Edit tour

Windows Analysis Report
bhevLCQYD6.exe

Overview

General Information

Sample name:	bhevLCQYD6.exe renamed because original name is a hash value
Original sample name:	83b5f3c1326831ab20c2d8114e4c324e.exe
Analysis ID:	1417465
MD5:	83b5f3c1326831ab20c2d8114e4c324e
SHA1:	5d0e55293b342f849f2a4a5e71174af52559a466
SHA256:	29b71c3a7f3ae4017bd2e71cee4e9fbecfe5c7693ef30b5c541d27edc3d425b8
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

bhevLCQYD6.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\bhevLCQYD6.exe" MD5: 83B5F3C1326831AB20C2D8114E4C324E)

RegSvcs.exe (PID: 6752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

AddInProcess32.exe (PID: 6808 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 1076 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

WerFault.exe (PID: 7176 cmdline: C:\Windows\system32\WerFault.exe -u -p 6956 -s 1212 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.gosportz.in", "Username": "sales@gosportz.in", "Password": "Ss@gosportz"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.4053823405.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4053823405.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: bhevLCQYD6.exe PID: 6956	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bhevLCQYD6.exe PID: 6956	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bhevLCQYD6.exe PID: 6956	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: bhevLCQYD6.exe PID: 6956	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6808	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.bhevLCQYD6.exe.1d79264ccf8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33521:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33593:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3361d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336af:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33719:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3378b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33821:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338b1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.bhevLCQYD6.exe.1d79264ccf8.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.bhevLCQYD6.exe.1d79264ccf8.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31721:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31793:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3181d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318af:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31919:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3198b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a21:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31ab1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.bhevLCQYD6.exe.1d792687740.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.bhevLCQYD6.exe.1d792687740.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.bhevLCQYD6.exe.1d792687740.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31721:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31793:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3181d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318af:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31919:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3198b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a21:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31ab1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33521:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33593:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3361d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336af:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33719:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3378b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33821:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338b1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.bhevLCQYD6.exe.1d79264ccf8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.bhevLCQYD6.exe.1d79264ccf8.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.bhevLCQYD6.exe.1d79264ccf8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33521:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df69:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33593:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfdb:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3361d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e065:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336af:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0f7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33719:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e161:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3378b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1d3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33821:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e269:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338b1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2f9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.79.229.7, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 6808, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738

Snort Signatures

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:49.924574
SID:	2030171
Source Port:	49773
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:51.057848
SID:	2840032
Source Port:	49762
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:41.095141
SID:	2030171
Source Port:	49754
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:30.134284
SID:	2840032
Source Port:	49769
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:30.134207
SID:	2030171
Source Port:	49769
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:41.095247
SID:	2840032
Source Port:	49754
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:49.924672
SID:	2840032
Source Port:	49773
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:08.140144
SID:	2851779
Source Port:	49767
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:24.039925
SID:	2030171
Source Port:	49761
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:06.243511
SID:	2851779
Source Port:	49759
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:19.602140
SID:	2851779
Source Port:	49760
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:58.011955
SID:	2855542
Source Port:	49766
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:30.134284
SID:	2851779
Source Port:	49769
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:30:59.881457
SID:	2840032
Source Port:	49738
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:24.039956
SID:	2840032
Source Port:	49761
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:51.057801
SID:	2851779
Source Port:	49762
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:51.910656
SID:	2030171
Source Port:	49757
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:16.704777
SID:	2840032
Source Port:	49768
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:46.441647
SID:	2851779
Source Port:	49756
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:30:59.881408
SID:	2030171
Source Port:	49738
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:30:59.881457
SID:	2855245
Source Port:	49738
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:51.057801
SID:	2855542
Source Port:	49762
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:30.134284
SID:	2855542
Source Port:	49769
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:46.441647
SID:	2855542
Source Port:	49756
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:06.243511
SID:	2855542
Source Port:	49759
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:08.140078
SID:	2030171
Source Port:	49767
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:58.011955
SID:	2851779
Source Port:	49766
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:19.602140
SID:	2030171
Source Port:	49760
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:24.039925
SID:	2851779
Source Port:	49761
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:30:59.881457
SID:	2851779
Source Port:	49738
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:46.440503
SID:	2030171
Source Port:	49756
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:51.910656
SID:	2851779
Source Port:	49757
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:19.603053
SID:	2840032
Source Port:	49760
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:46.445965
SID:	2840032
Source Port:	49756
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:08.140183
SID:	2840032
Source Port:	49767
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:16.704723
SID:	2851779
Source Port:	49768
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:51.910656
SID:	2855542
Source Port:	49757
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:24.039925
SID:	2855542
Source Port:	49761
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:16.704723
SID:	2855542
Source Port:	49768
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:41.095190
SID:	2851779
Source Port:	49754
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:49.924574
SID:	2851779
Source Port:	49773
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:51.910735
SID:	2840032
Source Port:	49757
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:16.704675
SID:	2030171
Source Port:	49768
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:06.243579
SID:	2840032
Source Port:	49759
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:58.011916
SID:	2030171
Source Port:	49766
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:30:59.881457
SID:	2855542
Source Port:	49738
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:06.243391
SID:	2030171
Source Port:	49759
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:58.011990
SID:	2840032
Source Port:	49766
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:19.602140
SID:	2855542
Source Port:	49760
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:49.924574
SID:	2855542
Source Port:	49773
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:32:41.095190
SID:	2855542
Source Port:	49754
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:34:08.140144
SID:	2855542
Source Port:	49767
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 51.79.229.7

Timestamp:	03/29/24-11:33:51.057734
SID:	2030171
Source Port:	49762
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.AddInProcess32.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.gosportz.in", "Username": "sales@gosportz.in", "Password": "Ss@gosportz"}

Multi AV Scanner detection for submitted file

Source: bhevLCQYD6.exe	ReversingLabs: Detection: 36%
Source: bhevLCQYD6.exe	Virustotal: Detection: 44%			Perma Link

Machine Learning detection for sample

Source: bhevLCQYD6.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bhevLCQYD6.exe PID: 6956, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: bhevLCQYD6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\WorkHardKeepTrying\obj\Release\WorkHardKeepTrying.pdb source: bhevLCQYD6.exe
Source:	Binary string: System.Drawing.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: WorkHardKeepTrying.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Xml.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Dynamic.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.pdbH source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdbUyJ source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdbP source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA3BE.tmp.dmp.7.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49738 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49738 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49738 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49738 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49738 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49754 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49754 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49754 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49754 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49756 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49756 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49756 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49756 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49757 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49757 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49757 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49757 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49759 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49759 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49759 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49759 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49760 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49760 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49760 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49760 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49761 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49761 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49761 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49761 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49762 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49762 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49762 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49762 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49766 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49766 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49766 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49766 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49767 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49767 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49767 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49767 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49768 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49768 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49768 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49768 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49769 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49769 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49769 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49769 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49773 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49773 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49773 -> 51.79.229.7:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49773 -> 51.79.229.7:587

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 51.79.229.7:587

Source: Joe Sandbox View	IP Address: 51.79.229.7 51.79.229.7
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 51.79.229.7:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: bhevLCQYD6.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: bhevLCQYD6.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: AddInProcess32.exe, 00000003.00000002.4053823405.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002E1A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002CD6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.gosportz.in
Source: bhevLCQYD6.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: AddInProcess32.exe, 00000003.00000002.4053823405.0000000002971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: bhevLCQYD6.exe, 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: bhevLCQYD6.exe, 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: AddInProcess32.exe, 00000003.00000002.4053823405.0000000002971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: AddInProcess32.exe, 00000003.00000002.4053823405.0000000002971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: bhevLCQYD6.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49735 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, NDL2m67zO.cs	.Net Code: N8XNDo8o
Source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.raw.unpack, NDL2m67zO.cs	.Net Code: N8XNDo8o

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8DF400	0_2_00007FFD9B8DF400
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8B7C40	0_2_00007FFD9B8B7C40
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8E1BD8	0_2_00007FFD9B8E1BD8
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8B29EE	0_2_00007FFD9B8B29EE
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8DE870	0_2_00007FFD9B8DE870
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8B28B9	0_2_00007FFD9B8B28B9
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8B7CC8	0_2_00007FFD9B8B7CC8
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8B7EC8	0_2_00007FFD9B8B7EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00D941C8	3_2_00D941C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00D9E6C9	3_2_00D9E6C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00D9A960	3_2_00D9A960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00D94A98	3_2_00D94A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00D93E80	3_2_00D93E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00D9D96F	3_2_00D9D96F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062D7D48	3_2_062D7D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062D65B8	3_2_062D65B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062D5598	3_2_062D5598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062D3060	3_2_062D3060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062D0040	3_2_062D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062DC150	3_2_062DC150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062DB1FA	3_2_062DB1FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062D7668	3_2_062D7668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062D5C9F	3_2_062D5C9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062DE368	3_2_062DE368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062D2379	3_2_062D2379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_062D0006	3_2_062D0006

Source: C:\Users\user\Desktop\bhevLCQYD6.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6956 -s 1212

Source: bhevLCQYD6.exe

Static PE information: invalid certificate

Source: bhevLCQYD6.exe

Static PE information: No import functions for PE file found

Source: bhevLCQYD6.exe, 00000000.00000000.1593680021.000001D780800000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameApibequfebequle0 vs bhevLCQYD6.exe
Source: bhevLCQYD6.exe, 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef366647c-b5b7-4abe-a908-a8d3f9bee1f0.exe4 vs bhevLCQYD6.exe
Source: bhevLCQYD6.exe, 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIrehexeqF vs bhevLCQYD6.exe
Source: bhevLCQYD6.exe	Binary or memory string: OriginalFilenameApibequfebequle0 vs bhevLCQYD6.exe

Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: bhevLCQYD6.exe, Ldloc0MdSigCallingConvention.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, OTWUo99bfyR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, OTWUo99bfyR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, Ui9qhZiA7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, Ui9qhZiA7.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/5@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6956

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d334fb74-c17d-4400-8f57-4860fe335d8c

Jump to behavior

Source: bhevLCQYD6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\bhevLCQYD6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AddInProcess32.exe, 00000003.00000002.4052677096.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: select * from Win32_OperatingSystem);

Source: bhevLCQYD6.exe	ReversingLabs: Detection: 36%
Source: bhevLCQYD6.exe	Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\bhevLCQYD6.exe

File read: C:\Users\user\Desktop\bhevLCQYD6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bhevLCQYD6.exe "C:\Users\user\Desktop\bhevLCQYD6.exe"
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6956 -s 1212
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bhevLCQYD6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\bhevLCQYD6.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: bhevLCQYD6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bhevLCQYD6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: bhevLCQYD6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Xml.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\WorkHardKeepTrying\obj\Release\WorkHardKeepTrying.pdb source: bhevLCQYD6.exe
Source:	Binary string: System.Drawing.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: WorkHardKeepTrying.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Xml.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Dynamic.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.pdbH source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdbUyJ source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdbP source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERA3BE.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA3BE.tmp.dmp.7.dr

Source: bhevLCQYD6.exe

Static PE information: 0x994824D9 [Thu Jun 29 09:01:13 2051 UTC]

Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8B5638 push cs; retn 5F50h	0_2_00007FFD9B8CE13F
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8B7933 push ebx; retf	0_2_00007FFD9B8B796A
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B8B057D push ebx; iretd	0_2_00007FFD9B8B058A
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Code function: 0_2_00007FFD9B9E0C7B push esp; retf 4810h	0_2_00007FFD9B9E0D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00D90C3D push edi; ret	3_2_00D90CC2

Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: bhevLCQYD6.exe PID: 6956, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Memory allocated: 1D780B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Memory allocated: 1D79A600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 1404			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 8455			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -98417s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -98093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97327s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -96890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -96670s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -96562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -96453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -96343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -96234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -96125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -96015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -95906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -95797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -95687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -95578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -95468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -95359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -95250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -95140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -95030s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -94922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -94797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -94687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7264	Thread sleep time: -94578s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98417	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 94922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 94797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 94687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 94578	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000003.00000002.4058631804.0000000005C10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: bhevLCQYD6.exe, 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bhevLCQYD6.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: bhevLCQYD6.exe, Ldloc0MdSigCallingConvention.cs	Reference to suspicious API methods: ((Func3FileStandardInformation)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(TotalAvailableMemoryBytesMyComputer.EncoderFallbackBufferOnlyOnFaulted("getIsSignatureTypeReadLinesAsync")), TotalAvailableMemoryBytesMyComputer.EncoderFallbackBufferOnlyOnFaulted("IEquatable1CodeBase")), typeof(Func3FileStandardInformation)))(getParameterValueAsUint, getSerializationGuardgetUtcNow, EnumEqualityComparer1EventPayload, out Item2getASCII)
Source: bhevLCQYD6.exe, Ldloc0MdSigCallingConvention.cs	Reference to suspicious API methods: ((Func3FileStandardInformation)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(TotalAvailableMemoryBytesMyComputer.EncoderFallbackBufferOnlyOnFaulted("getIsSignatureTypeReadLinesAsync")), TotalAvailableMemoryBytesMyComputer.EncoderFallbackBufferOnlyOnFaulted("IEquatable1CodeBase")), typeof(Func3FileStandardInformation)))(getParameterValueAsUint, getSerializationGuardgetUtcNow, EnumEqualityComparer1EventPayload, out Item2getASCII)
Source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, W4ip.cs	Reference to suspicious API methods: ve645LMXEKU.OpenProcess(lUA9OgW.DuplicateHandle, bInheritHandle: true, (uint)aT9Qdac.ProcessID)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\bhevLCQYD6.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 74C008	Jump to behavior

Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Users\user\Desktop\bhevLCQYD6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bhevLCQYD6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\bhevLCQYD6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d792687740.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4053823405.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bhevLCQYD6.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6808, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d792687740.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4053823405.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bhevLCQYD6.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6808, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d792687740.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d792687740.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bhevLCQYD6.exe.1d79264ccf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4053823405.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bhevLCQYD6.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6808, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	211 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	1 Credentials in Registry	231 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	151 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bhevLCQYD6.exe	37%	ReversingLabs	Win64.Spyware.Negasteal
bhevLCQYD6.exe	44%	Virustotal		Browse
bhevLCQYD6.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
mail.gosportz.in	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://mail.gosportz.in	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://mail.gosportz.in	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.gosportz.in	51.79.229.7	true	true	0%, Virustotal, Browse	unknown
api.ipify.org	104.26.13.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	bhevLCQYD6.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	bhevLCQYD6.exe, 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	bhevLCQYD6.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://www.fontbureau.com/designers	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	AddInProcess32.exe, 00000003.00000002.4053823405.0000000002971000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	bhevLCQYD6.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	bhevLCQYD6.exe, 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002971000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	bhevLCQYD6.exe	false	URL Reputation: safe	unknown
http://mail.gosportz.in	AddInProcess32.exe, 00000003.00000002.4053823405.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002E1A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002CD6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4053823405.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AddInProcess32.exe, 00000003.00000002.4053823405.0000000002971000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	bhevLCQYD6.exe, 00000000.00000002.1743509855.000001D79BFD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.79.229.7	mail.gosportz.in	Canada		16276	OVHFR	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417465
Start date and time:	2024-03-29 11:30:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bhevLCQYD6.exe renamed because original name is a hash value
Original Sample Name:	83b5f3c1326831ab20c2d8114e4c324e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/5@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 52% Number of executed functions: 67 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:30:52	API Interceptor	12276582x Sleep call for process: AddInProcess32.exe modified
11:31:01	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51.79.229.7	https://apiservices.krxd.net/click_tracker/track?kxconfid=whjxbtb0h&_knopii=1&kxcampaignid=P.C.C-Class.W206.L.MI&kxplacementid=module2findmycar&kxbrand=MB&clk=http://mppl11.com/lobatan/goaway.spammer@loser.com	Get hash	malicious	Unknown	Browse	mppl11.com/favicon.ico
104.26.13.205	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.gosportz.in	New Order 3118.xlsx	Get hash	malicious	AgentTesla	Browse	51.79.229.7
	New Order 3118.doc	Get hash	malicious	AgentTesla	Browse	51.79.229.7
	yR5xIsCFuq.exe	Get hash	malicious	AgentTesla	Browse	51.79.229.7
	EhPeM5ilb8.exe	Get hash	malicious	AgentTesla	Browse	51.79.229.7
	bt0dMehItq.exe	Get hash	malicious	AgentTesla	Browse	51.79.229.7
	SecuriteInfo.com.Win32.PWSX-gen.22236.2799.exe	Get hash	malicious	AgentTesla	Browse	51.79.229.7
	NjS1bK9vVF.exe	Get hash	malicious	AgentTesla	Browse	51.79.229.7
api.ipify.org	TBC#01 Rev.A3 - lnexa.xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL_LHER000678175.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.9732.1319.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	ocrev ns.ordine 290520280324.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	CANKO DMC IMPORT ENQUIRY.PDF.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Transaction Advice_280324-WS-394-1247.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	YPT23-117419 numaral#U0131 Dekont-20240328.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	FedEx_AWB#53203024643.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	BL-SHIPPING INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	RFQ.doc	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	InjectToolInstaller.exe	Get hash	malicious	PureLog Stealer	Browse	104.26.4.15
	Stealer.exe	Get hash	malicious	Eternity Stealer	Browse	172.67.34.170
	MXpl6HFisn.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	https://airdrop-online-altlayer-anniversary.s3.us-east-2.amazonaws.com/posten.html?cid=freetomfr@hotmail.com	Get hash	malicious	Phisher	Browse	172.64.150.248
	7ITPeT3VWW.exe	Get hash	malicious	LummaC	Browse	104.21.38.98
	l2ZKczbGRq.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	104.26.4.15
	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	TBC#01 Rev.A3 - lnexa.xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
OVHFR	uk1HIyOQbk.exe	Get hash	malicious	Unknown	Browse	51.91.30.159
	uk1HIyOQbk.exe	Get hash	malicious	Unknown	Browse	51.91.30.159
	Mcb5K3TOWT.exe	Get hash	malicious	Unknown	Browse	91.121.160.6
	SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe	Get hash	malicious	Unknown	Browse	198.50.129.180
	Facture_160087511.html	Get hash	malicious	ScreenConnect Tool	Browse	158.69.9.165
	SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe	Get hash	malicious	Unknown	Browse	51.38.43.18
	assento 555 pro-Model-2.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	144.217.159.195
	awb_shipping_doc_23642.vbs	Get hash	malicious	FormBook, GuLoader	Browse	188.165.61.82
	https://www.rewardgateway.com/	Get hash	malicious	HTMLPhisher	Browse	51.222.241.100
	http://www.rewardgateway.com	Get hash	malicious	HTMLPhisher	Browse	51.222.241.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	TBC#01 Rev.A3 - lnexa.xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	package80171530600.jpg.lnk	Get hash	malicious	XWorm	Browse	104.26.13.205
	DHL_LHER000678175.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	inpau292101.js	Get hash	malicious	FormBook	Browse	104.26.13.205
	SecuriteInfo.com.Win32.PWSX-gen.9732.1319.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	ocrev ns.ordine 290520280324.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	CANKO DMC IMPORT ENQUIRY.PDF.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Transaction Advice_280324-WS-394-1247.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	YPT23-117419 numaral#U0131 Dekont-20240328.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	FedEx_AWB#53203024643.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bhevLCQYD6.exe_8827a0dbb697e60d3eedbe15e2e4538eca41c0_4be6e095_ef33ba46-e919-4d22-a920-a353ca617ed5\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.128599824478426
Encrypted:	false
SSDEEP:	192:AD+7kWBu50UnU9aWz3OlTwyZFqCAzuiFZZ24lO8Y:z7XBDUnU9a4oizuiFZY4lO8Y
MD5:	BD1BC7A18685AF081D68CF690FDDC3C9
SHA1:	D4FDF438D62CF73470311AF850AE509F62F9FD30
SHA-256:	53CE435B7417A631C9378E1CFE9741A5C419BAFFA1512F279E102C84BDCF7C04
SHA-512:	F4BE2C38C208D58DE789433A9A9DED6562A314FFFDCAD9F4D35F3A84CBBCC7B6DF143E1261876272B687CA22375675A6E4361EB27CA1312F3122338E941438A4
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.8.1.8.5.1.5.4.5.2.7.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.8.1.8.5.2.3.7.3.3.8.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.3.3.b.a.4.6.-.e.9.1.9.-.4.d.2.2.-.a.9.2.0.-.a.3.5.3.c.a.6.1.7.e.d.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.0.6.c.3.d.e.-.0.a.5.8.-.4.a.d.d.-.8.a.c.8.-.3.6.0.4.b.8.8.6.d.8.0.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.h.e.v.L.C.Q.Y.D.6...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.p.i.b.e.q.u.f.e.b.e.q.u.l.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.2.c.-.0.0.0.1.-.0.0.1.4.-.c.6.2.7.-.5.2.2.a.c.4.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.6.2.1.a.3.d.c.6.3.b.4.d.4.1.a.c.7.9.1.1.c.0.2.a.3.6.8.2.e.c.8.0.0.0.0.0.0.0.0.!.0.0.0.0.5.d.0.e.5.5.2.9.3.b.3.4.2.f.8.4.9.f.2.a.4.a.5.e.7.1.1.7.4.a.f.5.2.5.5.9.a.4.6.6.!.b.h.e.v.L.C.Q.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3BE.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Mar 29 10:30:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	541539
Entropy (8bit):	3.5853850456050185
Encrypted:	false
SSDEEP:	3072:hdVIidoyvBnb3oC4e5mK5sn+oRamliWfl4pKoHePNJecS5EjBj1CCqQ+FJ3+vCyK:rKyvlUC4XK5snZ3aKrSKpqP3Qvf/M
MD5:	3DFFADED25AECB633DEE0B983FEBEC5E
SHA1:	AAC4B22532EA49F0A46E7F648D38E6746A6A3446
SHA-256:	1C917CDC746A8F00971BCB32C07F69BC6362F1C317B325E00BF91488778DD9E2
SHA-512:	33D3FD58B3F06D9237260A2EB35CA2399F1CDB7176B03E465517E77D856AF46A20130840D0CEAA82BEC82963D754715FFCE2D2B030EC5ECB8FEDB8F49E5E4D7B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......[..f............D...............d.......$....!...... >..,!......................l.......8...........T............/..............L_..........8a..............................................................................eJ.......a......Lw......................T.......,...X..f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA594.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8862
Entropy (8bit):	3.7128611176645934
Encrypted:	false
SSDEEP:	192:R6l7wVeJRwlk6Y9VD4jC5gmfR6Jzprt89bboifVJm:R6lXJ2lk6Y/k25gmfRiEbtfy
MD5:	851CD9F2C5151A2E58264348EED578A4
SHA1:	D9372F662A5B1B44C2C3803EC0723326427DE006
SHA-256:	00B29CEBC5D0BBFCC16C2F2F2971E794E1D6C6B1396BC1D239F71FF4C20ED8EB
SHA-512:	2EF5DFD1ABF3C59B9F4693590588B6379D10D281CD27EE2C11544A9F98801EFA22C47E3CB9E7973D88E064BE15B4B39E4A261BD6993BBB3C1942F7FB8D1D74EB
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5D4.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4772
Entropy (8bit):	4.527655150679993
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg771I9cXWpW8VYWYm8M4J+/KAFlqyq85q/trB0T0wd:uIjfTI7fm7VGJZPra4wd
MD5:	5A02932174E5F7D9EA4DA145138A13BE
SHA1:	31C5D52B864FF38799DB2E649827C0F961CAFD99
SHA-256:	9C5F10A218712449AA1F2B7453D7A1BA6EA1EA27E6A90780E45DDC621C4EC86E
SHA-512:	34D36EFBF0F15758EF77121B358ABD03D894234FF6A13E391250ED2C1FC2BF4B86A5544BC6A46C4A92293294F178ADF96E5166787DEAF944BAB99B75C7D84573
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="256413" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465962915971092
Encrypted:	false
SSDEEP:	6144:nIXfpi67eLPU9skLmb0b47WSPKaJG8nAgejZMMhA2gX4WABl0uNIdwBCswSbp:IXD947WlLZMM6YFHi+p
MD5:	2F675F823D464E1880BD2F2755168892
SHA1:	ED042A5D3A2BA1355461CE5A4C331D9D2B76BAE8
SHA-256:	5221EA4C8A0E0C8C013F80AF52FA6AC813C1E41DD24B463F587F63C2CE1D67D4
SHA-512:	DEFADBC4ED7F02BC5842A224A26B25507EFAA4BC4EE7A35161782CDA419231E089567F02529AB23F77FFD3C4E4638F5FF6111D7C1606D518C0CBCA8F6DDDD9D4
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm>@.,...............................................................................................................................................................................................................................................................................................................................................\[..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.889636783099047
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bhevLCQYD6.exe
File size:	661'864 bytes
MD5:	83b5f3c1326831ab20c2d8114e4c324e
SHA1:	5d0e55293b342f849f2a4a5e71174af52559a466
SHA256:	29b71c3a7f3ae4017bd2e71cee4e9fbecfe5c7693ef30b5c541d27edc3d425b8
SHA512:	2148ac63bdafa9eda5c2e11ae97d7bde1930142d93b3b38dde16d09059ff9ce8d51c387928f4a16243c1e85050c327c79e6e49a5c79efb303bbdc8e67d5cbb66
SSDEEP:	12288:i2WIm0FEUjrw3i/03o7BcD1Q38vYWYNwmDSOaqaJez7bKaNoVsnjBf/LT3pCj:i2W70F7jL03GcDyeYjwqSOvaJezaaNsF
TLSH:	92E42260B3D5E922F3DE13748E16E2FA12716E219C6BD20778E17F1F3E3768041966A1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....$H..........."...0.\|j...t........... ....@...... ....................... ............`................................

File Icon


Icon Hash:	a2aba2abab03abc0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x994824D9 [Thu Jun 29 09:01:13 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	28/03/2024 13:51:09 28/03/2025 13:51:09
Subject Chain	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Version:	3
Thumbprint MD5:	AF43B38396E0148F4B8F8CE69C74190D
Thumbprint SHA-1:	A1F3F0CE0EC2D6A4FE094B9D8445582CDD9550BE
Thumbprint SHA-256:	7211D1B4DA4FFABC4A34573E18EC97B8352505577566B6CED252B218292EAC73
Serial:	00A1C20FCF63876110BDB00FFDAF35AE7A

