967 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:23.810970068 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:29.596510887 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:29.601624966 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:29.959502935 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:29.959583044 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:29.959614038 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:29.959702969 CEST	49747	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:29.960841894 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:29.964437008 CEST	587	49747	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:29.965696096 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:29.965761900 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:30.576704979 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:30.576945066 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:30.581801891 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:30.733571053 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:30.733803034 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:30.738758087 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:30.889780045 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:30.889980078 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:30.894763947 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.045902967 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.046174049 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.050986052 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.202318907 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.202510118 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.208841085 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.368489027 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.368673086 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.373548031 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.523530960 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.524116993 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.524116993 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.524219990 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.524272919 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.526911020 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.529982090 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.530010939 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.530025005 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.530095100 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.530158997 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.532635927 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.532720089 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.532876015 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.533065081 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.535655022 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.535738945 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.537611961 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.537714005 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.537792921 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.537895918 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.537966013 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.538009882 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.538072109 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.538084984 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.538093090 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.538120031 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.538161993 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.540632963 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.540661097 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.540710926 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.542851925 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543090105 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.543093920 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543108940 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543185949 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.543288946 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543303013 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543349981 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543416023 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:31.543422937 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543478012 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543521881 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543561935 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543627977 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543732882 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543801069 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543813944 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543951035 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.543963909 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.545566082 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.547348976 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.547363043 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.547399998 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.547414064 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.547439098 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.547451973 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.547465086 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.547843933 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.547939062 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548011065 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548058987 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548077106 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548105001 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548163891 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548193932 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548209906 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548350096 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548363924 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548418999 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548433065 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548546076 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548558950 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548583031 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548625946 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548676014 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548688889 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548719883 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.548784971 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.895278931 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:31.940773964 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:45.752015114 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:45.759465933 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:46.110486984 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:46.110502005 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:46.110572100 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:46.110635996 CEST	49748	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:46.111805916 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:46.117537022 CEST	587	49748	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:46.118876934 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:46.118979931 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:46.750304937 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:46.753251076 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:46.758193016 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:46.909567118 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:46.913117886 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:46.919363976 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.071275949 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.074176073 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.079103947 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.424681902 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.425062895 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.431792021 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.580908060 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.581587076 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.586452961 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.751648903 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.752006054 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.756985903 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.906538963 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.907012939 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.907161951 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.907211065 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.907326937 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.909926891 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.909972906 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.911911964 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.912034988 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.912102938 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.912168980 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.912174940 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.914710045 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.914764881 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.914885044 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.914926052 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.914931059 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.914943933 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.914944887 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.914990902 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.915008068 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.915014029 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.915210962 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.916986942 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.917079926 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.919673920 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.919735909 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.919750929 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.919807911 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.919830084 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.919848919 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.919898033 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.919913054 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.919950008 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.919965982 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.920068979 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.920079947 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.920128107 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.920193911 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.920277119 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.922116041 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.922159910 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.922389030 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.922460079 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.924655914 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.924666882 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.924731016 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.924742937 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.924782038 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.924814939 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.924840927 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.925251961 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.925313950 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:47.925364971 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.927042961 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.927048922 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.927064896 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.927179098 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.927227020 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.927232027 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.927283049 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.927289009 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929543018 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929548979 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929585934 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929610968 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929617882 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929630041 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929656982 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929675102 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929785967 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929790974 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929837942 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929845095 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929857969 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929868937 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929881096 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.929886103 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.930046082 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.930147886 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.930282116 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:47.930288076 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:48.290328026 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:48.378370047 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:58.181993008 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:58.231596947 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:58.582319975 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:58.582456112 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:58.582478046 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:58.582524061 CEST	49749	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:58.583367109 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:58.587297916 CEST	587	49749	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:58.588150978 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:58.588239908 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:58.595824003 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:58.600630045 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:58.600714922 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:59.241594076 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.242506027 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:59.247370005 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.252166033 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.252357960 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:59.257186890 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.402936935 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.405088902 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:59.409955978 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.410754919 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.411117077 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:59.415894985 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.565506935 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.565967083 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:59.570787907 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.573605061 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.573916912 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:59.578773975 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.737960100 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.738229990 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:59.742007971 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.742249012 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:49:59.743063927 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:49:59.747060061 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.053877115 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.053893089 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.054053068 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.054117918 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.058837891 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.058845997 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.227026939 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.227157116 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.231909037 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.232218981 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.232332945 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.237134933 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.389353991 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.389750957 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.389750957 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.389765978 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.389822960 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.391439915 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.392995119 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.393172979 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.393234968 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.393270016 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.393313885 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.394495010 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.394556999 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.394567966 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.394613981 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.394803047 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.396251917 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.396262884 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.396305084 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.396323919 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.396326065 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.396332979 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.396342039 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.396369934 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.396378040 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.396397114 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.396409035 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.398766041 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.399235010 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.399298906 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.399300098 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.399310112 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.399319887 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.399339914 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.399348974 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.399358034 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.399358034 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.399398088 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.399411917 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.401139975 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.401185989 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.401210070 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.401221037 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.401274920 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.401335955 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.401355982 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.401388884 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.401396036 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.401412010 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.401446104 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.403552055 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.403597116 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.403902054 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.403942108 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.404012918 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.404028893 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.404057980 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.404073000 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.404078960 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.404086113 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.404097080 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.404098034 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.404124975 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.404145002 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.405880928 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.405934095 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.405944109 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.405955076 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.405962944 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.405981064 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.405994892 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.406032085 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.406038046 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.406065941 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.406091928 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.406135082 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.406145096 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.406177998 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.406183958 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.406186104 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.406249046 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.408531904 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.408653975 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.408663988 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.408699036 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.408761024 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.408817053 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.408899069 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.408912897 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.409041882 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.409102917 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.410648108 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410731077 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.410742044 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410785913 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410797119 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410805941 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410823107 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410866976 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410891056 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410902023 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410912991 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410928011 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.410960913 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.410991907 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.411000967 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.411004066 