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x73c2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa0088	0x18e0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x89b4	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6a7c	0x6c00	5715a5e27d2d58ff8e6bbcfe473fc15c	False	0.5087167245370371	data	5.866953296877542	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x73c2	0x7400	2325bde099a30553d43dcc251480b6d2	False	0.046875	data	1.5146428557157101	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xa21c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0			0.007557864903164856
RT_ICON	0xe444	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.017823639774859287
RT_ICON	0xf4ec	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0			0.025819672131147543
RT_ICON	0xfe74	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0			0.03604651162790698
RT_ICON	0x1052c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.05053191489361702
RT_GROUP_ICON	0x10994	0x4c	data			0.8026315789473685
RT_VERSION	0x109e0	0x3fc	data			0.4931372549019608
RT_VERSION	0x10ddc	0x3fc	data	English	United States	0.4950980392156863
RT_MANIFEST	0x111d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/29/24-11:34:49.924574	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49773	587	192.168.2.4	51.79.229.7
03/29/24-11:33:51.057848	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49762	587	192.168.2.4	51.79.229.7
03/29/24-11:32:41.095141	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49754	587	192.168.2.4	51.79.229.7
03/29/24-11:34:30.134284	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49769	587	192.168.2.4	51.79.229.7
03/29/24-11:34:30.134207	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49769	587	192.168.2.4	51.79.229.7
03/29/24-11:32:41.095247	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49754	587	192.168.2.4	51.79.229.7
03/29/24-11:34:49.924672	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49773	587	192.168.2.4	51.79.229.7
03/29/24-11:34:08.140144	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49767	587	192.168.2.4	51.79.229.7
03/29/24-11:33:24.039925	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49761	587	192.168.2.4	51.79.229.7
03/29/24-11:33:06.243511	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49759	587	192.168.2.4	51.79.229.7
03/29/24-11:33:19.602140	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49760	587	192.168.2.4	51.79.229.7
03/29/24-11:33:58.011955	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49766	587	192.168.2.4	51.79.229.7
03/29/24-11:34:30.134284	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49769	587	192.168.2.4	51.79.229.7
03/29/24-11:30:59.881457	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49738	587	192.168.2.4	51.79.229.7
03/29/24-11:33:24.039956	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49761	587	192.168.2.4	51.79.229.7
03/29/24-11:33:51.057801	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49762	587	192.168.2.4	51.79.229.7
03/29/24-11:32:51.910656	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49757	587	192.168.2.4	51.79.229.7
03/29/24-11:34:16.704777	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49768	587	192.168.2.4	51.79.229.7
03/29/24-11:32:46.441647	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49756	587	192.168.2.4	51.79.229.7
03/29/24-11:30:59.881408	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49738	587	192.168.2.4	51.79.229.7
03/29/24-11:30:59.881457	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49738	587	192.168.2.4	51.79.229.7
03/29/24-11:33:51.057801	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49762	587	192.168.2.4	51.79.229.7
03/29/24-11:34:30.134284	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49769	587	192.168.2.4	51.79.229.7
03/29/24-11:32:46.441647	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49756	587	192.168.2.4	51.79.229.7
03/29/24-11:33:06.243511	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49759	587	192.168.2.4	51.79.229.7
03/29/24-11:34:08.140078	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49767	587	192.168.2.4	51.79.229.7
03/29/24-11:33:58.011955	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49766	587	192.168.2.4	51.79.229.7
03/29/24-11:33:19.602140	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49760	587	192.168.2.4	51.79.229.7
03/29/24-11:33:24.039925	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49761	587	192.168.2.4	51.79.229.7
03/29/24-11:30:59.881457	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49738	587	192.168.2.4	51.79.229.7
03/29/24-11:32:46.440503	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49756	587	192.168.2.4	51.79.229.7
03/29/24-11:32:51.910656	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49757	587	192.168.2.4	51.79.229.7
03/29/24-11:33:19.603053	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49760	587	192.168.2.4	51.79.229.7
03/29/24-11:32:46.445965	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49756	587	192.168.2.4	51.79.229.7
03/29/24-11:34:08.140183	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49767	587	192.168.2.4	51.79.229.7
03/29/24-11:34:16.704723	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49768	587	192.168.2.4	51.79.229.7
03/29/24-11:32:51.910656	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49757	587	192.168.2.4	51.79.229.7
03/29/24-11:33:24.039925	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49761	587	192.168.2.4	51.79.229.7
03/29/24-11:34:16.704723	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49768	587	192.168.2.4	51.79.229.7
03/29/24-11:32:41.095190	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49754	587	192.168.2.4	51.79.229.7
03/29/24-11:34:49.924574	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49773	587	192.168.2.4	51.79.229.7
03/29/24-11:32:51.910735	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49757	587	192.168.2.4	51.79.229.7
03/29/24-11:34:16.704675	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49768	587	192.168.2.4	51.79.229.7
03/29/24-11:33:06.243579	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49759	587	192.168.2.4	51.79.229.7
03/29/24-11:33:58.011916	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49766	587	192.168.2.4	51.79.229.7
03/29/24-11:30:59.881457	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49738	587	192.168.2.4	51.79.229.7
03/29/24-11:33:06.243391	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49759	587	192.168.2.4	51.79.229.7
03/29/24-11:33:58.011990	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49766	587	192.168.2.4	51.79.229.7
03/29/24-11:33:19.602140	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49760	587	192.168.2.4	51.79.229.7
03/29/24-11:34:49.924574	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49773	587	192.168.2.4	51.79.229.7
03/29/24-11:32:41.095190	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49754	587	192.168.2.4	51.79.229.7
03/29/24-11:34:08.140144	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49767	587	192.168.2.4	51.79.229.7
03/29/24-11:33:51.057734	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49762	587	192.168.2.4	51.79.229.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 11:30:52.780472994 CET	49735	443	192.168.2.4	104.26.13.205
Mar 29, 2024 11:30:52.780515909 CET	443	49735	104.26.13.205	192.168.2.4
Mar 29, 2024 11:30:52.780584097 CET	49735	443	192.168.2.4	104.26.13.205
Mar 29, 2024 11:30:52.791181087 CET	49735	443	192.168.2.4	104.26.13.205
Mar 29, 2024 11:30:52.791199923 CET	443	49735	104.26.13.205	192.168.2.4
Mar 29, 2024 11:30:52.993832111 CET	443	49735	104.26.13.205	192.168.2.4
Mar 29, 2024 11:30:52.993911982 CET	49735	443	192.168.2.4	104.26.13.205
Mar 29, 2024 11:30:52.997706890 CET	49735	443	192.168.2.4	104.26.13.205
Mar 29, 2024 11:30:52.997729063 CET	443	49735	104.26.13.205	192.168.2.4
Mar 29, 2024 11:30:52.998050928 CET	443	49735	104.26.13.205	192.168.2.4
Mar 29, 2024 11:30:53.050164938 CET	49735	443	192.168.2.4	104.26.13.205
Mar 29, 2024 11:30:53.125649929 CET	49735	443	192.168.2.4	104.26.13.205
Mar 29, 2024 11:30:53.168245077 CET	443	49735	104.26.13.205	192.168.2.4
Mar 29, 2024 11:30:53.302434921 CET	443	49735	104.26.13.205	192.168.2.4
Mar 29, 2024 11:30:53.302495956 CET	443	49735	104.26.13.205	192.168.2.4
Mar 29, 2024 11:30:53.302552938 CET	49735	443	192.168.2.4	104.26.13.205
Mar 29, 2024 11:30:53.349200964 CET	49735	443	192.168.2.4	104.26.13.205
Mar 29, 2024 11:30:54.417860985 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:54.748786926 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:54.749253988 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:57.053921938 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:57.057949066 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:57.388297081 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:57.390759945 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:57.721575975 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:57.722280979 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:58.093048096 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:58.374062061 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:58.374439955 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:58.704823017 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:58.705063105 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:59.076364994 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:59.550096035 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:59.550374985 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:59.880866051 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:59.880887985 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:30:59.881407976 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:59.881457090 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:59.881475925 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:30:59.881491899 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:31:00.211637020 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:31:00.211740017 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:31:00.217231035 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:31:00.268898010 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:29.404280901 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:29.405026913 CET	49752	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:29.732148886 CET	587	49752	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:29.732259035 CET	49752	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:29.735270023 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:29.735364914 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:29.735364914 CET	49738	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:30.066039085 CET	587	49738	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:32.236251116 CET	587	49752	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:32.237797976 CET	49752	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:32.550750971 CET	49752	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:32.564769983 CET	587	49752	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:32.564827919 CET	49752	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:32.627751112 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:32.877808094 CET	587	49752	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:32.877851963 CET	49752	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:32.878129005 CET	587	49752	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:32.878169060 CET	49752	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:32.955130100 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:32.955200911 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:34.562933922 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:34.563081980 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:34.890671968 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:34.890929937 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:35.218631029 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:35.218811989 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:35.586850882 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:35.866506100 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:35.866699934 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:36.194207907 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:36.196078062 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:36.564419031 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:36.847512007 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:36.847636938 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:37.019331932 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:37.072119951 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:37.175080061 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:37.175096989 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:37.175143957 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:37.346690893 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:37.346738100 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:37.346936941 CET	587	49753	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:37.346977949 CET	49753	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:37.395770073 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:37.395838022 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:38.623836040 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:38.623965979 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:38.947662115 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:38.947809935 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:39.271543980 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:39.271771908 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:39.602577925 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:39.606076956 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:39.929730892 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:39.929933071 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:40.293746948 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:40.769996881 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:40.770112038 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.093662024 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.093678951 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.095038891 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.095140934 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.095190048 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.095247030 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.096564054 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.418705940 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.418862104 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.419625998 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.419639111 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.419680119 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.419704914 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.419713974 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.419755936 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.419763088 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.419807911 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.419831991 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.419877052 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.483545065 CET	49755	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.742923021 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.742938042 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.743057013 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.743067980 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.743077040 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.743104935 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.743149042 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.743196964 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.743218899 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.743261099 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.743288040 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.743352890 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.743402004 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.744153976 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:41.810864925 CET	587	49755	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:41.810956001 CET	49755	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:42.066533089 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.066549063 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.066620111 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.066802979 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.066982031 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.067116976 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.067183018 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.067353010 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.067378998 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.067468882 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.067496061 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.067542076 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.067584038 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.070473909 CET	587	49754	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.070563078 CET	49754	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:42.906980038 CET	587	49755	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:42.907212973 CET	49755	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:42.941041946 CET	49755	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:42.991761923 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:43.234561920 CET	587	49755	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:43.234647036 CET	49755	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:43.268547058 CET	587	49755	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:43.268640995 CET	49755	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:43.268832922 CET	587	49755	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:43.268910885 CET	49755	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:43.320117950 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:43.320200920 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:43.809849024 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:43.831559896 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:44.160342932 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:44.165663004 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:44.494664907 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:44.534625053 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:44.598853111 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:44.934900999 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:44.935012102 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:45.263410091 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:45.263545990 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:45.632975101 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.104513884 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.104655027 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.433034897 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.433049917 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.440392971 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.440502882 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.441647053 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.445965052 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.459706068 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.768724918 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.773957968 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.774007082 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.787991047 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.788003922 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.788049936 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.788060904 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.788072109 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.788116932 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:46.788198948 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:46.788248062 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:47.116444111 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.116460085 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.116538048 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:47.116636038 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.116672993 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.116686106 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:47.116727114 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:47.116822958 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.116873026 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:47.116887093 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.116911888 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.116960049 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:47.157979012 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.444926023 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.444963932 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.444976091 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.444987059 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.444997072 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445096016 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445173025 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445291042 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445358038 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445432901 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445542097 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445590973 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445651054 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445672989 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445853949 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445866108 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.445929050 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.446006060 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.446017027 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.446115971 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.450308084 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:47.534677029 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:47.739995003 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:48.069359064 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:48.069454908 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:48.069488049 CET	49756	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:48.070313931 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:48.397731066 CET	587	49756	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:48.401360035 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:48.401448011 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:49.205162048 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:49.205331087 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:49.536838055 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:49.537081957 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:49.868706942 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:49.868908882 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:50.207633972 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:50.207811117 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:50.539326906 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:50.539484978 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:50.912317038 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:51.578958988 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:51.579442024 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:51.910361052 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:51.910372972 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:51.910603046 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:51.910655975 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:51.910655975 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:51.910734892 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:51.911758900 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:52.241637945 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.241903067 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:52.242908001 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.242925882 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.243032932 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:52.574244022 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.574265957 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.574275970 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.574337959 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.574342966 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:52.574404001 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:52.574423075 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.574459076 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:52.906110048 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.906125069 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.906132936 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.906142950 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.906265974 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.906275034 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.906282902 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.906361103 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:52.908586025 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:53.128380060 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:59.633996010 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:59.966006041 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:32:59.966097116 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:59.966186047 CET	49757	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:32:59.967271090 CET	49758	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:00.297240019 CET	587	49757	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:00.298640013 CET	587	49758	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:00.298727036 CET	49758	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:01.933011055 CET	587	49758	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:01.965972900 CET	49758	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:02.296955109 CET	587	49758	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:02.297213078 CET	49758	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:02.628475904 CET	587	49758	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:02.628909111 CET	49758	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:02.691014051 CET	49758	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:02.740760088 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:02.967454910 CET	587	49758	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:02.967530966 CET	49758	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:03.022068977 CET	587	49758	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:03.022151947 CET	49758	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:03.022474051 CET	587	49758	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:03.022511959 CET	49758	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:03.067881107 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:03.067936897 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:03.556862116 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:03.562078953 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:03.889468908 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:03.890111923 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:04.217725992 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:04.218096972 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:04.553942919 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:04.558012009 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:04.885474920 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:04.886534929 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:05.255237103 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:05.915577888 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:05.915775061 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.243113995 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.243138075 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.243391037 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.243391037 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.243510962 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.243578911 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.245996952 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.570837021 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.570895910 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.573617935 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.573693991 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.900929928 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.900973082 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.901009083 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.901036978 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.901046038 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.901079893 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.901092052 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.901128054 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.901141882 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.901181936 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.901199102 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:06.901248932 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:06.942290068 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228174925 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228255033 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228333950 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228395939 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228508949 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228519917 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228600979 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228610992 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228651047 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228672981 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228743076 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228753090 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228805065 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228851080 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.228909016 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.232022047 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:07.284734011 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:15.448297977 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:15.776487112 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:15.778091908 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:15.778223991 CET	49759	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:15.779098988 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:16.105384111 CET	587	49759	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:16.107618093 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:16.107706070 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:16.597810984 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:16.598009109 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:16.926455021 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:16.927232981 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:17.256053925 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:17.291434050 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:17.627615929 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:17.676091909 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:17.817698002 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:18.146157026 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:18.192049980 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:18.334162951 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:18.703576088 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:19.177416086 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:19.237891912 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:19.273478031 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:19.601774931 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:19.601792097 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:19.602139950 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:19.602139950 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:19.602139950 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:19.603053093 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:19.603053093 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:19.930983067 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:19.931041956 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:19.931941032 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:19.932018042 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:19.932339907 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:19.932404995 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:20.095182896 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:20.260291100 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.260327101 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.260440111 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:20.260447025 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.260499954 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.260567904 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:20.260611057 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.424385071 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.424458027 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:20.589194059 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.589210987 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.589226007 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.589375973 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.589546919 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.589557886 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.589682102 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.589814901 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.589912891 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.590176105 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.590315104 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.590415001 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.596304893 CET	587	49760	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:20.596355915 CET	49760	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:21.724108934 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:21.724339008 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:22.056971073 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:22.057145119 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:22.386478901 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:22.386661053 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:22.723340988 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:22.723507881 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:23.052629948 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:23.052793026 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:23.422614098 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:23.705164909 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:23.710088968 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:24.039448977 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:24.039536953 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:24.039865017 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:24.039925098 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:24.039925098 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:24.039956093 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:24.046008110 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:24.369035959 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:24.369162083 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:24.375164032 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:24.375271082 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:24.375319004 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:24.375473022 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:24.705231905 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:24.705360889 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:25.035013914 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.035115957 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:25.035393000 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.035455942 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.035645008 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.035741091 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.035809994 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.035985947 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.036227942 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.036283016 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.036423922 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.036571980 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.036775112 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.036947012 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.364557028 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.368417978 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:25.409651995 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:46.591531992 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:46.929729939 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:46.929788113 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:48.343677044 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:48.343837023 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:48.681770086 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:48.681910038 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:49.020174980 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:49.020421982 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:49.399347067 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:49.712979078 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:49.717989922 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:50.055988073 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:50.056225061 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:50.435487032 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:50.719082117 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:50.719218016 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.057389021 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.057405949 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.057670116 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.057734013 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.057801008 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.057847977 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.059207916 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.371807098 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.395664930 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.395723104 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.397027969 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.397089005 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.397207975 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.397267103 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.397327900 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.397368908 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.397692919 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.397741079 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.701870918 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.704339027 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.704339027 CET	49761	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.708118916 CET	49763	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.735075951 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.735378027 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.735394955 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.735455990 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.735559940 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.735598087 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.735716105 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.735778093 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:51.735838890 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.735964060 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:51.736017942 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.033389091 CET	587	49761	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.036114931 CET	587	49763	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.036189079 CET	49763	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.073316097 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.073328972 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.073450089 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.073719025 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.073771000 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.073895931 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.073990107 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074177980 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074292898 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074398994 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074474096 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074585915 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074678898 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074749947 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074795008 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074857950 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074923992 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.074995041 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.075249910 CET	587	49762	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.076119900 CET	49762	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.097280025 CET	49763	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.153836966 CET	49764	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.425422907 CET	587	49763	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.479208946 CET	587	49764	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.480228901 CET	49764	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.526532888 CET	587	49763	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.526546955 CET	587	49763	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.526609898 CET	49763	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.526609898 CET	49763	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.526853085 CET	587	49763	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.527044058 CET	49763	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.566188097 CET	49764	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.628999949 CET	49765	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.891339064 CET	587	49764	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.963637114 CET	587	49765	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.963704109 CET	49765	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.966814041 CET	587	49764	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.966840982 CET	587	49764	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.966895103 CET	49764	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.967156887 CET	587	49764	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:52.967185020 CET	49764	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:52.967205048 CET	49764	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:53.892549992 CET	587	49765	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:53.894192934 CET	49765	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:54.229209900 CET	587	49765	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:54.229417086 CET	49765	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:54.565218925 CET	587	49765	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:54.570250988 CET	49765	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:54.816246986 CET	49765	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:54.888421059 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:54.912740946 CET	587	49765	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:54.912800074 CET	49765	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:55.151262045 CET	587	49765	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:55.151310921 CET	49765	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:55.151571989 CET	587	49765	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:55.151628971 CET	49765	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:55.216442108 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:55.218138933 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:55.708498955 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:55.709254026 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:56.036773920 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:56.036978960 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:56.364911079 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:56.365103006 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:56.700086117 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:56.700246096 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:57.027564049 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:57.027707100 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:57.396076918 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:57.679044008 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:57.684030056 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.011626959 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.011641026 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.011915922 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.011915922 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.011955023 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.011990070 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.013016939 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.340037107 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.340960979 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.341083050 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.341109991 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.341202021 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.341203928 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.341315031 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.381902933 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.382036924 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.669101000 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669117928 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669132948 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669156075 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669205904 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.669229031 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669269085 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.669281960 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669292927 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669316053 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669325113 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.669346094 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.669362068 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669363022 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.669384956 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.669413090 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.669442892 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:58.709198952 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.996630907 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.996646881 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.996659040 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.996689081 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997606993 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997657061 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997667074 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997700930 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997747898 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997812986 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997823954 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997843981 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997869968 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997934103 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997944117 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.997952938 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.998001099 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.998040915 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.998053074 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.998094082 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.998105049 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:58.998187065 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:59.315931082 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:59.325177908 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:59.327943087 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:33:59.378446102 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:33:59.643106937 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:03.646014929 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:03.973010063 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:03.973320961 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:03.974015951 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:03.976102114 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:03.976102114 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:03.982003927 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:04.300314903 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:04.302050114 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:04.303376913 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:04.305635929 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:04.305758953 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:04.627490044 CET	587	49766	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:04.627545118 CET	49766	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:05.859705925 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:05.860129118 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:06.184118986 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:06.184314966 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:06.508233070 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:06.512458086 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:06.843652964 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:06.843823910 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:07.167639017 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:07.167783022 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:07.531861067 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:07.815110922 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:07.816261053 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.139795065 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.139830112 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.140047073 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.140078068 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.140144110 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.140182972 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.144038916 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.463613987 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.463716030 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.467561960 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.467933893 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.468007088 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.468046904 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.468154907 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.468177080 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.468302011 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.791743040 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.791836023 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.791841984 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.791848898 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:08.791889906 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:08.791908026 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:09.115530014 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.115658998 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.115670919 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.115680933 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.115691900 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.115709066 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.115748882 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.115830898 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.115909100 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.115957022 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.121484041 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:09.175335884 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:13.030797958 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:13.355309010 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:13.355412006 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:13.355412006 CET	49767	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:13.356550932 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:13.679497957 CET	587	49767	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:13.688112020 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:13.696001053 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:14.189565897 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:14.192274094 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:14.524430037 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:14.526124954 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:14.858160973 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:14.858397961 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:15.197937965 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:15.198147058 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:15.530333996 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:15.530488014 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:15.902359962 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:16.371783018 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:16.372304916 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:16.704197884 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:16.704224110 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:16.704585075 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:16.704674959 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:16.704722881 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:16.704777002 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:16.705939054 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.036765099 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.036828995 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.038408041 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.038455963 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.038516998 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.079452991 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.079511881 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.368920088 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.368999004 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.370532036 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.370573997 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.370604038 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.370604992 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.370630980 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.370649099 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.370691061 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.370728016 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.370738029 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.370770931 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.370795965 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.370835066 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.370896101 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.370906115 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.370939016 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.370959997 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.371011972 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.371056080 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.371073008 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.371145964 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:17.411792994 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.700849056 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.702336073 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.702368021 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.702414036 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.702461958 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.703104973 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.703208923 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.703298092 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.703358889 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.703459024 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.703521967 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.703558922 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.705933094 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:17.756050110 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:26.630986929 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:26.963865995 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:26.963933945 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:26.963994980 CET	49768	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:26.965231895 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:27.295672894 CET	587	49768	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:27.297367096 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:27.297435999 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:27.790985107 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:27.794133902 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:28.127245903 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:28.128165007 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:28.461091995 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:28.464168072 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:28.804677963 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:28.811490059 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:29.143872976 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:29.144042969 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:29.516944885 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:29.799726963 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:29.801211119 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.133912086 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.133930922 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.134162903 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.134207010 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.134284019 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.134284019 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.135294914 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.466784000 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.467648029 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.467700958 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.467798948 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.467900038 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.467936993 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.468008995 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.468139887 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.800415993 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.800432920 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.800481081 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.800570965 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.800582886 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.800605059 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.800622940 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.800637960 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.800685883 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.800832033 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.800875902 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.800966024 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.801004887 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.802081108 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.802128077 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.802190065 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:30.802228928 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:30.842264891 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133325100 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133342981 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133353949 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133364916 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133378029 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133496046 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133507013 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133517981 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133527994 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133538961 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133663893 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133711100 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133721113 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133784056 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133800983 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133846045 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133970022 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133980989 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.133991003 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.134095907 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.134145021 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.134207964 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.134284973 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.134294987 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.134377956 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:31.456589937 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:31.466543913 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.470031977 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:31.519097090 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:31.789016962 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:40.630558014 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:40.956602097 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:40.962979078 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:40.963645935 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:40.963695049 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:40.963767052 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:40.964863062 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:41.284739017 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:41.289103031 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:41.295883894 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:41.300066948 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:41.300162077 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:41.616775990 CET	587	49769	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:41.616821051 CET	49769	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:41.796077967 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:41.798223019 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:42.133290052 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:42.133563042 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:42.469429016 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:42.470230103 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:42.813056946 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:42.813230038 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:43.148365021 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:43.148509979 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:43.524221897 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:43.628587961 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:43.691706896 CET	49771	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:43.807437897 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:43.814016104 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:43.964032888 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:43.964158058 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:43.964504004 CET	587	49770	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:43.964628935 CET	49770	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:44.018493891 CET	587	49771	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:44.018630981 CET	49771	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:44.667638063 CET	587	49771	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:44.667804003 CET	49771	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:44.995027065 CET	587	49771	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:44.995183945 CET	49771	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:45.323563099 CET	587	49771	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:45.323905945 CET	49771	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:45.519196033 CET	49771	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:45.567610979 CET	49772	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:45.659008980 CET	587	49771	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:45.659101963 CET	49771	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:45.846625090 CET	587	49771	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:45.846971035 CET	587	49771	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:45.847033024 CET	49771	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:45.847033024 CET	49771	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:45.895037889 CET	587	49772	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:45.898113012 CET	49772	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:46.698137045 CET	587	49772	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:46.708982944 CET	49772	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:46.722526073 CET	49772	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:46.841892958 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:47.036694050 CET	587	49772	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:47.036778927 CET	49772	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:47.050024986 CET	587	49772	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:47.050069094 CET	49772	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:47.050242901 CET	587	49772	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:47.050287962 CET	49772	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:47.165134907 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:47.165227890 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:47.650085926 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:47.650243998 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:47.973659992 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:47.974162102 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:48.297979116 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:48.298187017 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:48.629096985 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:48.630151987 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:48.953470945 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:48.953615904 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:49.317302942 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:49.600481033 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:49.600617886 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:49.924232006 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:49.924263954 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:49.924520969 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:49.924573898 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:49.924573898 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:49.924671888 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:49.925775051 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:50.248092890 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.248266935 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:50.249373913 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.249547005 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:50.573121071 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.573137045 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.573218107 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.573255062 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.573282003 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:50.573379993 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:50.896516085 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.896531105 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.896575928 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:50.896612883 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.896687984 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.896748066 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.896790981 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.896831989 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.896948099 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.896985054 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.897007942 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.897058010 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.897098064 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.897146940 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:50.897298098 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:51.082184076 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:51.143570900 CET	49774	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:51.221853018 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:51.225039959 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:51.225090981 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:51.405668974 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:51.405714035 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:51.406045914 CET	587	49773	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:51.406085968 CET	49773	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:51.473921061 CET	587	49774	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:51.473988056 CET	49774	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:51.966362000 CET	587	49774	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:51.973031044 CET	49774	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:52.304411888 CET	587	49774	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:52.306179047 CET	49774	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:52.637283087 CET	587	49774	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:52.645045996 CET	49774	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:53.016381025 CET	587	49774	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:53.284852982 CET	49774	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:53.328732967 CET	587	49774	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:53.328787088 CET	49774	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:53.370712996 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:53.615247011 CET	587	49774	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:53.615300894 CET	49774	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:53.615459919 CET	587	49774	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:53.615505934 CET	49774	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:53.696557045 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:53.696666956 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:54.184283972 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:54.184521914 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:54.510925055 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:54.511113882 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:54.837763071 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:54.838098049 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:55.172066927 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:55.172291994 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:55.498246908 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:55.573195934 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:56.973143101 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:56.973241091 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:57.054467916 CET	49776	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:57.341006041 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:57.382307053 CET	587	49776	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:57.382394075 CET	49776	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:57.622916937 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:57.622935057 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:57.623001099 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:57.623001099 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:57.623313904 CET	587	49775	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:57.623359919 CET	49775	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:57.871319056 CET	587	49776	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:57.871436119 CET	49776	587	192.168.2.4	51.79.229.7
Mar 29, 2024 11:34:58.199166059 CET	587	49776	51.79.229.7	192.168.2.4
Mar 29, 2024 11:34:58.253501892 CET	49776	587	192.168.2.4	51.79.229.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 11:30:52.671713114 CET	65263	53	192.168.2.4	1.1.1.1
Mar 29, 2024 11:30:52.767791986 CET	53	65263	1.1.1.1	192.168.2.4
Mar 29, 2024 11:30:53.942142963 CET	61959	53	192.168.2.4	1.1.1.1
Mar 29, 2024 11:30:54.416799068 CET	53	61959	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2024 11:30:52.671713114 CET	192.168.2.4	1.1.1.1	0x59a1	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Mar 29, 2024 11:30:53.942142963 CET	192.168.2.4	1.1.1.1	0xf74a	Standard query (0)	mail.gosportz.in	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 29, 2024 11:30:52.767791986 CET	1.1.1.1	192.168.2.4	0x59a1	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Mar 29, 2024 11:30:52.767791986 CET	1.1.1.1	192.168.2.4	0x59a1	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Mar 29, 2024 11:30:52.767791986 CET	1.1.1.1	192.168.2.4	0x59a1	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Mar 29, 2024 11:30:54.416799068 CET	1.1.1.1	192.168.2.4	0xf74a	No error (0)	mail.gosportz.in	51.79.229.7	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	104.26.13.205	443	6808	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-29 10:30:53 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-03-29 10:30:53 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 29 Mar 2024 10:30:53 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 86bf2fe6582e3952-IAD
2024-03-29 10:30:53 UTC	13	IN	Data Raw: 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 Data Ascii: 102.165.48.43