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.411010027 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.411053896 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.413186073 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413197994 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413209915 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413219929 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413237095 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413338900 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413360119 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413369894 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413378954 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413388014 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413399935 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413408995 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413425922 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413466930 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413476944 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413496017 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413505077 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413513899 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413523912 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413533926 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413583994 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.413604021 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.414036036 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.414096117 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.414227962 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.414278984 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.414401054 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.414449930 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.415620089 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.415699959 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.415935040 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.415992975 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.416188955 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416198969 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416208029 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416218996 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416300058 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416310072 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416318893 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416429043 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416438103 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416564941 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416639090 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416693926 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416778088 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416786909 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.416795969 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.418637991 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.418981075 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.418991089 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419001102 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419009924 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419148922 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419157028 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419186115 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419193983 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419397116 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419459105 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419466972 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.419473886 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.420552969 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.420562029 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.420599937 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.420608997 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.420823097 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.420898914 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.420989037 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.425702095 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.778933048 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.792026997 CEST	587	49750	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:00.832926989 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:00.880932093 CEST	49750	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:05.027139902 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:05.031888008 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:05.386956930 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:05.387082100 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:05.387130022 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:05.387197018 CEST	49751	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:05.388113976 CEST	49752	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:05.393732071 CEST	587	49751	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:05.394720078 CEST	587	49752	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:05.394802094 CEST	49752	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:05.973901033 CEST	587	49752	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:05.974323034 CEST	49752	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:05.979195118 CEST	587	49752	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:06.132379055 CEST	587	49752	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:06.132653952 CEST	49752	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:06.137473106 CEST	587	49752	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:06.293986082 CEST	587	49752	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:06.294264078 CEST	49752	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:06.299154997 CEST	587	49752	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:06.409703016 CEST	49752	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:06.414729118 CEST	587	49752	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:06.414823055 CEST	49752	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:06.463974953 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:06.468796968 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:06.469096899 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:07.018098116 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:07.018239975 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:07.023318052 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:07.174287081 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:07.174484015 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:07.182461023 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:07.333709955 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:07.333957911 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:07.338860035 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:07.496124029 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:07.496342897 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:07.504725933 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:07.651818037 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:07.653286934 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:07.658775091 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.762449026 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.762592077 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.764682055 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.764812946 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.764875889 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.764920950 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.764940023 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.764982939 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.772217035 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.929207087 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.929596901 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.929647923 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.929717064 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.929760933 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.932602882 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.939563036 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939636946 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939646006 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939692974 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.939762115 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939771891 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939779043 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939841986 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.939851999 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939860106 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939868927 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939879894 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.939894915 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.939927101 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.940309048 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.940318108 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.940325975 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.940351963 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.940373898 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.944577932 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.944632053 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.944665909 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.944710016 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.944763899 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.944772005 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.944825888 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.944827080 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.944855928 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.944885969 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.944895029 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.944919109 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.944927931 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.945255041 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.945308924 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.945334911 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.945378065 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.945779085 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.945856094 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.950248957 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.950304985 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.950310946 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.950362921 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.950623989 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.950664997 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:08.950666904 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.950675011 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.950768948 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.950794935 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.950803995 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.950814962 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951030970 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951071978 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951078892 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951162100 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951170921 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951179028 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951416016 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951426029 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951435089 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951443911 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951459885 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951467991 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.951473951 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955394983 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955404043 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955419064 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955430031 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955461979 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955471039 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955480099 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955518961 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955528021 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955638885 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955647945 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955655098 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955662966 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955672026 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955679893 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955688000 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955846071 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955854893 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:08.955863953 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:09.313504934 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:09.362756968 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:23.019412994 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:23.024591923 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:23.383440971 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:23.383744955 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:23.383835077 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:23.384032965 CEST	49753	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:23.385293007 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:23.391105890 CEST	587	49753	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:23.391591072 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:23.391664028 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:23.998385906 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:23.998862028 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:24.004646063 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:24.164786100 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:24.164992094 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:24.169970989 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:24.460604906 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:24.460874081 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:24.474308014 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:24.747060061 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:24.747394085 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:24.752368927 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:24.901597023 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:24.901721954 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:24.907450914 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.070724964 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.070873022 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.075985909 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.225476980 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.225938082 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.226756096 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.226860046 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.226860046 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.231966019 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.232980967 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.232991934 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.232995987 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.233005047 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.233057022 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.237771034 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.237821102 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.237826109 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.237873077 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.237883091 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.237886906 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.237895012 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.237898111 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.237936974 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.238010883 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.238014936 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.238076925 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.242738962 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.242835999 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.242854118 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.242916107 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.242965937 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.243040085 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.243191957 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.243196964 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.243206024 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.243269920 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.243504047 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.243509054 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.243516922 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.243580103 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.243643045 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.243741989 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.247678995 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.247729063 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.247796059 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.247826099 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.247879982 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.247973919 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.247978926 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.247988939 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248030901 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.248117924 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248177052 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248303890 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248308897 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248317957 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248370886 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248486042 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248490095 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248500109 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248503923 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248514891 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248569965 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248574972 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248616934 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248725891 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248730898 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248739958 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248859882 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248864889 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248878956 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.248883009 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.252739906 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.252744913 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.252891064 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.252895117 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.252898932 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.252907991 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253036976 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253041029 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253050089 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253175974 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253180981 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253184080 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253187895 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253196955 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253223896 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.253304958 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:25.270606041 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.603751898 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:25.644023895 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:35.649914980 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:35.654870033 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.006119967 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.006263018 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:36.006318092 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.006581068 CEST	49754	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:36.007138014 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:36.011138916 CEST	587	49754	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.011921883 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.012372017 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:36.649435043 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.649646997 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:36.654627085 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.812257051 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.812500954 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:36.817867994 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.977385044 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:36.977621078 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:36.982462883 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.160439014 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.160615921 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.165463924 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.319883108 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.320086002 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.324924946 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.493993998 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.494132996 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.500015020 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.656573057 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.656842947 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.656904936 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.656934023 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.656982899 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.658235073 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.663114071 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.663219929 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.663259983 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.663310051 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.664093971 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.665128946 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.665189028 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.665292025 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.665330887 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.665338993 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.665385962 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.668137074 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.668185949 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.670069933 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.670119047 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.670169115 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.670177937 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.670233965 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.670268059 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.670312881 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.670331001 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.670377970 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.670444012 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.670485973 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.670526028 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.670574903 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.673079014 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.673127890 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.673130989 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.673176050 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.674972057 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675018072 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.675057888 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675101042 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675107002 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.675143957 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.675225019 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675251961 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675283909 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.675302982 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675328016 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675421953 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675456047 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675523996 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675563097 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675929070 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675937891 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.675991058 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.676000118 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.676008940 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.676023960 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.679430008 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.679439068 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.679445028 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.679461002 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.679532051 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.679539919 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.679577112 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.679972887 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681168079 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681175947 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681231976 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681240082 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681288004 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681296110 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681349039 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681358099 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681432009 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681440115 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681497097 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681505919 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681560040 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681569099 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681653023 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681709051 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.681809902 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.956645966 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:37.961968899 CEST	587	49755	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:37.962091923 CEST	49755	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:38.029000998 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:38.033986092 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:38.034132957 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:38.620735884 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:38.621220112 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:38.626091003 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:38.778038025 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:38.778238058 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:38.783032894 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:38.932553053 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:38.932806969 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:38.937674046 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.091675997 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.091835976 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.096636057 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.248099089 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.248241901 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.253062963 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.416466951 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.416601896 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.421758890 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.571702957 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.571942091 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.572077036 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.572077036 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.572077036 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.573286057 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.578668118 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.578679085 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.578685999 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.578696966 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.578768015 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.578772068 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.578810930 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.579566956 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.579579115 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.579586983 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.579632044 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.586067915 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.586076975 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.586085081 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.586093903 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.586102009 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.586114883 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.586124897 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.586132050 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.586133003 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.586194992 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.591237068 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591283083 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.591326952 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591367006 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.591406107 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591453075 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.591494083 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591514111 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591531992 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.591552973 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.591577053 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591588020 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591624975 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591629028 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.591645002 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591655970 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591669083 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591702938 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591732025 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591741085 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591763973 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591773033 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591833115 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591841936 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591850996 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591861010 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591878891 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.591887951 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596190929 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596199989 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596220970 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596230030 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596236944 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596292973 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596302032 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596333027 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596342087 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596357107 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596365929 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596417904 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596426964 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596481085 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596488953 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596498966 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596575975 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596637011 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596646070 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596667051 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596676111 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596692085 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.596699953 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.597026110 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:39.603168964 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:39.954680920 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:40.007222891 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:44.476958990 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:44.482016087 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:44.833487034 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:44.833585978 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:44.833677053 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:44.833724976 CEST	49756	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:44.835038900 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:44.838390112 CEST	587	49756	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:44.839852095 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:44.839934111 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:45.431463003 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:45.431663036 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:45.436624050 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:45.587785006 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:45.587929010 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:45.592967033 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:45.742717981 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:45.749026060 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:45.753880024 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:45.905823946 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:45.909248114 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:45.914274931 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.076251030 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.076435089 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.081231117 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.242641926 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.242796898 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.247657061 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.397072077 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.397414923 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.397475004 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.397475004 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.399493933 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.399494886 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.402358055 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.402369022 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.402378082 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.402709961 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.404339075 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.404433012 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.404536963 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.404575109 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.404620886 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.404762030 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.407109976 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.409141064 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.409456968 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.409532070 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.409565926 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.409583092 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.409610987 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.409616947 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.409620047 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.409636021 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.409720898 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.409784079 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.414074898 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.414163113 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.414457083 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.414525032 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.414532900 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.414634943 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.414681911 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.414711952 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.414738894 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.414778948 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:46.414871931 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.414984941 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.414994955 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.415045023 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.415081024 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.415091991 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.415127993 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.415164948 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.415234089 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.415244102 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.415252924 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.415285110 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419339895 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419352055 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419393063 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419445038 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419456005 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419529915 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419538975 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419548988 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419552088 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419555902 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419733047 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419743061 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419754028 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419764042 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419771910 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419781923 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419795036 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419804096 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419895887 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419905901 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419986010 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.419996977 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.420006037 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.420026064 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.420037985 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.420047998 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.420527935 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.769469023 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:46.815928936 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:53.363420963 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:53.368350029 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:53.721290112 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:53.721318007 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:53.721381903 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:53.721468925 CEST	49757	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:53.722533941 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:53.728471994 CEST	587	49757	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:53.731021881 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:53.731103897 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:54.321702957 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:54.321829081 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:54.326699972 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:54.479259014 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:54.479471922 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:54.486901045 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:54.634932995 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:54.635214090 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:54.640644073 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:54.808525085 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:54.811163902 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:54.815896988 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:54.970104933 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:54.971170902 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:54.976516008 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.138227940 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.138401985 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.143718958 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.294939041 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.295418978 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.295494080 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.295563936 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.295691967 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.297202110 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.300311089 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.300524950 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.300586939 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.300808907 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.301021099 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.302186012 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.302288055 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.302292109 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.302299976 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.302340984 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.302428961 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.306006908 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.306081057 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.307651043 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.311131954 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.311319113 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.311378956 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.311625957 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.318816900 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.318866968 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.318923950 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.318944931 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.319020033 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319060087 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.319094896 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319188118 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319190979 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.319248915 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.319408894 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:50:55.319488049 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319544077 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319628000 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319632053 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319683075 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319816113 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319819927 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319833040 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319835901 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.319844961 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.320111990 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.320194006 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.320203066 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.320205927 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327465057 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327470064 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327538967 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327543020 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327550888 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327584028 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327670097 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327855110 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327927113 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327930927 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327939987 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327943087 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327982903 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.327987909 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.328128099 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.328131914 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.328171015 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.328265905 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.328871965 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.328898907 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.328902006 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.329005957 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.329010010 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.679059982 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:50:55.815956116 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:06.196638107 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:06.201678991 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:06.552942991 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:06.553153992 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:06.553189039 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:06.553354979 CEST	49758	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:06.554009914 CEST	49759	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:06.558132887 CEST	587	49758	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:06.559103966 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:06.559262037 CEST	49759	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:07.175956964 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:07.178899050 CEST	49759	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:07.185142040 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:07.338933945 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:07.339180946 CEST	49759	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:07.345643044 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:07.498276949 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:07.500010967 CEST	49759	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:07.504838943 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:07.657423019 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:07.659315109 CEST	49759	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:07.664289951 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:07.928787947 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:07.928975105 CEST	49759	587	192.168.2.4	74.119.238.7