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Mar 29, 2024 11:30:57.053921938 CET	587	49738	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:00:55 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:30:57.057949066 CET	49738	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:30:57.388297081 CET	587	49738	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:30:57.390759945 CET	49738	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:30:57.721575975 CET	587	49738	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:30:58.374062061 CET	587	49738	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:30:58.374439955 CET	49738	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:30:58.704823017 CET	587	49738	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:30:58.705063105 CET	49738	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:30:59.550096035 CET	587	49738	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:30:59.550374985 CET	49738	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:30:59.880887985 CET	587	49738	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:30:59.881491899 CET	49738	587	192.168.2.4	51.79.229.7	.
Mar 29, 2024 11:31:00.217231035 CET	587	49738	51.79.229.7	192.168.2.4	250 OK id=1rq9Va-00C0Jc-Lw
Mar 29, 2024 11:32:29.404280901 CET	49738	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:32:29.735270023 CET	587	49738	51.79.229.7	192.168.2.4	221 ns5005362.ip-51-79-229.net closing connection
Mar 29, 2024 11:32:32.236251116 CET	587	49752	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:02:31 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:32:32.237797976 CET	49752	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:32:32.564769983 CET	587	49752	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:32:32.877808094 CET	587	49752	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:32:34.562933922 CET	587	49753	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:02:33 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:32:34.563081980 CET	49753	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:32:34.890671968 CET	587	49753	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:32:34.890929937 CET	49753	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:32:35.218631029 CET	587	49753	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:32:35.866506100 CET	587	49753	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:32:35.866699934 CET	49753	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:32:36.194207907 CET	587	49753	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:32:36.196078062 CET	49753	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:32:36.847512007 CET	587	49753	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:32:36.847636938 CET	49753	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:32:37.175096989 CET	587	49753	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:32:37.346690893 CET	587	49753	51.79.229.7	192.168.2.4	421 Lost incoming connection
Mar 29, 2024 11:32:38.623836040 CET	587	49754	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:02:37 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:32:38.623965979 CET	49754	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:32:38.947662115 CET	587	49754	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:32:38.947809935 CET	49754	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:32:39.271543980 CET	587	49754	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:32:39.602577925 CET	587	49754	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:32:39.606076956 CET	49754	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:32:39.929730892 CET	587	49754	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:32:39.929933071 CET	49754	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:32:40.769996881 CET	587	49754	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:32:40.770112038 CET	49754	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:32:41.093678951 CET	587	49754	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:32:42.906980038 CET	587	49755	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:02:41 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:32:42.907212973 CET	49755	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:32:43.234561920 CET	587	49755	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:32:43.268547058 CET	587	49755	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:32:43.809849024 CET	587	49756	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:02:42 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:32:43.831559896 CET	49756	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:32:44.160342932 CET	587	49756	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:32:44.165663004 CET	49756	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:32:44.494664907 CET	587	49756	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:32:44.934900999 CET	587	49756	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:32:44.935012102 CET	49756	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:32:45.263410091 CET	587	49756	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:32:45.263545990 CET	49756	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:32:46.104513884 CET	587	49756	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:32:46.104655027 CET	49756	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:32:46.433049917 CET	587	49756	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:32:47.450308084 CET	587	49756	51.79.229.7	192.168.2.4	250 OK id=1rq9XJ-00C0sO-7V
Mar 29, 2024 11:32:47.739995003 CET	49756	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:32:48.069359064 CET	587	49756	51.79.229.7	192.168.2.4	221 ns5005362.ip-51-79-229.net closing connection
Mar 29, 2024 11:32:49.205162048 CET	587	49757	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:02:48 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:32:49.205331087 CET	49757	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:32:49.536838055 CET	587	49757	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:32:49.537081957 CET	49757	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:32:49.868706942 CET	587	49757	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:32:50.207633972 CET	587	49757	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:32:50.207811117 CET	49757	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:32:50.539326906 CET	587	49757	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:32:50.539484978 CET	49757	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:32:51.578958988 CET	587	49757	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:32:51.579442024 CET	49757	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:32:51.910372972 CET	587	49757	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:32:52.908586025 CET	587	49757	51.79.229.7	192.168.2.4	250 OK id=1rq9XO-00C0sl-Mj
Mar 29, 2024 11:32:59.633996010 CET	49757	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:32:59.966006041 CET	587	49757	51.79.229.7	192.168.2.4	221 ns5005362.ip-51-79-229.net closing connection
Mar 29, 2024 11:33:01.933011055 CET	587	49758	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:03:00 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:33:01.965972900 CET	49758	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:33:02.296955109 CET	587	49758	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:33:02.297213078 CET	49758	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:33:02.628475904 CET	587	49758	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:33:02.967454910 CET	587	49758	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:33:03.022068977 CET	587	49758	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:33:03.556862116 CET	587	49759	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:03:02 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:33:03.562078953 CET	49759	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:33:03.889468908 CET	587	49759	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:33:03.890111923 CET	49759	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:33:04.217725992 CET	587	49759	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:33:04.553942919 CET	587	49759	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:33:04.558012009 CET	49759	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:33:04.885474920 CET	587	49759	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:33:04.886534929 CET	49759	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:33:05.915577888 CET	587	49759	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:33:05.915775061 CET	49759	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:33:06.243138075 CET	587	49759	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:33:07.232022047 CET	587	49759	51.79.229.7	192.168.2.4	250 OK id=1rq9Xd-00C0ui-1I
Mar 29, 2024 11:33:15.448297977 CET	49759	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:33:15.776487112 CET	587	49759	51.79.229.7	192.168.2.4	221 ns5005362.ip-51-79-229.net closing connection
Mar 29, 2024 11:33:16.597810984 CET	587	49760	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:03:15 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:33:16.598009109 CET	49760	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:33:16.926455021 CET	587	49760	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:33:16.927232981 CET	49760	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:33:17.256053925 CET	587	49760	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:33:17.627615929 CET	587	49760	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:33:17.817698002 CET	49760	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:33:18.146157026 CET	587	49760	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:33:18.334162951 CET	49760	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:33:19.177416086 CET	587	49760	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:33:19.273478031 CET	49760	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:33:19.601792097 CET	587	49760	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:33:21.724108934 CET	587	49761	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:03:20 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:33:21.724339008 CET	49761	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:33:22.056971073 CET	587	49761	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:33:22.057145119 CET	49761	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:33:22.386478901 CET	587	49761	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:33:22.723340988 CET	587	49761	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:33:22.723507881 CET	49761	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:33:23.052629948 CET	587	49761	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:33:23.052793026 CET	49761	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:33:23.705164909 CET	587	49761	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:33:23.710088968 CET	49761	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:33:24.039536953 CET	587	49761	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:33:25.368417978 CET	587	49761	51.79.229.7	192.168.2.4	250 OK id=1rq9Xu-00C0xQ-Qw
Mar 29, 2024 11:33:48.343677044 CET	587	49762	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:03:47 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:33:48.343837023 CET	49762	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:33:48.681770086 CET	587	49762	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:33:48.681910038 CET	49762	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:33:49.020174980 CET	587	49762	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:33:49.712979078 CET	587	49762	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:33:49.717989922 CET	49762	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:33:50.055988073 CET	587	49762	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:33:50.056225061 CET	49762	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:33:50.719082117 CET	587	49762	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:33:50.719218016 CET	49762	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:33:51.057405949 CET	587	49762	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:33:51.371807098 CET	49761	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:33:51.701870918 CET	587	49761	51.79.229.7	192.168.2.4	221 ns5005362.ip-51-79-229.net closing connection
Mar 29, 2024 11:33:52.074923992 CET	587	49762	51.79.229.7	192.168.2.4	421 Lost incoming connection
Mar 29, 2024 11:33:52.526532888 CET	587	49763	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:03:51 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:33:52.526546955 CET	587	49763	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:33:52.966814041 CET	587	49764	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:03:51 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:33:52.966840982 CET	587	49764	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:33:53.892549992 CET	587	49765	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:03:52 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:33:53.894192934 CET	49765	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:33:54.229209900 CET	587	49765	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:33:54.229417086 CET	49765	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:33:54.565218925 CET	587	49765	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:33:54.912740946 CET	587	49765	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:33:55.151262045 CET	587	49765	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:33:55.708498955 CET	587	49766	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:03:54 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:33:55.709254026 CET	49766	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:33:56.036773920 CET	587	49766	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:33:56.036978960 CET	49766	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:33:56.364911079 CET	587	49766	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:33:56.700086117 CET	587	49766	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:33:56.700246096 CET	49766	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:33:57.027564049 CET	587	49766	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:33:57.027707100 CET	49766	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:33:57.679044008 CET	587	49766	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:33:57.684030056 CET	49766	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:33:58.011641026 CET	587	49766	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:33:58.998187065 CET	49766	587	192.168.2.4	51.79.229.7	.
Mar 29, 2024 11:33:59.315931082 CET	49766	587	192.168.2.4	51.79.229.7	.
Mar 29, 2024 11:33:59.327943087 CET	587	49766	51.79.229.7	192.168.2.4	250 OK id=1rq9YS-00C111-Q5
Mar 29, 2024 11:34:03.646014929 CET	49766	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:34:03.973010063 CET	49766	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:34:03.974015951 CET	587	49766	51.79.229.7	192.168.2.4	221 ns5005362.ip-51-79-229.net closing connection
Mar 29, 2024 11:34:05.859705925 CET	587	49767	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:04 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:05.860129118 CET	49767	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:06.184118986 CET	587	49767	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:34:06.184314966 CET	49767	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:34:06.508233070 CET	587	49767	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:34:06.843652964 CET	587	49767	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:34:06.843823910 CET	49767	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:34:07.167639017 CET	587	49767	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:34:07.167783022 CET	49767	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:34:07.815110922 CET	587	49767	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:34:07.816261053 CET	49767	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:34:08.139830112 CET	587	49767	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:34:09.121484041 CET	587	49767	51.79.229.7	192.168.2.4	250 OK id=1rq9Yc-00C12I-UL
Mar 29, 2024 11:34:13.030797958 CET	49767	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:34:13.355309010 CET	587	49767	51.79.229.7	192.168.2.4	221 ns5005362.ip-51-79-229.net closing connection
Mar 29, 2024 11:34:14.189565897 CET	587	49768	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:13 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:14.192274094 CET	49768	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:14.524430037 CET	587	49768	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:34:14.526124954 CET	49768	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:34:14.858160973 CET	587	49768	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:34:15.197937965 CET	587	49768	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:34:15.198147058 CET	49768	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:34:15.530333996 CET	587	49768	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:34:15.530488014 CET	49768	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:34:16.371783018 CET	587	49768	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:34:16.372304916 CET	49768	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:34:16.704224110 CET	587	49768	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:34:17.705933094 CET	587	49768	51.79.229.7	192.168.2.4	250 OK id=1rq9Yl-00C13D-G0
Mar 29, 2024 11:34:26.630986929 CET	49768	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:34:26.963865995 CET	587	49768	51.79.229.7	192.168.2.4	221 ns5005362.ip-51-79-229.net closing connection
Mar 29, 2024 11:34:27.790985107 CET	587	49769	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:26 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:27.794133902 CET	49769	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:28.127245903 CET	587	49769	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:34:28.128165007 CET	49769	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:34:28.461091995 CET	587	49769	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:34:28.804677963 CET	587	49769	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:34:28.811490059 CET	49769	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:34:29.143872976 CET	587	49769	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:34:29.144042969 CET	49769	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:34:29.799726963 CET	587	49769	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:34:29.801211119 CET	49769	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:34:30.133930922 CET	587	49769	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:34:31.134377956 CET	49769	587	192.168.2.4	51.79.229.7	.
Mar 29, 2024 11:34:31.456589937 CET	49769	587	192.168.2.4	51.79.229.7	.
Mar 29, 2024 11:34:31.470031977 CET	587	49769	51.79.229.7	192.168.2.4	250 OK id=1rq9Yy-00C15H-Tr
Mar 29, 2024 11:34:40.630558014 CET	49769	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:34:40.956602097 CET	49769	587	192.168.2.4	51.79.229.7	QUIT
Mar 29, 2024 11:34:40.963645935 CET	587	49769	51.79.229.7	192.168.2.4	221 ns5005362.ip-51-79-229.net closing connection
Mar 29, 2024 11:34:41.796077967 CET	587	49770	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:40 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:41.798223019 CET	49770	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:42.133290052 CET	587	49770	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:34:42.133563042 CET	49770	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:34:42.469429016 CET	587	49770	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:34:42.813056946 CET	587	49770	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:34:42.813230038 CET	49770	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:34:43.148365021 CET	587	49770	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:34:43.148509979 CET	49770	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:34:43.807437897 CET	587	49770	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:34:43.964032888 CET	587	49770	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:34:44.667638063 CET	587	49771	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:43 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:44.667804003 CET	49771	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:44.995027065 CET	587	49771	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:34:44.995183945 CET	49771	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:34:45.323563099 CET	587	49771	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:34:45.659008980 CET	587	49771	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:34:45.846625090 CET	587	49771	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:34:46.698137045 CET	587	49772	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:45 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:46.708982944 CET	49772	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:47.036694050 CET	587	49772	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:34:47.050024986 CET	587	49772	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:34:47.650085926 CET	587	49773	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:46 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:47.650243998 CET	49773	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:47.973659992 CET	587	49773	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:34:47.974162102 CET	49773	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:34:48.297979116 CET	587	49773	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:34:48.629096985 CET	587	49773	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:34:48.630151987 CET	49773	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:34:48.953470945 CET	587	49773	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:34:48.953615904 CET	49773	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:34:49.600481033 CET	587	49773	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:34:49.600617886 CET	49773	587	192.168.2.4	51.79.229.7	DATA
Mar 29, 2024 11:34:49.924263954 CET	587	49773	51.79.229.7	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 29, 2024 11:34:51.225039959 CET	587	49773	51.79.229.7	192.168.2.4	250 OK id=1rq9ZI-00C186-NM
Mar 29, 2024 11:34:51.405668974 CET	587	49773	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:34:51.966362000 CET	587	49774	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:50 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:51.973031044 CET	49774	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:52.304411888 CET	587	49774	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:34:52.306179047 CET	49774	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:34:52.637283087 CET	587	49774	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:34:53.328732967 CET	587	49774	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:34:53.615247011 CET	587	49774	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:34:54.184283972 CET	587	49775	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:53 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:54.184521914 CET	49775	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:54.510925055 CET	587	49775	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 29, 2024 11:34:54.511113882 CET	49775	587	192.168.2.4	51.79.229.7	AUTH login c2FsZXNAZ29zcG9ydHouaW4=
Mar 29, 2024 11:34:54.837763071 CET	587	49775	51.79.229.7	192.168.2.4	334 UGFzc3dvcmQ6
Mar 29, 2024 11:34:55.172066927 CET	587	49775	51.79.229.7	192.168.2.4	235 Authentication succeeded
Mar 29, 2024 11:34:55.172291994 CET	49775	587	192.168.2.4	51.79.229.7	MAIL FROM:<sales@gosportz.in>
Mar 29, 2024 11:34:55.498246908 CET	587	49775	51.79.229.7	192.168.2.4	250 OK
Mar 29, 2024 11:34:56.973143101 CET	49775	587	192.168.2.4	51.79.229.7	RCPT TO:<info.superseal@yandex.com>
Mar 29, 2024 11:34:57.622916937 CET	587	49775	51.79.229.7	192.168.2.4	250 Accepted
Mar 29, 2024 11:34:57.622935057 CET	587	49775	51.79.229.7	192.168.2.4	421 ns5005362.ip-51-79-229.net lost input connection
Mar 29, 2024 11:34:57.871319056 CET	587	49776	51.79.229.7	192.168.2.4	220-ns5005362.ip-51-79-229.net ESMTP Exim 4.94.2 #2 Fri, 29 Mar 2024 16:04:56 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 29, 2024 11:34:57.871436119 CET	49776	587	192.168.2.4	51.79.229.7	EHLO 302494
Mar 29, 2024 11:34:58.199166059 CET	587	49776	51.79.229.7	192.168.2.4	250-ns5005362.ip-51-79-229.net Hello 302494 [102.165.48.43] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP

Target ID:	0
Start time:	11:30:48
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\bhevLCQYD6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bhevLCQYD6.exe"
Imagebase:	0x1d7807f0000
File size:	661'864 bytes
MD5 hash:	83B5F3C1326831AB20C2D8114E4C324E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1738465464.000001D782B1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1739589900.000001D792611000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:30:50
Start date:	29/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:30:51
Start date:	29/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x560000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4052069622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4053823405.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4053823405.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:30:51
Start date:	29/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x420000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:30:51
Start date:	29/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6956 -s 1212
Imagebase:	0x7ff757a70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8B7C40 Relevance: 3.2, Strings: 2, Instructions: 738
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>K_I, xrefs: 00007FFD9B8DA9A1
zI_L, xrefs: 00007FFD9B8DAA74

Memory Dump Source

Source File: 00000000.00000002.1744688635.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID: >K_I$zI_L
API String ID: 0-2214994172
Opcode ID: b652ff5e4cc41453a1822f1539f18745bbb120ceae21bb2e93eed446489ddddc
Instruction ID: f9b8f944ce858075c880d1aac26a271dfbcdebb23b6ad310a424977000fe2240
Opcode Fuzzy Hash: b652ff5e4cc41453a1822f1539f18745bbb120ceae21bb2e93eed446489ddddc
Instruction Fuzzy Hash: 8A22E731B1DA4E5BE76CAB6894666B573D2EFD8340F51437EE04EC32D3DE38A9024681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8B7CC8 Relevance: 3.0, Instructions: 2981COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744688635.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0827321530d8c79b6b9b99d621e237fd1897705593ce264b4293ff68730d0b
Instruction ID: 418861f47c7ef88f7ff1b5c45b46b93073923b78e1c2d1961275a81532effbe2
Opcode Fuzzy Hash: 1d0827321530d8c79b6b9b99d621e237fd1897705593ce264b4293ff68730d0b
Instruction Fuzzy Hash: 8C33827061DB898FD7B8DB58C495AAA77E1FF98300F11467ED08DC72A2DE34A942C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8DE870 Relevance: 2.2, Strings: 1, Instructions: 966
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6I_H, xrefs: 00007FFD9B8DEE6D

Memory Dump Source

Source File: 00000000.00000002.1744688635.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID: 6I_H
API String ID: 0-3463136791
Opcode ID: b0b13cee7539f7a08d7613317dae4fd9cafbc35987c677b41d767af3d7c5ad0c
Instruction ID: 109f4db94b78d76e8ad0c8c36095754aa71aa4d0e4be528903077a3c52dca476
Opcode Fuzzy Hash: b0b13cee7539f7a08d7613317dae4fd9cafbc35987c677b41d767af3d7c5ad0c
Instruction Fuzzy Hash: CC624370B19A1D8FDBA8DB58C465BB873E1FF9C300F5542BAD00DD7296DE34A9428B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8B28B9 Relevance: 1.1, Instructions: 1109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744688635.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb4b56db5d86237d208feb8640d9c34fac3d8458ea1e8191fd0118f10cfcf90
Instruction ID: 749ce23a3306b3b2da1563efdce92a2333de161169d59e41dad3c8b86af13bbc
Opcode Fuzzy Hash: bfb4b56db5d86237d208feb8640d9c34fac3d8458ea1e8191fd0118f10cfcf90
Instruction Fuzzy Hash: 7B720531B1DA1E4FEB6C9BB8982567977D1EF58310F15427ED00EC31E6DE29AC428B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8DF400 Relevance: 1.0, Instructions: 1001COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744688635.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a207ada37e6999247f92cab0a790bbc9ce5acc7730963cf2e2561c6c95d702
Instruction ID: e044cd1ad10b913fff36b5a401598942eebf14441619cb5fa79ea860ce824564
Opcode Fuzzy Hash: d9a207ada37e6999247f92cab0a790bbc9ce5acc7730963cf2e2561c6c95d702
Instruction Fuzzy Hash: 3652B031B19A4A4FEBA8DB189465A7473D2FF9C340F1543BAD04EC72E6DE24AD428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E1BD8 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744688635.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b5aa3467a2050fea1278f2f9dac7439a14e36635aeec533584c4397096ed23
Instruction ID: 3baa387b66797619f2b93779f2cb6ce382a18e66b0e3c46b7622f3a8bda54dc3
Opcode Fuzzy Hash: 45b5aa3467a2050fea1278f2f9dac7439a14e36635aeec533584c4397096ed23
Instruction Fuzzy Hash: 75224A30A1DB894FE75AEB6888615657BE1EF5A300B0A41FFD089C71F3DD28AD46C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8B29EE Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744688635.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a884abe7484f6a1e2f159ea487ce49f90f4557d9aa34e44aac69fb745b072801
Instruction ID: fba23cb7a3cabcb9f5c10c3bd4b002dfdc628edbf960d2787b1eca4739cfd9d1
Opcode Fuzzy Hash: a884abe7484f6a1e2f159ea487ce49f90f4557d9aa34e44aac69fb745b072801
Instruction Fuzzy Hash: FE911671B2EB5A4FD36DAFBC18261B47BC1EF58350B0542BED40AC72F6ED5968028781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9E0C7B Relevance: 2.3, Strings: 1, Instructions: 1045
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 00007FFD9B9E1196

Memory Dump Source

Source File: 00000000.00000002.1745229501.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 24226122240dcf5b3b391bfb2a06da7daaaa7bd384ba3c6c4607e69a190c9a31
Instruction ID: 3ba5ff72ed5702e438e361af535d32616e8e0b9f58b1baa7c532aaf3c79c5fae
Opcode Fuzzy Hash: 24226122240dcf5b3b391bfb2a06da7daaaa7bd384ba3c6c4607e69a190c9a31
Instruction Fuzzy Hash: 65629C31A1E7CA4FEB66DB68C8655A47FF0FF56300F0905FED089CB1A2DA246A46C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8B3F39 Relevance: 1.6, APIs: 1, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B8B3FFD

Memory Dump Source

Source File: 00000000.00000002.1744688635.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_bhevLCQYD6.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9f98306dadea7fc25b0800d426febe5ab5a3fa0ea640d13d116e554ff733be16
Instruction ID: 54b4c412f4e685ed3cbc2608a084de6499ce1fc346dfd2816cfde7932e48c8bb
Opcode Fuzzy Hash: 9f98306dadea7fc25b0800d426febe5ab5a3fa0ea640d13d116e554ff733be16
Instruction Fuzzy Hash: 1931183190DB5C8FDB1C9BA898556FE7BE1EF95311F00426FE049C3292DA74680587C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9E1839 Relevance: .9, Instructions: 868COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745229501.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1c92a0ea4c3acb4e9cfe91082663b9576834e06746721116537ebacb094c5a
Instruction ID: 67ba4c1eee446f03854b0b169e19a8b861866741faafcc8ff5b14844b69346ae
Opcode Fuzzy Hash: ab1c92a0ea4c3acb4e9cfe91082663b9576834e06746721116537ebacb094c5a
Instruction Fuzzy Hash: A2426A32A1E7D95FE766CB7888655A47FE0FF56304F0605FED088CB1A3DA246A46C381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9E05E1 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745229501.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18cf3228f7e215c48d837c349a76553778f3c0ea69fca6828d89fcad186b787
Instruction ID: 8238cb3fadf348ff0685e2046594c638a92adb6c1a26fb285a7b4b60a2100cf6
Opcode Fuzzy Hash: d18cf3228f7e215c48d837c349a76553778f3c0ea69fca6828d89fcad186b787
Instruction Fuzzy Hash: 7C41761270FB8E1FE79647B818612B47BD1DF86920B0E02FBC449C71E7EE099D468391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9E1C79 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745229501.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adac41c353f769d1eaa34041dcd7051dc0785545a9228742a4668482c4504bbc
Instruction ID: ca35480f49baace703ed06e3912c310da161112276e5b2a02ae475d728e5ccf6
Opcode Fuzzy Hash: adac41c353f769d1eaa34041dcd7051dc0785545a9228742a4668482c4504bbc
Instruction Fuzzy Hash: E8415931A1EB9D9FDB66DF28C8644E57BF0FF65304B0601BED04AC71A2DA25AA41C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9E0330 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745229501.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e652a853bace77dcde0f5e31f598005771cf9212cee933517905ba5f49a1a0c2
Instruction ID: f2547b66673605d6f5b59d435bf937d12209f555d0e6ff7e6fb66e434f9ec7d6
Opcode Fuzzy Hash: e652a853bace77dcde0f5e31f598005771cf9212cee933517905ba5f49a1a0c2
Instruction Fuzzy Hash: D1E0C212B09D090FEBD8A65D3C9817863D3DBD851139811BFD05EC329BDD28DC478300

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B8B7EC8 Relevance: 2.1, Strings: 1, Instructions: 815COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD9B8F91B5

Memory Dump Source

Source File: 00000000.00000002.1744688635.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_bhevLCQYD6.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 035778ef177095eee8f1c53b8c8d356b19da4f93a5f4a1454c6b37dd742daa16
Instruction ID: b065ef732982066c1ce0d3918c7cec57f1f3a1c903b034626b7c7b7e948c93ef
Opcode Fuzzy Hash: 035778ef177095eee8f1c53b8c8d356b19da4f93a5f4a1454c6b37dd742daa16
Instruction Fuzzy Hash: 51428270B1DA4A8FDBA8DB5884A5A65B7D1FFA8300F11457ED04EC32A6DE34E942C781

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AddInProcess32.exePID: 6808, Parent PID: 6956COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	4

Executed Functions

Function 062D3060 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062D37B8
$^q, xrefs: 062D3788
$^q, xrefs: 062D375F
$^q, xrefs: 062D37AC
$^q, xrefs: 062D376B
$^q, xrefs: 062D3794

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: be3c6566c8cc6c8ff3de1e617b88149ff7376360902127603ad9cda16f6db9a9
Instruction ID: a636e93bf8e987b11ee9508ba49bb67c662c576c06cdf9bda90d91f1a14cbd27
Opcode Fuzzy Hash: be3c6566c8cc6c8ff3de1e617b88149ff7376360902127603ad9cda16f6db9a9
Instruction Fuzzy Hash: 19321E31E1061ACFDB54EF75D89459DB7B2FF89300F10C6A9D409AB264EB30AD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062D7D48 Relevance: 3.0, Strings: 2, Instructions: 486
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062D82E3
$^q, xrefs: 062D82EF

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: db4d23e888954ea023fd2a891b0c66f260a285decb5dc7b58c69facd4eefc758
Instruction ID: 6a6c049e3c960afd8a1f44ffd3981856e3f1efa79829f49122690dcc95b8de16
Opcode Fuzzy Hash: db4d23e888954ea023fd2a891b0c66f260a285decb5dc7b58c69facd4eefc758
Instruction Fuzzy Hash: 5A02CE31B102168FDB54EF68D4946AEB7E2FF84304F248529D80ADB795DB35EC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062D0040 Relevance: 2.1, Instructions: 2066COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254cec6d5cddd0de8dae992a43a6ecedf656408a29e3d1917cbf3ef5acadf5d1
Instruction ID: 91ebf23c5c601deca6bcb9c4b49c5e77878154e7646dea9f1a1233f53e628355
Opcode Fuzzy Hash: 254cec6d5cddd0de8dae992a43a6ecedf656408a29e3d1917cbf3ef5acadf5d1
Instruction Fuzzy Hash: 3123FC31D2071A8ECB11EF68C89469DF7B1FF99300F15C69AE459A7221EB70AAC5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 062D2379 Relevance: 1.0, Instructions: 1009COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2331318cd7b45114d2b53ed8d6c2e1caff6ef4164b88e60c134f0b91ec403b
Instruction ID: e85fe5ec4206ed4c5c935a0254d661b1f84a542eb1fe467eee0a1eaadff7bd62
Opcode Fuzzy Hash: 9f2331318cd7b45114d2b53ed8d6c2e1caff6ef4164b88e60c134f0b91ec403b
Instruction Fuzzy Hash: 08928534A11205CFCBA4DB68C184A5DBBF2FB45314F54C8A9E90AAB361DB35ED81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 062D65B8 Relevance: .8, Instructions: 824COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327161123041d0e980cd939f0f8058c2b268bdbdbaa445d4c0861726937f647c
Instruction ID: 23702bfaa628172a98cad8cc98954afedccc26d1a1be6e1a389a7242c4b98fe2
Opcode Fuzzy Hash: 327161123041d0e980cd939f0f8058c2b268bdbdbaa445d4c0861726937f647c
Instruction Fuzzy Hash: 6F62BE34B202058FDB54DB68D584BADB7F2EF88314F148469E806EB395DB35ED82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062DC150 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a188ea959e725088250bb70a623811b7d65f44927225b16ed63f53ff4d0b1e7a
Instruction ID: bb38db7b151491203dbb00114fcd5dc916531a41709b89d485a9b6a51a1a78ab
Opcode Fuzzy Hash: a188ea959e725088250bb70a623811b7d65f44927225b16ed63f53ff4d0b1e7a
Instruction Fuzzy Hash: CF32A234B142069FDF54EB68D580BAEB7B6FB89314F108525E805EB394DB35EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062D5598 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ebc2ae81d2d89bc8ae61769c5977cb937050e53d3418c132760571ce23d74c6
Instruction ID: 36367f690420d90718c99010d0ab372d936db784e8142ace4e2dba9335b38679
Opcode Fuzzy Hash: 7ebc2ae81d2d89bc8ae61769c5977cb937050e53d3418c132760571ce23d74c6
Instruction Fuzzy Hash: 3412E231F202169FEF64DF64D88066EB7A2EF84314F208429D85AEB384DB74DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062DB1FA Relevance: .6, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36889080ec710446293dba1e2a429a5983ef660ebeff5a0f3dfe9851b52eeb2
Instruction ID: d035d514e24072a1ea24b55e5fd12d2a47bf7b80bec892dee02f5c9b724afc70
Opcode Fuzzy Hash: b36889080ec710446293dba1e2a429a5983ef660ebeff5a0f3dfe9851b52eeb2
Instruction Fuzzy Hash: 1C229574E2010A8FEF64DF68D5A07AEB7B2EB45311F218825E845EB395CB35DC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062DACA0 Relevance: 10.4, Strings: 8, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062DAE6C
$^q, xrefs: 062DAE43
$^q, xrefs: 062DAE20
$^q, xrefs: 062DAE14
$^q, xrefs: 062DAE78
$^q, xrefs: 062DAE4F
$^q, xrefs: 062DADC1
$^q, xrefs: 062DADCD