Sep 25, 2024 13:51:07.940243006 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:08.096441984 CEST	587	49759	74.119.238.7	192.168.2.4
Sep 25, 2024 13:51:08.144228935 CEST	49759	587	192.168.2.4	74.119.238.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 13:47:04.618244886 CEST	51752	53	192.168.2.4	1.1.1.1
Sep 25, 2024 13:47:04.933150053 CEST	53	51752	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 13:47:04.618244886 CEST	192.168.2.4	1.1.1.1	0xcaad	Standard query (0)	mail.alhoneycomb.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 13:47:04.933150053 CEST	1.1.1.1	192.168.2.4	0xcaad	No error (0)	mail.alhoneycomb.com		74.119.238.7	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 25, 2024 13:47:05.638761997 CEST	587	49735	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:17:05 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:47:05.641513109 CEST	49735	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:47:05.804575920 CEST	587	49735	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:47:05.805526972 CEST	49735	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:47:06.182398081 CEST	587	49735	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:47:06.183689117 CEST	587	49735	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:47:06.460321903 CEST	587	49735	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:47:06.468729973 CEST	49735	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:47:06.627687931 CEST	587	49735	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:47:06.631253958 CEST	49735	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:47:06.803392887 CEST	587	49735	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:47:06.803546906 CEST	49735	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:47:06.962250948 CEST	587	49735	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:47:06.967082977 CEST	49735	587	192.168.2.4	74.119.238.7	.
Sep 25, 2024 13:47:07.232748032 CEST	587	49735	74.119.238.7	192.168.2.4	250 OK id=1stQU6-003nie-2o
Sep 25, 2024 13:47:07.276155949 CEST	49735	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:47:07.636418104 CEST	587	49735	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:47:08.248948097 CEST	587	49738	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:17:08 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:47:08.249205112 CEST	49738	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:47:08.405469894 CEST	587	49738	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:47:08.405621052 CEST	49738	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:47:08.562674046 CEST	587	49738	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:47:08.722192049 CEST	587	49738	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:47:08.722336054 CEST	49738	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:47:08.885415077 CEST	587	49738	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:47:08.885658979 CEST	49738	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:47:09.055907965 CEST	587	49738	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:47:09.056024075 CEST	49738	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:47:09.211589098 CEST	587	49738	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:47:09.213574886 CEST	49738	587	192.168.2.4	74.119.238.7	.
Sep 25, 2024 13:47:09.378366947 CEST	587	49738	74.119.238.7	192.168.2.4	250 OK id=1stQU9-003nk4-0P
Sep 25, 2024 13:48:41.413129091 CEST	49738	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:48:41.770004988 CEST	587	49738	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:48:42.429656029 CEST	587	49745	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:18:42 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:48:42.429876089 CEST	49745	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:48:42.588143110 CEST	587	49745	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:48:42.591605902 CEST	49745	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:48:42.753504992 CEST	587	49745	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:48:43.041888952 CEST	587	49745	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:48:43.045347929 CEST	49745	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:48:43.210947990 CEST	587	49745	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:48:43.217628002 CEST	49745	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:48:43.397593975 CEST	587	49745	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:48:43.398029089 CEST	49745	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:48:43.556334019 CEST	587	49745	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:48:43.632217884 CEST	49745	587	192.168.2.4	74.119.238.7	.
Sep 25, 2024 13:48:43.976730108 CEST	587	49745	74.119.238.7	192.168.2.4	250 OK id=1stQVf-003p9u-1V
Sep 25, 2024 13:49:05.575747013 CEST	49745	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:49:05.938637018 CEST	587	49745	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:49:06.551584959 CEST	587	49746	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:19:06 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:49:06.552933931 CEST	49746	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:49:06.707174063 CEST	587	49746	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:49:06.707376957 CEST	49746	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:49:06.866311073 CEST	587	49746	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:49:07.027324915 CEST	587	49746	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:49:07.027512074 CEST	49746	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:49:07.181534052 CEST	587	49746	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:49:07.181715012 CEST	49746	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:49:07.501878977 CEST	587	49746	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:49:07.503649950 CEST	49746	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:49:07.659615040 CEST	587	49746	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:49:08.032486916 CEST	587	49746	74.119.238.7	192.168.2.4	250 OK id=1stQW3-003pTR-1q
Sep 25, 2024 13:49:08.254695892 CEST	587	49746	74.119.238.7	192.168.2.4	250 OK id=1stQW3-003pTR-1q
Sep 25, 2024 13:49:21.234174967 CEST	49746	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:49:21.593621016 CEST	587	49746	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:49:22.205683947 CEST	587	49747	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:19:22 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:49:22.205909014 CEST	49747	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:49:22.366255045 CEST	587	49747	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:49:22.366671085 CEST	49747	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:49:22.526968002 CEST	587	49747	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:49:22.701180935 CEST	587	49747	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:49:22.727858067 CEST	49747	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:49:22.889359951 CEST	587	49747	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:49:22.890943050 CEST	49747	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:49:23.065275908 CEST	587	49747	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:49:23.130258083 CEST	49747	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:49:23.290498018 CEST	587	49747	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:49:23.685333967 CEST	587	49747	74.119.238.7	192.168.2.4	250 OK id=1stQWJ-003peB-0e
Sep 25, 2024 13:49:29.596510887 CEST	49747	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:49:29.959502935 CEST	587	49747	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:49:30.576704979 CEST	587	49748	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:19:30 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:49:30.576945066 CEST	49748	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:49:30.733571053 CEST	587	49748	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:49:30.733803034 CEST	49748	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:49:30.889780045 CEST	587	49748	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:49:31.045902967 CEST	587	49748	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:49:31.046174049 CEST	49748	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:49:31.202318907 CEST	587	49748	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:49:31.202510118 CEST	49748	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:49:31.368489027 CEST	587	49748	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:49:31.368673086 CEST	49748	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:49:31.523530960 CEST	587	49748	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:49:31.895278931 CEST	587	49748	74.119.238.7	192.168.2.4	250 OK id=1stQWR-003pqD-1Q
Sep 25, 2024 13:49:45.752015114 CEST	49748	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:49:46.110486984 CEST	587	49748	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:49:46.750304937 CEST	587	49749	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:19:46 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:49:46.753251076 CEST	49749	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:49:46.909567118 CEST	587	49749	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:49:46.913117886 CEST	49749	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:49:47.071275949 CEST	587	49749	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:49:47.424681902 CEST	587	49749	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:49:47.425062895 CEST	49749	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:49:47.580908060 CEST	587	49749	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:49:47.581587076 CEST	49749	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:49:47.751648903 CEST	587	49749	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:49:47.752006054 CEST	49749	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:49:47.906538963 CEST	587	49749	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:49:48.290328026 CEST	587	49749	74.119.238.7	192.168.2.4	250 OK id=1stQWh-003q0C-2e
Sep 25, 2024 13:49:58.181993008 CEST	49749	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:49:58.582319975 CEST	587	49749	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:49:59.241594076 CEST	587	49750	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:19:59 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:49:59.242506027 CEST	49750	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:49:59.252166033 CEST	587	49751	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:19:59 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:49:59.252357960 CEST	49751	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:49:59.402936935 CEST	587	49750	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:49:59.405088902 CEST	49750	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:49:59.410754919 CEST	587	49751	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:49:59.411117077 CEST	49751	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:49:59.565506935 CEST	587	49750	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:49:59.573605061 CEST	587	49751	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:49:59.737960100 CEST	587	49750	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:49:59.738229990 CEST	49750	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:49:59.742007971 CEST	587	49751	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:49:59.742249012 CEST	49751	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:00.053877115 CEST	587	49750	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:50:00.053893089 CEST	587	49751	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:50:00.054053068 CEST	49750	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:00.054117918 CEST	49751	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:00.227026939 CEST	587	49751	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:00.227157116 CEST	49751	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:50:00.232218981 CEST	587	49750	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:00.232332945 CEST	49750	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:50:00.389353991 CEST	587	49751	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:50:00.392995119 CEST	587	49750	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:50:00.413604021 CEST	49751	587	192.168.2.4	74.119.238.7	.
Sep 25, 2024 13:50:00.420898914 CEST	49750	587	192.168.2.4	74.119.238.7	.
Sep 25, 2024 13:50:00.778933048 CEST	587	49751	74.119.238.7	192.168.2.4	250 OK id=1stQWu-003q7n-0y
Sep 25, 2024 13:50:00.792026997 CEST	587	49750	74.119.238.7	192.168.2.4	250 OK id=1stQWu-003q7m-0y
Sep 25, 2024 13:50:05.027139902 CEST	49751	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:50:05.386956930 CEST	587	49751	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:50:05.973901033 CEST	587	49752	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:20:05 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:50:05.974323034 CEST	49752	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:50:06.132379055 CEST	587	49752	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:50:06.132653952 CEST	49752	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:50:06.293986082 CEST	587	49752	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:50:07.018098116 CEST	587	49753	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:20:06 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:50:07.018239975 CEST	49753	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:50:07.174287081 CEST	587	49753	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:50:07.174484015 CEST	49753	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:50:07.333709955 CEST	587	49753	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:50:07.496124029 CEST	587	49753	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:50:07.496342897 CEST	49753	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:07.651818037 CEST	587	49753	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:50:07.653286934 CEST	49753	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:08.762449026 CEST	587	49753	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:08.762592077 CEST	49753	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:50:08.764682055 CEST	587	49753	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:08.764875889 CEST	587	49753	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:08.764920950 CEST	587	49753	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:08.929207087 CEST	587	49753	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:50:09.313504934 CEST	587	49753	74.119.238.7	192.168.2.4	250 OK id=1stQX2-003qEU-2i
Sep 25, 2024 13:50:23.019412994 CEST	49753	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:50:23.383440971 CEST	587	49753	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:50:23.998385906 CEST	587	49754	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:20:23 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:50:23.998862028 CEST	49754	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:50:24.164786100 CEST	587	49754	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:50:24.164992094 CEST	49754	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:50:24.460604906 CEST	587	49754	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:50:24.747060061 CEST	587	49754	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:50:24.747394085 CEST	49754	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:24.901597023 CEST	587	49754	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:50:24.901721954 CEST	49754	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:25.070724964 CEST	587	49754	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:25.070873022 CEST	49754	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:50:25.225476980 CEST	587	49754	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:50:25.253304958 CEST	49754	587	192.168.2.4	74.119.238.7	.
Sep 25, 2024 13:50:25.603751898 CEST	587	49754	74.119.238.7	192.168.2.4	250 OK id=1stQXJ-003qd0-0S
Sep 25, 2024 13:50:35.649914980 CEST	49754	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:50:36.006119967 CEST	587	49754	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:50:36.649435043 CEST	587	49755	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:20:36 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:50:36.649646997 CEST	49755	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:50:36.812257051 CEST	587	49755	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:50:36.812500954 CEST	49755	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:50:36.977385044 CEST	587	49755	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:50:37.160439014 CEST	587	49755	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:50:37.160615921 CEST	49755	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:37.319883108 CEST	587	49755	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:50:37.320086002 CEST	49755	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:37.493993998 CEST	587	49755	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:37.494132996 CEST	49755	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:50:37.656573057 CEST	587	49755	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:50:38.620735884 CEST	587	49756	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:20:38 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:50:38.621220112 CEST	49756	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:50:38.778038025 CEST	587	49756	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:50:38.778238058 CEST	49756	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:50:38.932553053 CEST	587	49756	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:50:39.091675997 CEST	587	49756	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:50:39.091835976 CEST	49756	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:39.248099089 CEST	587	49756	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:50:39.248241901 CEST	49756	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:39.416466951 CEST	587	49756	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:39.416601896 CEST	49756	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:50:39.571702957 CEST	587	49756	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:50:39.597026110 CEST	49756	587	192.168.2.4	74.119.238.7	.
Sep 25, 2024 13:50:39.954680920 CEST	587	49756	74.119.238.7	192.168.2.4	250 OK id=1stQXX-003qs3-1Z
Sep 25, 2024 13:50:44.476958990 CEST	49756	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:50:44.833487034 CEST	587	49756	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:50:45.431463003 CEST	587	49757	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:20:45 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:50:45.431663036 CEST	49757	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:50:45.587785006 CEST	587	49757	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:50:45.587929010 CEST	49757	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:50:45.742717981 CEST	587	49757	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:50:45.905823946 CEST	587	49757	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:50:45.909248114 CEST	49757	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:46.076251030 CEST	587	49757	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:50:46.076435089 CEST	49757	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:46.242641926 CEST	587	49757	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:46.242796898 CEST	49757	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:50:46.397072077 CEST	587	49757	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:50:46.769469023 CEST	587	49757	74.119.238.7	192.168.2.4	250 OK id=1stQXe-003qxS-10
Sep 25, 2024 13:50:53.363420963 CEST	49757	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:50:53.721290112 CEST	587	49757	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:50:54.321702957 CEST	587	49758	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:20:54 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:50:54.321829081 CEST	49758	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:50:54.479259014 CEST	587	49758	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:50:54.479471922 CEST	49758	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:50:54.634932995 CEST	587	49758	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:50:54.808525085 CEST	587	49758	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:50:54.811163902 CEST	49758	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:54.970104933 CEST	587	49758	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:50:54.971170902 CEST	49758	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:50:55.138227940 CEST	587	49758	74.119.238.7	192.168.2.4	250 Accepted
Sep 25, 2024 13:50:55.138401985 CEST	49758	587	192.168.2.4	74.119.238.7	DATA
Sep 25, 2024 13:50:55.294939041 CEST	587	49758	74.119.238.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Sep 25, 2024 13:50:55.679059982 CEST	587	49758	74.119.238.7	192.168.2.4	250 OK id=1stQXn-003r3Z-0f
Sep 25, 2024 13:51:06.196638107 CEST	49758	587	192.168.2.4	74.119.238.7	QUIT
Sep 25, 2024 13:51:06.552942991 CEST	587	49758	74.119.238.7	192.168.2.4	221 md-la-5.webhostbox.net closing connection
Sep 25, 2024 13:51:07.175956964 CEST	587	49759	74.119.238.7	192.168.2.4	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 17:21:07 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 13:51:07.178899050 CEST	49759	587	192.168.2.4	74.119.238.7	EHLO 051829
Sep 25, 2024 13:51:07.338933945 CEST	587	49759	74.119.238.7	192.168.2.4	250-md-la-5.webhostbox.net Hello 051829 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 25, 2024 13:51:07.339180946 CEST	49759	587	192.168.2.4	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Sep 25, 2024 13:51:07.498276949 CEST	587	49759	74.119.238.7	192.168.2.4	334 UGFzc3dvcmQ6
Sep 25, 2024 13:51:07.657423019 CEST	587	49759	74.119.238.7	192.168.2.4	235 Authentication succeeded
Sep 25, 2024 13:51:07.659315109 CEST	49759	587	192.168.2.4	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Sep 25, 2024 13:51:07.928787947 CEST	587	49759	74.119.238.7	192.168.2.4	250 OK
Sep 25, 2024 13:51:07.928975105 CEST	49759	587	192.168.2.4	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Sep 25, 2024 13:51:08.096441984 CEST	587	49759	74.119.238.7	192.168.2.4	250 Accepted

Target ID:	0
Start time:	07:46:57
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\rPO_CW00402902400415.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rPO_CW00402902400415.exe"
Imagebase:	0x193081b0000
File size:	1'849'494 bytes
MD5 hash:	0E509CAF00F17B291C24A27E87E9CACC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1811254005.000001930A253000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1811970397.0000019319F07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:46:58
Start date:	25/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x20000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4137755318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4137755318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4139321179.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4139321179.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:46:58
Start date:	25/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x980000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:46:58
Start date:	25/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6860 -s 1040
Imagebase:	0x7ff6afcf0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAB4D5D Relevance: 3.0, Strings: 2, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFD9BAB4DC0
^, xrefs: 00007FFD9BAB4D6A

Memory Dump Source

Source File: 00000000.00000002.1819919168.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_rPO_CW00402902400415.jbxd

Similarity

API ID:
String ID: ^$fish
API String ID: 0-2906118863
Opcode ID: 22d1648a0442f8cbed123aa592ccb4a61f1432c450161f1a73e164c0c4e798bb
Instruction ID: dd0e0c93045edf041614eab799cad894a834775f50cc7499ca4527b0b952df44
Opcode Fuzzy Hash: 22d1648a0442f8cbed123aa592ccb4a61f1432c450161f1a73e164c0c4e798bb
Instruction Fuzzy Hash: 02D16C3171DB4E0FE76DAB6898754B977E1EF96310F05027EE49BC71E2DD28A8028781

Function 00007FFD9BB80000 Relevance: 2.0, Instructions: 2040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821156603.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bb80000_rPO_CW00402902400415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cdd91f66de84422370782edd9698b45c1874cb1fab80d4bfc3472f6f8b4fea
Instruction ID: 01694197a01c56166d8cc79f3cf894002b722b27766aa63b9ee291d15a8bfa63
Opcode Fuzzy Hash: a9cdd91f66de84422370782edd9698b45c1874cb1fab80d4bfc3472f6f8b4fea
Instruction Fuzzy Hash: D3D23732A0FBC94FD766DB6888655A47FE0FF56304F4A01FAD089CB1E2DA786906C741

Function 00007FFD9BABF3C9 Relevance: 1.6, Instructions: 1588
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1819919168.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_rPO_CW00402902400415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d47e0ead6c1be30da7014b4a6bd6468523b7f98f4a3e00475d9fc510861384
Instruction ID: 91dddad0a46fd9c8d1bf0c98fd9aadd811b2980ea27135ecf07c44ae70682c7f
Opcode Fuzzy Hash: 40d47e0ead6c1be30da7014b4a6bd6468523b7f98f4a3e00475d9fc510861384
Instruction Fuzzy Hash: E3B28A30A0DB594FD329DB28C4A04B5B7E1FF85301F0546BEE49AC72A6DE35E946CB81

Function 00007FFD9BAB93A8 Relevance: .9, Instructions: 929COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819919168.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_rPO_CW00402902400415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1370afc66226891567537ffd09a093c395214a256459b685706d2325207e6426
Instruction ID: 229c6095a40afa7d2544b60a675ce40e065174fe11d001c42c1f3d903e1b34ca
Opcode Fuzzy Hash: 1370afc66226891567537ffd09a093c395214a256459b685706d2325207e6426
Instruction Fuzzy Hash: 83521830B0DA1D4FEB68DF68C46567977E1EF59301F1501BEE09EC72A2CE64AD428B81

Function 00007FFD9BACA069 Relevance: .9, Instructions: 898COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819919168.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_rPO_CW00402902400415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848b09a41bbc1b365f49c88d8c6da2492a5dac166c0c71b972a0584873858897
Instruction ID: f7c91b14ce992e6ba23eeef2f199f9cf14b2e90b04dd0933dafbf6342d88fecb
Opcode Fuzzy Hash: 848b09a41bbc1b365f49c88d8c6da2492a5dac166c0c71b972a0584873858897
Instruction Fuzzy Hash: F252CB30A0EA4E4FE768EB28C4615B577E1FF81300B1445BEE09BC71E6DE79A946C780

Function 00007FFD9BAC43C5 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819919168.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_rPO_CW00402902400415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f162e5e6db02d6ca186129b29fa98c9a7e91b7b7959ec275653c805a250e87f
Instruction ID: bde9657388368feda3d79cc50e394ec07d213154166a3e514a85138d1d3b0d0e
Opcode Fuzzy Hash: 8f162e5e6db02d6ca186129b29fa98c9a7e91b7b7959ec275653c805a250e87f
Instruction Fuzzy Hash: 47124A31B1E94D4FE378EBAC88261B477D1EF85320B1602BDD44DC71B6DEA86D068785

Function 00007FFD9BAB396A Relevance: 1.6, APIs: 1, Instructions: 136
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9BAB3A41

Memory Dump Source

Source File: 00000000.00000002.1819919168.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_rPO_CW00402902400415.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 892f6ef2613fc30e0e6c81ed7c4e9621643ea502c991c1e9d01125b511769d9c
Instruction ID: 0af3b1deb9f235e21d40a8f623d7aa17ceb527e7a7eb7642b070de77e86ca010
Opcode Fuzzy Hash: 892f6ef2613fc30e0e6c81ed7c4e9621643ea502c991c1e9d01125b511769d9c
Instruction Fuzzy Hash: 5D414A3190DB884FDB19DBA898166E9BFF0EF56321F0402AFD059C31A3CF646856CB91

Function 00007FFD9BAB0618 Relevance: 1.6, APIs: 1, Instructions: 126
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9BAB3A41

Memory Dump Source

Source File: 00000000.00000002.1819919168.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_rPO_CW00402902400415.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 71d0670a7a7a1626e8c08a0f652097853165bafa8278cd9ce94ff6d3f5000545
Instruction ID: 844eaaf0e242c685996d2a82fdc116adbcefe1ea307ab26d4e5287608bc36155
Opcode Fuzzy Hash: 71d0670a7a7a1626e8c08a0f652097853165bafa8278cd9ce94ff6d3f5000545
Instruction Fuzzy Hash: F5312531A0CA1C8FDB18EB9898556F97BE1EF99325F04427FE059C31A2DF746846CB81

Function 00007FFD9BAC8BF9 Relevance: 1.6, APIs: 1, Instructions: 121
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9BAC8CA1

Memory Dump Source

Source File: 00000000.00000002.1819919168.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_rPO_CW00402902400415.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 17be76b67f3a646a5d4c3e72f923f5dcfb93286874cb1942a2f51dc4d5eb4557
Instruction ID: d0c8f63d4098124f7e9bc111dd98a85ddee10ce06fd053185277defed58b1e74
Opcode Fuzzy Hash: 17be76b67f3a646a5d4c3e72f923f5dcfb93286874cb1942a2f51dc4d5eb4557
Instruction Fuzzy Hash: 1431E631A0CB5C8FDB18EFA898466F97BF1FB65321F04426FD049D3192DB606856CB81

Function 00007FFD9BABA034 Relevance: 1.6, APIs: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9BAC8CA1

Memory Dump Source

Source File: 00000000.00000002.1819919168.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_rPO_CW00402902400415.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5884c8ee9a5e59a246e101e2f760a6420d899b070fbc45f0275585ec53ff99ce
Instruction ID: 8a4c78ae8139737f021cf4eb326e7217da41cd1e0f469d0d3d3424c2dabf1fd2
Opcode Fuzzy Hash: 5884c8ee9a5e59a246e101e2f760a6420d899b070fbc45f0275585ec53ff99ce
Instruction Fuzzy Hash: 3F31C731A0CA1C8FDB1CEF9898456F9B7E5FBA5321F00422FD049D3292DB646852CB81

Function 00007FFD9BB810C9 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821156603.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bb80000_rPO_CW00402902400415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c16a83e10448fac341a4bd96f83a5fdaa18954622c924cfa8ecbd1d165841f
Instruction ID: 090ce363c12f27f244780d760ca9a99555b8afd526576d7a974989b3b5858d69
Opcode Fuzzy Hash: b1c16a83e10448fac341a4bd96f83a5fdaa18954622c924cfa8ecbd1d165841f
Instruction Fuzzy Hash: A6412631A0EA8D4FDB56DF64C8644E87BF0FF59304B0A01EAD04ACB5A2DA74A841C740

Function 00007FFD9BB80363 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821156603.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bb80000_rPO_CW00402902400415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa2157dfb828b43575427f113c3ffc1dbaa2325fe8fa9719eb07841c3bb74e5
Instruction ID: a3bee0d768627d7bccc74331d36cecdbf316a2784dcafc36112750c0fe87e149
Opcode Fuzzy Hash: 7aa2157dfb828b43575427f113c3ffc1dbaa2325fe8fa9719eb07841c3bb74e5
Instruction Fuzzy Hash: EFF09A72B0995C8FDF50DA9CD896AACB7F0FB9A744F4000B6D09ED7152CE30B90A8B41

Analysis Process: AddInProcess32.exePID: 1344, Parent PID: 6860COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.7%
Total number of Nodes:	418
Total number of Limit Nodes:	39

Executed Functions

Function 059ADBC8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,059AEA70,00000000,00000000), ref: 059AEC83

Strings

+ZR4, xrefs: 059AEC22

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: HookWindows
String ID: +ZR4
API String ID: 2559412058-2657457958
Opcode ID: 1601a9e0034c2c632ad11c9aa5b47aa289a0049ea9b90ad526d57c50e821d69e
Instruction ID: 979956166daff80fffc3a1fc07beadf8f2250807345d8b3c371b72bd2abd47d6
Opcode Fuzzy Hash: 1601a9e0034c2c632ad11c9aa5b47aa289a0049ea9b90ad526d57c50e821d69e
Instruction Fuzzy Hash: 472115B2904209DFDB14DF99C944BEEFBF9FB88310F10842AE459A7250C775A944CFA5