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 1f7c35ff444b2930bbd53c91d36ee1a96a38c2a3a1afa016a2ea1b5bc95f7cf7
Instruction ID: bd899e4483b180f5c85dd2bb714728365cdbe53dfa0e8c67309c81235f9c21cf
Opcode Fuzzy Hash: 1f7c35ff444b2930bbd53c91d36ee1a96a38c2a3a1afa016a2ea1b5bc95f7cf7
Instruction Fuzzy Hash: 6EE17030F2020A8FDF55DF68D494AAEB7B2EF85304F118929D809EB394DB75D846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062DB618 Relevance: 8.0, Strings: 6, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062DBBD1
$^q, xrefs: 062DBB75
$^q, xrefs: 062DBB69
$^q, xrefs: 062DBBA9
$^q, xrefs: 062DBB9D
$^q, xrefs: 062DBBDD

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 45d77c377a4e5cbb080ff7336230dfb7420e2d4fee1736e98706f04e4a99995e
Instruction ID: 7f66ab62eff879d1a8ce482e3529a0257ac83bda14b42d23f184c58ea20dc5c8
Opcode Fuzzy Hash: 45d77c377a4e5cbb080ff7336230dfb7420e2d4fee1736e98706f04e4a99995e
Instruction Fuzzy Hash: B402A170E2020A8FDFA4DF68D4A06ADB7B1FB45311F12892AD845DB395DB34DC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062D9120 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062D9173
$^q, xrefs: 062D91AE
$^q, xrefs: 062D91A2
$^q, xrefs: 062D9167

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f4fcbc187ac6a5d933c9ec0727336dcffb8490a0fdb11d4c73428ebab56739c8
Instruction ID: abe7d31f57647d2c88b6f6e25a2913d049bead125db7b07fa4eb5f3cb2abef1e
Opcode Fuzzy Hash: f4fcbc187ac6a5d933c9ec0727336dcffb8490a0fdb11d4c73428ebab56739c8
Instruction Fuzzy Hash: 08915231F1021A9FDB54EF65D9507AFB3F6ABC5204F108569D809EB384EB70DC868B91

Uniqueness

Uniqueness Score: -1.00%

Function 062DCF08 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062DD307
$^q, xrefs: 062DD313
$^q, xrefs: 062DD2FF

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 6dd6773b2c4e0f1370194031a3893e175b577bc5b85db1ba5f7d3cfb4194a7d4
Instruction ID: 3eb1249f9a2cf471037e0ad48906a2fc5188669bea909fcb60b46ed707cfe2a1
Opcode Fuzzy Hash: 6dd6773b2c4e0f1370194031a3893e175b577bc5b85db1ba5f7d3cfb4194a7d4
Instruction Fuzzy Hash: 5C625030A106168FCB55EF68D590A5EB7F2FF84304F208969D4099F359DB71ED8ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 062D4B68 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 062D4B93
XPcq, xrefs: 062D4CB9
\Ocq, xrefs: 062D4D43

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 2d9432a8f3c06182e404ae4e6bf2196dbe1f58cb890e30ab814a9b205c82df9b
Instruction ID: f4e574534cf76e2e8a2fdfc3f7ff170de36dc753115c926a2029f80feb7d9919
Opcode Fuzzy Hash: 2d9432a8f3c06182e404ae4e6bf2196dbe1f58cb890e30ab814a9b205c82df9b
Instruction Fuzzy Hash: AA618030E102199FEB54AFA9D8547AEBBF2FF88300F208429D506EB395DB754D458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 062D9110 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062D91A2
$^q, xrefs: 062D9167

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 64946b9dd51f5bbc8ece4f14397be0d3b03f4d6976282d65dd78bbcf230624fa
Instruction ID: f4440ddf92341ca9403e0ec69d3db41732269a92f8a07cb692803073a9fdfc7e
Opcode Fuzzy Hash: 64946b9dd51f5bbc8ece4f14397be0d3b03f4d6976282d65dd78bbcf230624fa
Instruction Fuzzy Hash: 1D516F31F141069FDB54EB64D951BAF73FAAB88644F108469D809DB788EB30DC82CB95

Uniqueness

Uniqueness Score: -1.00%

Function 062D4B58 Relevance: 2.6, Strings: 2, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 062D4B93
XPcq, xrefs: 062D4CB9

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: c92287d63cc11a27973bcea9df4e03fdad885e04dce91b3461065f755fc659f6
Instruction ID: 7f05ceeb4ab3be3ae9b35422b1cdb81a5327f8a8d5d0c205d05979bd6f66fcec
Opcode Fuzzy Hash: c92287d63cc11a27973bcea9df4e03fdad885e04dce91b3461065f755fc659f6
Instruction Fuzzy Hash: E1518230F102189FDB549FA9C85479EBAF6FF88700F208429E546AB395DA758D018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D9EB60 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4053113231.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db39baa0cb3b66aae3cbff79a9596cde7bee7e915c710914c7e1abbf2630938
Instruction ID: 723f79f3237b47322890953ffdf311649f77dec9288bd7580b8c0b74bed87b20
Opcode Fuzzy Hash: 2db39baa0cb3b66aae3cbff79a9596cde7bee7e915c710914c7e1abbf2630938
Instruction Fuzzy Hash: 6B414472D103599FCB14DF69D8042DEBBF5EF89310F14856AD805A7391DB349885CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9EC48 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00D9ECAF

Memory Dump Source

Source File: 00000003.00000002.4053113231.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_AddInProcess32.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 098f211d51c5e0c69c3617a98fe582b776feab12cae81ef1ad3769d81e30ccc6
Instruction ID: 02c4651487fde7d7ed9c5442502345e40a4405ddb8d700f4e3269cea0ea71f87
Opcode Fuzzy Hash: 098f211d51c5e0c69c3617a98fe582b776feab12cae81ef1ad3769d81e30ccc6
Instruction Fuzzy Hash: 1711EFB1C006699BCB10DF9AC544BEEFBF4AB48320F14856AD858A7290D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 062DDA7D Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PH^q, xrefs: 062DDBD9

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 40673bf35f4aaf2a3182388c1a5b597364291f8ae6895432386fe07fff0b26f8
Instruction ID: b6174cef2e9eabfd8c192a79ef039252d8d2d945d464d87c4cdbcffcfe3d7688
Opcode Fuzzy Hash: 40673bf35f4aaf2a3182388c1a5b597364291f8ae6895432386fe07fff0b26f8
Instruction Fuzzy Hash: 8E41B130E147469FDB519F78D8446AEBBB2FF85304F244929E805EB380EB70D946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062D2200 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 062D233B

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: b7d8ffe7c63eaa38a9dc41cf09b8f86faaa4f34e4562453cebbd7dee1ac1ea31
Instruction ID: 1a83ca09d42d0ba2e88330239b3828a1af98b0853e360fbce15651fa38740f5d
Opcode Fuzzy Hash: b7d8ffe7c63eaa38a9dc41cf09b8f86faaa4f34e4562453cebbd7dee1ac1ea31
Instruction Fuzzy Hash: 5C31D230B20206CFDB49AB78D51866F7BE2AB89704F104428D906DB394DF75DE46CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 062D8298 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 062D82E3

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 090b978819813ce5f31ffdcb808cfb4caf69ba1ade30328f076da6421527a41e
Instruction ID: bf61fcfc3f27fd51e8d439878eec460dd1a68b6a3c99c59754d5ef5f0184622b
Opcode Fuzzy Hash: 090b978819813ce5f31ffdcb808cfb4caf69ba1ade30328f076da6421527a41e
Instruction Fuzzy Hash: D0F0FF32B241028FDFE8AA89E9812B873A5EB40304F104426CC09CF684C739E905C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 062D61B0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c4e8d617ce41d31c4f293e6042c6ec7642fc4ca4538c8f66f7cfdd46a26e5c
Instruction ID: 1b9d93d58638705836750b76eb83cb835c5a1dc816e02153d2f6ae37f579efec
Opcode Fuzzy Hash: e0c4e8d617ce41d31c4f293e6042c6ec7642fc4ca4538c8f66f7cfdd46a26e5c
Instruction Fuzzy Hash: 9361D071F100224FCF50AA7EC88866FAAD7AFD4624F25443AD80EDB364DE65DD0287D2

Uniqueness

Uniqueness Score: -1.00%

Function 062D42A1 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2d06d0d62f7d349741da834d4ff70f4e1e0fb6e9cec0b2c72c53aaa5e73745
Instruction ID: 9b2c017426694410f65b466c14cfd32721554a59a20aafe3e79de4201c8723b4
Opcode Fuzzy Hash: 2f2d06d0d62f7d349741da834d4ff70f4e1e0fb6e9cec0b2c72c53aaa5e73745
Instruction Fuzzy Hash: 2A813034B1020A9FDF54EFA9D55479EB7F6AF89304F108429D80ADB394DB74EC828B91

Uniqueness

Uniqueness Score: -1.00%

Function 062D45BC Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242a198013acda551d483ccff45085ae6eda1dfa8fa4dcfb05a96b152e495ee2
Instruction ID: b5de06c0d6a0380aa86dedb4e800d12f7d8b82d5881f3b655277a85cdae23c60
Opcode Fuzzy Hash: 242a198013acda551d483ccff45085ae6eda1dfa8fa4dcfb05a96b152e495ee2
Instruction Fuzzy Hash: 88914030E1021A8FDF60DF68C890B9DB7B1FF89304F208595D549EB295DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 062D45D0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd9f1d788b3e83f121ae43c83858b439e7538e02d877d6aa58a8df6323078c0
Instruction ID: d5b21547b4b289e4392ae408ac7e36017092af02924356175098470877a0084b
Opcode Fuzzy Hash: 5fd9f1d788b3e83f121ae43c83858b439e7538e02d877d6aa58a8df6323078c0
Instruction Fuzzy Hash: 7F912E30E1061A8BDF60DF68C880B9DB7B1FF89304F208695D549AB295DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 062DEAD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9b80c1bf76377200c3017b1f502144877439e66259ebae5a9861c7ae1eff94
Instruction ID: 829c154629df802738f83c53e2002d0e87995759e1ede4b6e82a61f7325f0ef1
Opcode Fuzzy Hash: ca9b80c1bf76377200c3017b1f502144877439e66259ebae5a9861c7ae1eff94
Instruction Fuzzy Hash: 1F713D30A102099FDB54DFA9D980A9DBBF6FF84304F258529E449EB355DB30ED46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 062DEAE8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0424353c2318366de6868919a943b0b458b0eddce2ebca15f337c73ed91d6448
Instruction ID: 0464bbeb7c8ddcca1c06456a775859ab605e0199a4d097e2892ff92da169e6b5
Opcode Fuzzy Hash: 0424353c2318366de6868919a943b0b458b0eddce2ebca15f337c73ed91d6448
Instruction Fuzzy Hash: E2711B30A102099FDB54EFA9D980A9DBBF6FF84304F258529E449EB355DB30ED46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 062DFC41 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13969a26987036c9c95704a58762595ef43040179d9b4513ce1d9183f01bfe22
Instruction ID: ec5570d336772a5afc75f5487549e58262dff4649fe3c249a3036a0e75501512
Opcode Fuzzy Hash: 13969a26987036c9c95704a58762595ef43040179d9b4513ce1d9183f01bfe22
Instruction Fuzzy Hash: 25511331E10206DFCF64EF78E6446ADBBB2EB88315F108829E90BD7391DB318955CB94

Uniqueness

Uniqueness Score: -1.00%

Function 062DF9F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9cabd511f33c4a088ecc5ffa434ddb556323099a8d683c80769b7ce26da0e9
Instruction ID: ff6d02be676ae2352f39f47f5df21bf477557b6991b91981fcbf3274ccbae153
Opcode Fuzzy Hash: 3d9cabd511f33c4a088ecc5ffa434ddb556323099a8d683c80769b7ce26da0e9
Instruction Fuzzy Hash: 6251D930B202159FEF70667CDA5476F2A5FD789710F20492AE80BDB3D5CA69CC8587A2

Uniqueness

Uniqueness Score: -1.00%

Function 062DFA00 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d45ce9a98d74ec280d996a6e62a1eb6dbff88f174e45b95f3572cee2195b55c
Instruction ID: 141fb094703e0e9ab217af0e836f1652d29c73cfe3953b7d2ff902c553c5182f
Opcode Fuzzy Hash: 5d45ce9a98d74ec280d996a6e62a1eb6dbff88f174e45b95f3572cee2195b55c
Instruction Fuzzy Hash: 5651D630B20215DFEF74666CDA5472F365EE789710F20492AE80BDB3D8CA69CC8547A6

Uniqueness

Uniqueness Score: -1.00%

Function 062D5411 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4855be967170e425f5984cd65d4e237b0118c3a24bc5000049a9267ac5091aa5
Instruction ID: d7aa6de788f92031371044eff3c60fb92a7c6237d2a1e0bef987238075efe307
Opcode Fuzzy Hash: 4855be967170e425f5984cd65d4e237b0118c3a24bc5000049a9267ac5091aa5
Instruction Fuzzy Hash: 3E415B72E1060A8BDF70CFA9D881AAFFBB2FB44310F10492AE556E7650D370E9558B91

Uniqueness

Uniqueness Score: -1.00%

Function 062DD930 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea80f15165c988c82b1dbe7eb53027282629fd5f2fb3848c81cb38f423bd157
Instruction ID: b070a62a4d0d9c836188f7419e4f81d851101eaf95befda0d459af0000aca157
Opcode Fuzzy Hash: 3ea80f15165c988c82b1dbe7eb53027282629fd5f2fb3848c81cb38f423bd157
Instruction Fuzzy Hash: 5831C630E2061A8FCF11DF68D99069EB7B1FF85304F148929E805EB344DB71E946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 062D3AA1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed56a65ccf2f9d0d4023d5d42f815939ae3bfc3bc3762c8fb82626eda82d21d3
Instruction ID: d1a090a6eeb729e1ea690d1227076b064c967f2760d69f49f83df164d756fc89
Opcode Fuzzy Hash: ed56a65ccf2f9d0d4023d5d42f815939ae3bfc3bc3762c8fb82626eda82d21d3
Instruction Fuzzy Hash: 0921AE75F156069FDB40DF69D880AAEBBF5EB89710F148025E905EB380E730DC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 062D3AB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375f005cd7c0644a0b86fd86103439da9ad12a0bba8bfae35a7972e285ab785e
Instruction ID: c597567f35c5bea95f86e77a07e04479129e67041f49323292c75b9d4c084754
Opcode Fuzzy Hash: 375f005cd7c0644a0b86fd86103439da9ad12a0bba8bfae35a7972e285ab785e
Instruction Fuzzy Hash: AD21AC75F116069FDB40EFA9D880AAEBBF5EB49750F108029E905EB380E730DC41CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4052915683.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d3d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88570358ccab9ebca4700b70dc7040f230a43dc678f9e45172331dbc1d3a8ac
Instruction ID: 2c3c8350d41464169137af3b2226c13ed9e0b52e6d6858a9f74f7c85f215a084
Opcode Fuzzy Hash: c88570358ccab9ebca4700b70dc7040f230a43dc678f9e45172331dbc1d3a8ac
Instruction Fuzzy Hash: 8121F271504204DFCB18DF14E980B26BBA6FB84714F24C569E8494B296C37AD846CE72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D1F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4052915683.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d3d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e278b71dfecb824a80edb58a4de9f5606494f509e6236ad309054a4d8f7ea2
Instruction ID: 66bdfb0c108871370a5dc78e224b3532a49c565cdd6e8ee907eaa8acafffbd54
Opcode Fuzzy Hash: c3e278b71dfecb824a80edb58a4de9f5606494f509e6236ad309054a4d8f7ea2
Instruction Fuzzy Hash: 1B2135B9504200DFDB14DF14E9C4B2BBBA6FB84324F24C569E8494B246C37AD846CEB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D3A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4052915683.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d3d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fafaee40311f7eb415ef7596b1e01c42b3b8967ad8fba0178c38efc9bfa68e41
Instruction ID: 3d1cabbc5158101a77119d1df46f5bdf76edbae303bdd9979a681a271a33b7df
Opcode Fuzzy Hash: fafaee40311f7eb415ef7596b1e01c42b3b8967ad8fba0178c38efc9bfa68e41
Instruction Fuzzy Hash: E52126B1604204DFCB05DF14E9C4B26BBA6FB84314F24C56DD9494B256C376E846CF72

Uniqueness

Uniqueness Score: -1.00%

Function 062DF918 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee09a3c3ccaeb7a2da3bde8209c0cba1e8f70d75d998214b3d46a1a2cc6a07c
Instruction ID: 507dc6632d17eee45176d02609f77aa1d991ee1c2d9dd1aaa66db22f1a904963
Opcode Fuzzy Hash: dee09a3c3ccaeb7a2da3bde8209c0cba1e8f70d75d998214b3d46a1a2cc6a07c
Instruction Fuzzy Hash: 2211A521F242156BEF65296D9D507AB158EC785750F208826F80FD7394D959CC4603F6

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D005 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4052915683.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d3d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d637a85b2e5fa7aec01719676b0b0943bf5d5bcfc7745788580fb0f8e4d261
Instruction ID: 3ba06e2da0f77e867edfea6184cb6fe15a2fb31cf0891b6bbac025a0fcb6ae32
Opcode Fuzzy Hash: a2d637a85b2e5fa7aec01719676b0b0943bf5d5bcfc7745788580fb0f8e4d261
Instruction Fuzzy Hash: EA213D7550E3C08FD717CB24D990715BF71AB46214F29C5DBD8898F2A7C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 062DF928 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c71bb4de61fda10d7fcee647093aa512dabe39d0c3a074c1f1ccc15aa8b3958
Instruction ID: 20fb1bef746011f6184e3b085e430a0dae259863d76d5aedeba2b0101cb0da76
Opcode Fuzzy Hash: 0c71bb4de61fda10d7fcee647093aa512dabe39d0c3a074c1f1ccc15aa8b3958
Instruction Fuzzy Hash: 65018431F3021667EF64297D9E5576F108EC7C5760F20882AE90FE7398D959CC8603EA

Uniqueness

Uniqueness Score: -1.00%

Function 062D3BC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382ff934dc39b2a855d6dd61f8edff7a48d05d9c90df560daab0ae26ec900dbf
Instruction ID: 57e17b29bf5bca58055685ee166f2d2dba0d40761e4ca441e59af8b1d53d43fc
Opcode Fuzzy Hash: 382ff934dc39b2a855d6dd61f8edff7a48d05d9c90df560daab0ae26ec900dbf
Instruction Fuzzy Hash: A911A135B241295FDF54E668D8146AF73EAEBC9350F00853AD90AE7380EE64DC028BD2

Uniqueness

Uniqueness Score: -1.00%

Function 062DED59 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ca6f3ba91e805eeafb39f7b584503a846e7bcdb78d4de0846182d4fc21aaa9
Instruction ID: 042c16a4656eb70b097481ce8817eb93509f910841ed93197cb9797f87426721
Opcode Fuzzy Hash: 93ca6f3ba91e805eeafb39f7b584503a846e7bcdb78d4de0846182d4fc21aaa9
Instruction Fuzzy Hash: DB019634B101111FDB61967DA814A2F77EADBCA610F11842AF94ACB341DE25DC0247A5

Uniqueness

Uniqueness Score: -1.00%

Function 062D4202 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486d2b6b00373f46e6be01b4053c601c58599deec3f7c697b1f888da6397a064
Instruction ID: dff9b8c340a2d13cd337b779bf68bd5bd4ea6206ad60551ed47c69f4ba7493e1
Opcode Fuzzy Hash: 486d2b6b00373f46e6be01b4053c601c58599deec3f7c697b1f888da6397a064
Instruction Fuzzy Hash: 6E01D431B141111BDBA4A6ADA81871FB7DBDBC9718F148439E90EC7780D965DC4243A6

Uniqueness

Uniqueness Score: -1.00%

Function 062D3878 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fce8246940e28ca950165519fc10fb853507ad4c3899c316166b368d8772b8e
Instruction ID: d93fa5f9dd4571e684bbf2c74572330f081add048d4d9c64a2844ccddfe34f13
Opcode Fuzzy Hash: 5fce8246940e28ca950165519fc10fb853507ad4c3899c316166b368d8772b8e
Instruction Fuzzy Hash: 5E21C2B5D01259EFCB10DF9AD885ADEFFB4FB49310F10812AE918A7240C774A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D1F3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4052915683.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d3d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: cda352a894a08e123460769564a2e2750cbce9f26ca9f75c9b6fb5682d2b3172
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: 81119079504280DFDB12CF14E5C4B16BB62FB94324F28C6AAD8494B656C33AD81ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D3A3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4052915683.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d3d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: b7ac9adb6ccf1597023e9f328aa8b8a85f07faacc4b34136f3fb1afb2c17baa9
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 41118BB5504280DFDB05CF14E5C4B15BBA2FB94314F28C6AAD9494B666C33AE84ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 062D3BAF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52784f629d14b9a31f0ae82ffc4386c55f96245698902e5bf05792630243c377
Instruction ID: a9efa6dfed8f4904d7ab120b5c4c24e9c5767a64cb5a6851faa79af87c923e08
Opcode Fuzzy Hash: 52784f629d14b9a31f0ae82ffc4386c55f96245698902e5bf05792630243c377
Instruction Fuzzy Hash: 8501D832F241195BDB54A669DC116AF77EADBC9250F04403AD90BE7280EE209C0247D6

Uniqueness

Uniqueness Score: -1.00%

Function 062D3880 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d8c059d7c5cd91743fae6283359979c812366b77973a112a5dc375c4705401
Instruction ID: 85f23c0f073b87627f159adae8cbf294d6428f256dccaa316a3685abb2429f1d
Opcode Fuzzy Hash: 58d8c059d7c5cd91743fae6283359979c812366b77973a112a5dc375c4705401
Instruction Fuzzy Hash: 8911AFB5D01259AFCB00DF9AD884ADEFFB4FB49320F10812AE918A7240C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 062D4210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8197fd8616d69006e4c0b7ce9799550d947c4b3d7a6c032de81de1d2f1fa7028
Instruction ID: 5dd64d76ac975f3218eb9c931cca87bcbd4d60eb38fd8369e335f7cc94f7cead
Opcode Fuzzy Hash: 8197fd8616d69006e4c0b7ce9799550d947c4b3d7a6c032de81de1d2f1fa7028
Instruction Fuzzy Hash: 0001F431B101110BDBA4A6ADA418B2FB3DBDBC9728F108839E90EC7780DD31DC4243A9

Uniqueness

Uniqueness Score: -1.00%

Function 062DA2D8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55d65872f21199aca3e734aa7b163750c1e8f8ea99d3b546d2c8166dd9d28fc
Instruction ID: 66df56de0db4be95f7997bdf2077b904498ed12b807f2527174efb40e4e9a012
Opcode Fuzzy Hash: c55d65872f21199aca3e734aa7b163750c1e8f8ea99d3b546d2c8166dd9d28fc
Instruction Fuzzy Hash: 5401F730B142110FC7E1EA7DE815B5E73D6DB89714F108429E50ECB385EA15DC828B95

Uniqueness

Uniqueness Score: -1.00%

Function 062DED68 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ed3660b91794437ad5dfdf2e2806a3fb27de7815eadb49a7d481a5e173bb58
Instruction ID: 384c2da03cb72732dd6ba2121fa09587c3aebba4de980a567e388a209798569b
Opcode Fuzzy Hash: 22ed3660b91794437ad5dfdf2e2806a3fb27de7815eadb49a7d481a5e173bb58
Instruction Fuzzy Hash: B901A435B101111FDB65966DA85472F63DADBCA714F118839E54ECB340DE25DC0247A5

Uniqueness

Uniqueness Score: -1.00%

Function 062DA2E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17341bad7464552e392701c34667bbd5752356d49bae43117eee76af791ba860
Instruction ID: 500fa96e3f42457270910457bd158ea1b653427f5ed92fef2ca2f4b25e97224f
Opcode Fuzzy Hash: 17341bad7464552e392701c34667bbd5752356d49bae43117eee76af791ba860
Instruction Fuzzy Hash: 9901A430B141110FDBE0EA6DE454B6E73D7EB89714F108838E90ECB384EA26EC424B95

Uniqueness

Uniqueness Score: -1.00%

Function 062DFEB1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9906906235680c42ec5d6e1e6a44b8f2e42fe9e068da65d810edb1667315cc
Instruction ID: 110f6a7191666ca42372f68b3d4a2a0915e71249fc4fbf183b3818df0df0a62d
Opcode Fuzzy Hash: ce9906906235680c42ec5d6e1e6a44b8f2e42fe9e068da65d810edb1667315cc
Instruction Fuzzy Hash: 18F03070A052059FD794FF78D51025E7BF6EB85204F5041B9980AD7299EB309942CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 062DFEB8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f40585d2e80c759fc3b16696dd0b7c3b930d40e5e39ec60fe2b2e9d7d62061
Instruction ID: 3115cbf5dd52c3039009ed5792e49cd185967aa617a6bcfefaac64d34cdcbec8
Opcode Fuzzy Hash: 87f40585d2e80c759fc3b16696dd0b7c3b930d40e5e39ec60fe2b2e9d7d62061
Instruction Fuzzy Hash: 12F05E70A052098FD380FFB8D51025E77F2EB85200F504179880AD7398FB309942CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 062D6438 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe55d8764e97bb0d49a913ac7b06a6d5861ebbc2778e3274bd8e568d8c708acf
Instruction ID: 82cf775e5ba16eeadeca14c131120c7f81955410b68434ca4ce49f2853523795
Opcode Fuzzy Hash: fe55d8764e97bb0d49a913ac7b06a6d5861ebbc2778e3274bd8e568d8c708acf
Instruction Fuzzy Hash: A5E048B2D341495BEFA0DAB0D95579AB76DD705204F1188A5DC05D7181E176CD055341

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 062D7668 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 062D7C0E
$^q, xrefs: 062D7B59
$^q, xrefs: 062D77CD
$^q, xrefs: 062D77A8
$^q, xrefs: 062D7C04
$^q, xrefs: 062D779C
$^q, xrefs: 062D77D9
$^q, xrefs: 062D7BF8
$^q, xrefs: 062D7C1A
$^q, xrefs: 062D7B65

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 00d877aa05ce10e42e63394806352a85d946677ebe10150e6293c9adacce4187
Instruction ID: 53276d607cc1419d04ecc9233fcd509804cd18f00d4612e1af2594dc1a8bf6af
Opcode Fuzzy Hash: 00d877aa05ce10e42e63394806352a85d946677ebe10150e6293c9adacce4187
Instruction Fuzzy Hash: A8123C30E1021A8FDB64DF65D954A9EB7F2FF88304F2089A9D40AAB354DB349D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 062DA908 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 062DAA90
$^q, xrefs: 062DAAC6
$^q, xrefs: 062DAA84
$^q, xrefs: 062DA9FE
$^q, xrefs: 062DAA65
$^q, xrefs: 062DAABA
$^q, xrefs: 062DAA0A
$^q, xrefs: 062DAA59

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 6ce6a9e2a0d7d763943bcc7094725a24ab79b86e89fea989b5a3354af13fa64b
Instruction ID: 2193241fc5084edfcfb4a1ab8f6e63e0b4428aee899178603275d7e31990ddda
Opcode Fuzzy Hash: 6ce6a9e2a0d7d763943bcc7094725a24ab79b86e89fea989b5a3354af13fa64b
Instruction Fuzzy Hash: 5A916030E2020ADFDB64EF68D585B6EBBB2FF44300F108529E8029B394DB759D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062D7068 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 062D73A4
$^q, xrefs: 062D7504
$^q, xrefs: 062D757C
$^q, xrefs: 062D7570
.5vq, xrefs: 062D70C3
$^q, xrefs: 062D734A
$^q, xrefs: 062D73B0

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: a89536ad9a87724abcb7d1548c5c93370ab8668546a8dd32dd1a1681adbe14b8
Instruction ID: 16e15d2807b1765d4d15406225384b397f02b8128a81ecd506f9973d4a29c5bb
Opcode Fuzzy Hash: a89536ad9a87724abcb7d1