Function 05E69B89 Relevance: 1.8, APIs: 1, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4146174511.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4e63ed513825f1335b9e7e47559b79de1aa59211ff6fd8dd1b53a5b73c72f2
Instruction ID: 0216c2c41fc1aef87a3914cca53704c8daa2cbafe8385d531c235650e3130399
Opcode Fuzzy Hash: 3d4e63ed513825f1335b9e7e47559b79de1aa59211ff6fd8dd1b53a5b73c72f2
Instruction Fuzzy Hash: DAD15F30A40219CFEB14DFA5C848BADBBF2BF44388F159564E449EF2A6DB71E945CB40

Function 02299D9A Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 02299F2F

Strings

Hbq, xrefs: 0229A190
+ZR4, xrefs: 02299DCA
Hbq, xrefs: 0229A14B

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: ActiveWindow
String ID: +ZR4$Hbq$Hbq
API String ID: 2558294473-2430806922
Opcode ID: c82e6933dd262bfc05acd5462a60adf450714ffb68cb0c9cd7abe42bd456bd63
Instruction ID: 58d01b49d5be1d5156ded117031a0d0fc7e6a3783a777ef33a128434c9774e7c
Opcode Fuzzy Hash: c82e6933dd262bfc05acd5462a60adf450714ffb68cb0c9cd7abe42bd456bd63
Instruction Fuzzy Hash: 1CC19D30B102568FDB48AFB8941476E7AE7EF88310F148868D506EB398DF389D46CB51

Function 059AB244 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059AB362

Strings

+ZR4, xrefs: 059AB27E
+ZR4, xrefs: 059AB29E

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: CreateWindow
String ID: +ZR4$+ZR4
API String ID: 716092398-2190121733
Opcode ID: a5e984dcbf8a12c229312dfa7a7c3ec548e7b5c0b711b60910795d8acbdc4630
Instruction ID: d7fdb74263bf61bcdbdc00b7175ebecd0790a8df2a6587758428e81c869474ad
Opcode Fuzzy Hash: a5e984dcbf8a12c229312dfa7a7c3ec548e7b5c0b711b60910795d8acbdc4630
Instruction Fuzzy Hash: 5751C2B1D013099FDB14CF99C884ADEBBB6FF48310F24812AE819AB250D7759885CF91

Function 059AB250 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059AB362

Strings

+ZR4, xrefs: 059AB27E
+ZR4, xrefs: 059AB29E

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: CreateWindow
String ID: +ZR4$+ZR4
API String ID: 716092398-2190121733
Opcode ID: a2ff2f7dee62c0f6d6f912c5ec994ebee0a02bcec03dc39d1c4552448b7ff81f
Instruction ID: 36518af5f3278990c838e68a48b306d28b51b93c66473363bd8e214d18bd1b39
Opcode Fuzzy Hash: a2ff2f7dee62c0f6d6f912c5ec994ebee0a02bcec03dc39d1c4552448b7ff81f
Instruction Fuzzy Hash: 3441B3B1D11349DFDB14CF99C884ADEBBB5FF48310F24812AE819AB250D7719845CF91

Function 059AA7F0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 059AAB86

Strings

+ZR4, xrefs: 059AAB3F

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: HandleModule
String ID: +ZR4
API String ID: 4139908857-2657457958
Opcode ID: b7de821919c417205f71e5030fcaf6615a4b130f7b91cc413c427d017c96343b
Instruction ID: 4688c210c4a79c21e180a90d709eb6cc965995f929b42cc5ab52079b5bbb472e
Opcode Fuzzy Hash: b7de821919c417205f71e5030fcaf6615a4b130f7b91cc413c427d017c96343b
Instruction Fuzzy Hash: 6EB17871A007059FCB14EF69C884A6EBBF6FF88310B00896AD44ADB755DB74E945CBA0

Function 059A4B98 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+ZR4, xrefs: 059A4C8F

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: +ZR4
API String ID: 0-2657457958
Opcode ID: 8eff1c0a15593b6ec9b74218c12015180cf03d8ce324da924e3f2658d163eae0
Instruction ID: 827b6f756499bcdc1f186bf708c32d978023df8fcd1bdc77d37dc1678001a33b
Opcode Fuzzy Hash: 8eff1c0a15593b6ec9b74218c12015180cf03d8ce324da924e3f2658d163eae0
Instruction Fuzzy Hash: 3D413272E043598FCB04CFB9D8447AEBBF4AF89210F14856AD408E7281DB74A884CBE0

Function 059A9D9C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 059AC429

Strings

+ZR4, xrefs: 059AC37F

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: CallProcWindow
String ID: +ZR4
API String ID: 2714655100-2657457958
Opcode ID: 2c050d6fa6018f981b07a614ddfb55fe92ec6615e1ade2d108ddc91eccb15ff6
Instruction ID: 81b7e88d4f1dfaa305f0e2a3e854db65275af613c3fdf09fc05a9387cc9f020e
Opcode Fuzzy Hash: 2c050d6fa6018f981b07a614ddfb55fe92ec6615e1ade2d108ddc91eccb15ff6
Instruction Fuzzy Hash: 83413DB5A00305CFDB14CF59C488AAABBF5FF88314F14C859E519AB321D774A845CFA0

Function 059AC9AC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 059AD048

Strings

+ZR4, xrefs: 059ACFE2

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: Clipboard
String ID: +ZR4
API String ID: 220874293-2657457958
Opcode ID: 3ebb0fcefdea12b81bbe36e4a359fd8fd8862ae169e72492425a41ef3ca60a56
Instruction ID: e7233e435b74a716d100bcd0a5078201f89d0e967dbbdbcd4a42f8e32afc8fd4
Opcode Fuzzy Hash: 3ebb0fcefdea12b81bbe36e4a359fd8fd8862ae169e72492425a41ef3ca60a56
Instruction Fuzzy Hash: A73122B1D05318DFDB10DFA9C984B8EBBF5AF48304F208019E405BB294D7B5A985CBA5

Function 059ACFB4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 059AD048

Strings

+ZR4, xrefs: 059ACFE2

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: Clipboard
String ID: +ZR4
API String ID: 220874293-2657457958
Opcode ID: aa21aa8f0c6f0a3647569ace651387bf36be4449e601ba3d8ade03ed03937717
Instruction ID: e2805301d7c748916418715a0ef23533d93cbf28797de727bb61fb24365764b8
Opcode Fuzzy Hash: aa21aa8f0c6f0a3647569ace651387bf36be4449e601ba3d8ade03ed03937717
Instruction Fuzzy Hash: 243101B1901318DFDB10DFA9C985BCDBBF5BF48314F608019E404AB294D7B56986CBA1

Function 0229B97F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,0229CD10,034260D8,02446194), ref: 0229CDA1

Strings

+ZR4, xrefs: 0229CD4A

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: EnumThreadWindows
String ID: +ZR4
API String ID: 2941952884-2657457958
Opcode ID: 9caf184222b43123ea9baabf038ebe053e7a9c2e36455234f56efce46b5b3f65
Instruction ID: 54f127900f969601c0f5de7d3b88cda136f99e462cf2cd23e2c47c3c9b9f7b2f
Opcode Fuzzy Hash: 9caf184222b43123ea9baabf038ebe053e7a9c2e36455234f56efce46b5b3f65
Instruction Fuzzy Hash: D62159B1D102498FDB10CFAAC845BEEFBF4EB88324F04842AE454A7251C774A945CFA5

Function 0229B04B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0229B0D7

Strings

+ZR4, xrefs: 0229B06F

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID: +ZR4
API String ID: 3793708945-2657457958
Opcode ID: ba175ebcb4871160a1d89ea32947614632c08d3d5d664b00a9ce7745dbce2289
Instruction ID: 05e83c94b600ddbfa61244a4af0bfdb170beb0d13b9ad1262ed4f7e066a40509
Opcode Fuzzy Hash: ba175ebcb4871160a1d89ea32947614632c08d3d5d664b00a9ce7745dbce2289
Instruction Fuzzy Hash: 8921E3B59012499FDB10CFAAD584ADEBBF4FB48314F14801AE958A7250D375A941CFA1

Function 0229CD28 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,0229CD10,034260D8,02446194), ref: 0229CDA1

Strings

+ZR4, xrefs: 0229CD4A

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: EnumThreadWindows
String ID: +ZR4
API String ID: 2941952884-2657457958
Opcode ID: b7dfe1478ddfaf421b203fa5c6f0e4fc9830f55caec234611ef5e780863c6678
Instruction ID: dec4cb1bf842f88ee90df1351b286c3cd72922cf1b80b56f131ef9b43c469896
Opcode Fuzzy Hash: b7dfe1478ddfaf421b203fa5c6f0e4fc9830f55caec234611ef5e780863c6678
Instruction Fuzzy Hash: 1D215BB1D002098FDB10CFAAC845BEEFBF5EF88310F10842AD458A7250D778A945CFA1

Function 0229B050 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0229B0D7

Strings

+ZR4, xrefs: 0229B06F

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID: +ZR4
API String ID: 3793708945-2657457958
Opcode ID: da1c8f42b163452dc372cd857fb259390464b0c831bdfc864bbdb4df2533606b
Instruction ID: 23f41f068deb9b2a0baafb4b9429eef5bc09571d4a7b49457539b4c062044d45
Opcode Fuzzy Hash: da1c8f42b163452dc372cd857fb259390464b0c831bdfc864bbdb4df2533606b
Instruction Fuzzy Hash: 1621E4B59002089FDB10CFAAD584ADEFBF4FB48314F14801AE914A3350C375A940CFA5

Function 0229B98C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,0229CD10,034260D8,02446194), ref: 0229CDA1

Strings

+ZR4, xrefs: 0229CD4A

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: EnumThreadWindows
String ID: +ZR4
API String ID: 2941952884-2657457958
Opcode ID: ada1e66ae4c683d66075c7246c2c40d34f471827d50697ce5ce918bf99c0fd01
Instruction ID: 0c96298062767d77e6e798203ae80568464c721d81c6c1e73d57b191df4bfd8c
Opcode Fuzzy Hash: ada1e66ae4c683d66075c7246c2c40d34f471827d50697ce5ce918bf99c0fd01
Instruction Fuzzy Hash: AE2158B1D102198FDB10DF9AC844BEEFBF4EB88324F10842AE458A7350D774A944CFA5

Function 0229D4B9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0229D53D

Strings

+ZR4, xrefs: 0229D4E2

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: Message
String ID: +ZR4
API String ID: 2030045667-2657457958
Opcode ID: 3c9a731e7f998b4a7600b908da31a3dab60f46425505c0e849312c2fb9dfefff
Instruction ID: 7967a7f415818fb0d383d2f817bb43c566e0bdabb3ee96b8827d478e45863126
Opcode Fuzzy Hash: 3c9a731e7f998b4a7600b908da31a3dab60f46425505c0e849312c2fb9dfefff
Instruction Fuzzy Hash: 162104B59013499FDB10DF9AD884ADEFBF5FB48314F14852ED419A7200C375A545CFA1

Function 059AEC01 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,059AEA70,00000000,00000000), ref: 059AEC83

Strings

+ZR4, xrefs: 059AEC22

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: HookWindows
String ID: +ZR4
API String ID: 2559412058-2657457958
Opcode ID: e736a85f078f909533f593c93b24df8c2ad8cc94f35b0cf0f9560303ec44b687
Instruction ID: c394d4c51a8741fab0b4b129222b4bc380f3d7bf792b246e048ba96c95904e96
Opcode Fuzzy Hash: e736a85f078f909533f593c93b24df8c2ad8cc94f35b0cf0f9560303ec44b687
Instruction Fuzzy Hash: 502147B2D002099FCB14DF99C844BDEFBF9FB88320F10842AD419A7250C774A940CFA5

Function 0229D4C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0229D53D

Strings

+ZR4, xrefs: 0229D4E2

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: Message
String ID: +ZR4
API String ID: 2030045667-2657457958
Opcode ID: fa8fff0409f03f9fd6dc821245d4b3522ae222c9ae42ecddd22332de10415251
Instruction ID: 42cfe6dcb89c8efa60118949da05a85e9ad8dc041f08e84bc66741966c858aa1
Opcode Fuzzy Hash: fa8fff0409f03f9fd6dc821245d4b3522ae222c9ae42ecddd22332de10415251
Instruction Fuzzy Hash: D821EFB69013499FCB10DF9AD884ADEFBB5FB48318F10852AE919A7200C375A944CFA5

Function 059A3F7C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,059A4BEA), ref: 059A4CD7

Strings

+ZR4, xrefs: 059A4C8F

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: +ZR4
API String ID: 1890195054-2657457958
Opcode ID: cb13c16ad6f57539ea5350b7809d09a4258d1009569e53058dff23c7fbc26bdb
Instruction ID: da704acd6260b084b5a640d70d1136c627be92a4e11bcbdadbdbdec396ac04e6
Opcode Fuzzy Hash: cb13c16ad6f57539ea5350b7809d09a4258d1009569e53058dff23c7fbc26bdb
Instruction Fuzzy Hash: BB1144B2C006599BDB10DF9AC544BDEFBF4FB08320F10812AD818A7240D378A940CFE5

Function 059AAB18 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 059AAB86

Strings

+ZR4, xrefs: 059AAB3F

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: HandleModule
String ID: +ZR4
API String ID: 4139908857-2657457958
Opcode ID: 4b8fac61b9e2e1110fd986385a47adf6957bf0720d9cd60b33bd8cc11b82c107
Instruction ID: 4ca6dd21db26eeb874b1015032a0272eb6394f77b7a52390e20ea79bd0aea56b
Opcode Fuzzy Hash: 4b8fac61b9e2e1110fd986385a47adf6957bf0720d9cd60b33bd8cc11b82c107
Instruction Fuzzy Hash: DA110FB6C003498FDB10DF9AD484ADEFBF9AB89320F10842AD429A7210C375A545CFA5

Function 0229BE78 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0229BED5

Strings

+ZR4, xrefs: 0229BE9A

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID: +ZR4
API String ID: 2538663250-2657457958
Opcode ID: 03f1c7c14645bc75a2d322df3642849ef1c8fae37ecc05730f6cfdcee88c8fb1
Instruction ID: 3980715e0319d78a212513239a880526f38f0944c6afda52cc836b4e04ffe9ee
Opcode Fuzzy Hash: 03f1c7c14645bc75a2d322df3642849ef1c8fae37ecc05730f6cfdcee88c8fb1
Instruction Fuzzy Hash: 131145B4D002498FDB20DFAAD485BDEFFF8EB48324F10842AD558A3210C378A584CFA5

Function 059AC698 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,059AC675), ref: 059AC6FF

Strings

+ZR4, xrefs: 059AC6BA

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: +ZR4
API String ID: 2492992576-2657457958
Opcode ID: f92fb2118dad14c5fb57716526780bfbfee53e87a6caf0099ab51e58414bd780
Instruction ID: 5ef78a6f23559509ec7973dff98571504281d80a1c80e0861005e9198eb6ccb3
Opcode Fuzzy Hash: f92fb2118dad14c5fb57716526780bfbfee53e87a6caf0099ab51e58414bd780
Instruction Fuzzy Hash: 2F1145B5800248CFCB10DF9AD489BDEFFF8EB48324F20841AE559A7250C374A944CFA5

Function 059A9DF4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,059AC675), ref: 059AC6FF

Strings

+ZR4, xrefs: 059AC6BA

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: +ZR4
API String ID: 2492992576-2657457958
Opcode ID: 1c952c5572bb53937d66e2dfcf76dfaa70f4577fe96e645c65509b56914f5882
Instruction ID: f2780d78f58b8ff5599d0635978d05e49de0b6c679af6ee772752e320c1ac9d5
Opcode Fuzzy Hash: 1c952c5572bb53937d66e2dfcf76dfaa70f4577fe96e645c65509b56914f5882
Instruction Fuzzy Hash: 6C1115B5800349CFCB10DF9AD485BDEFBF8EB48324F20845AE559A7250D375A944CFA5

Function 05E6A839 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 05E6A89D

Strings

+ZR4, xrefs: 05E6A85F

Memory Dump Source

Source File: 00000001.00000002.4146174511.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5e60000_AddInProcess32.jbxd

Similarity

API ID: DispatchMessage
String ID: +ZR4
API String ID: 2061451462-2657457958
Opcode ID: 937823e9151838a51544d97bf458e96bffcfc481f48515e36d7c48e558db086d
Instruction ID: e23af6d7dbac6adfb2c04af279fddac7de4a2188084c42eaec63a953475305ab
Opcode Fuzzy Hash: 937823e9151838a51544d97bf458e96bffcfc481f48515e36d7c48e558db086d
Instruction Fuzzy Hash: AE11E0B1C006488FCB10DF9AD445B8EFBF4EB48314F10846AD559A7250D374A545CFA5

Function 0229B920 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0229BED5

Strings

+ZR4, xrefs: 0229BE9A

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID: +ZR4
API String ID: 2538663250-2657457958
Opcode ID: e3e935d8268e186b727703a8ee5fddaff03f31e6c5dbf0394900fc6ec75210be
Instruction ID: 9b49f484ebc86f41de4e64e73563823bc8b52029200ad820e9aeca7a34946de5
Opcode Fuzzy Hash: e3e935d8268e186b727703a8ee5fddaff03f31e6c5dbf0394900fc6ec75210be
Instruction Fuzzy Hash: F11145B49003488FCB20DF9AD484BDEFBF8EB48328F108459D659A7210C374A944CFA5

Function 05E6A840 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 05E6A89D

Strings

+ZR4, xrefs: 05E6A85F

Memory Dump Source

Source File: 00000001.00000002.4146174511.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5e60000_AddInProcess32.jbxd

Similarity

API ID: DispatchMessage
String ID: +ZR4
API String ID: 2061451462-2657457958
Opcode ID: dcc2c396bc0b46877f848af14902cdd6a538b8f1da7ab762ac6c03486859f648
Instruction ID: 464c61988003cba000ed1ad0f7d4475547e6d20832276e6cdf4d17acecc92ac5
Opcode Fuzzy Hash: dcc2c396bc0b46877f848af14902cdd6a538b8f1da7ab762ac6c03486859f648
Instruction Fuzzy Hash: DE11FBB1C00648CFCB20DF9AD488ACEFBF4EB48324F10846AE859A3250D378A544CFA5

Function 059AC72C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,059AC675), ref: 059AC6FF

Memory Dump Source

Source File: 00000001.00000002.4145817742.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_59a0000_AddInProcess32.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 66c8d96fb4b02551bc0c434e6c62d29b30dd7a7bc4ac3182ecf7732af8b56547
Instruction ID: 913f7cab5f35eae82fab447fa096fd8d2d494807a25f5c49a02ff5c522239bad
Opcode Fuzzy Hash: 66c8d96fb4b02551bc0c434e6c62d29b30dd7a7bc4ac3182ecf7732af8b56547
Instruction Fuzzy Hash: 23F0F0B3808380CEDB11CB99C4593DABFF0EB51308F18808AD19A9B261D3799545CBA1

Function 0212D0F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4138734746.000000000212D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0212D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_212d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b68eddb014ad2dd53881db10ef905826873e577561d2075639075a2254e373
Instruction ID: 96852a32a390875daa27e44a18445c369619d0a8532ea00433fed8f6a71ce5e9
Opcode Fuzzy Hash: b8b68eddb014ad2dd53881db10ef905826873e577561d2075639075a2254e373
Instruction Fuzzy Hash: 6C212671684224DFDB04DF24E9C0B26BBA5FB88314F20C56DF8494B796C336D46ACB61

Function 0212D2B8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4138734746.000000000212D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0212D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_212d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c052e80f6bfbb93ac6b74779f94ec173d0d72e7d8ef0a4d362dd661037828e93
Instruction ID: 37e3ef4a6bc2b3b34e2892dc2493e448a4571658e15e1c5f88e8909e9c48dc84
Opcode Fuzzy Hash: c052e80f6bfbb93ac6b74779f94ec173d0d72e7d8ef0a4d362dd661037828e93
Instruction Fuzzy Hash: 922105B1584244DFDB04DF14FAC4B2BBBA5FB88324F24C569F8494B355C33AD46ACAA1

Function 0212D468 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4138734746.000000000212D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0212D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_212d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c1fad6e570cfa6accb7d23ac755312d717cd760a43db51bdf4ff7b1f997570
Instruction ID: eda8b4c7e3df113ce9f4a72b17cd5ec4ce6a9f0bf6f62a425d35a0f76d5bbbff
Opcode Fuzzy Hash: f3c1fad6e570cfa6accb7d23ac755312d717cd760a43db51bdf4ff7b1f997570
Instruction Fuzzy Hash: 9A212971584240EFDB08DF24E5C4B16BBB5FB84318F24C56DF8094B256C37AD45ACB61

Function 0212D2B3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4138734746.000000000212D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0212D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_212d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 43c9c5350c250734b87d530a2feefba3b610a5c2eeee19605f838f91b80051a2
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: B311C8B5544244CFDB11CF14E5C4B1AFF71FB84314F24C5AAD8494B656C33AD41ACB91

Function 0212D463 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4138734746.000000000212D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0212D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_212d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 849e0d805daeffb35edd65e676488a7f6e7f2156ef34251ef9588d291f7ec9c4
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 3C11DD76544280CFCB01CF20E5C4B15BFB1FB84318F28C6AEE8094B296C37AD41ACB62

Function 0212D0EB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4138734746.000000000212D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0212D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_212d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: a58197afdbdd8718c2df98eda95f41fdc0388c078ddf1410f8af50b7d119bd3e
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A311DD75544280CFDB01CF10E9C4B15FFB2FB88318F24C6AAE8494B656C33AD45ACB62

Non-executed Functions

Function 0229D290 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 192windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0229D301
GetFocus.USER32 ref: 0229D367

Strings

+ZR4, xrefs: 0229D2AF

Memory Dump Source

Source File: 00000001.00000002.4138979821.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_AddInProcess32.jbxd

Similarity

API ID: ActiveFocusWindow
String ID: +ZR4
API String ID: 2022189218-2657457958
Opcode ID: f96cb81a148b907827b428f0321f39ffd208bab670c71ed96565fe61a2973f2e
Instruction ID: e3471c9171be87eb707ea1e2b15dcd74c7e04a76ba97f87ca1fb2b872022628d
Opcode Fuzzy Hash: f96cb81a148b907827b428f0321f39ffd208bab670c71ed96565fe61a2973f2e
Instruction Fuzzy Hash: 4B7159B4A1020A8FDB14EFA9C584AAEBBF5EF49304F1584A9E804EB355C734ED41CF61

Function 05E6C050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000050), ref: 05E6C0E3

Strings

+ZR4, xrefs: 05E6C07F
4'^q, xrefs: 05E6C09C

Memory Dump Source

Source File: 00000001.00000002.4146174511.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5e60000_AddInProcess32.jbxd

Similarity

API ID: MetricsSystem
String ID: +ZR4$4'^q
API String ID: 4116985748-2094718428
Opcode ID: 4b20a0a13a95e53233f321a8ed5fa2c2d680d088a50e86577397403e269ef4a6
Instruction ID: fd4aec20f0d6bad744932fc4d8e8be61df933df8fca05e9d7adf1461b5cda4b4
Opcode Fuzzy Hash: 4b20a0a13a95e53233f321a8ed5fa2c2d680d088a50e86577397403e269ef4a6
Instruction Fuzzy Hash: D52134B1D002098FDB00DFA9D8466EEBBF4EB08324F10895AD859B7381C779A945CFA5

Function 05E6C060 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000050), ref: 05E6C0E3

Strings

+ZR4, xrefs: 05E6C07F
4'^q, xrefs: 05E6C09C

Memory Dump Source

Source File: 00000001.00000002.4146174511.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5e60000_AddInProcess32.jbxd

Similarity

API ID: MetricsSystem
String ID: +ZR4$4'^q
API String ID: 4116985748-2094718428
Opcode ID: 31b2a62b44fd439f7198dc2d87b40b12aefc555f19ec649e140d530516e1bd74
Instruction ID: aa4307457d28bff7f1ca294933ab406e13bcab1b78433036ae13e010636fb4df
Opcode Fuzzy Hash: 31b2a62b44fd439f7198dc2d87b40b12aefc555f19ec649e140d530516e1bd74
Instruction Fuzzy Hash: 022123B0D00209CFCB10DFA9D8456EEBBF4EB08324F10855AD869B7280C7796944CFA5

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rPO_CW00402902400415.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rPO_CW0040290240_3337ff837319f9c3d7f3ada581f0997a8cb9321c_4b0452fd_c1c7692c-f1ab-48eb-a03e-dae1a522c1a4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D6B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93B5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93F4.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
rPO_CW00402902400415.exe

Function 00007FFD9BAB4D5D Relevance: 3.0, Strings: 2, Instructions: 483
COMMON

Function 00007FFD9BABF3C9 Relevance: 1.6, Instructions: 1588
COMMON

Function 00007FFD9BAB396A Relevance: 1.6, APIs: 1, Instructions: 136
memoryCOMMON

Function 00007FFD9BAB0618 Relevance: 1.6, APIs: 1, Instructions: 126
memoryCOMMON

Function 00007FFD9BAC8BF9 Relevance: 1.6, APIs: 1, Instructions: 121
memoryCOMMON

Function 00007FFD9BABA034 Relevance: 1.6, APIs: 1, Instructions: 111
memoryCOMMON

Function 02299D9A Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 328
COMMON

Function 059AB244 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Function 059AB250 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Function 059AA7F0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 293
COMMON

Function 059A4B98 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Function 059A9D9C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Function 059AC9AC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
comclipboardCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre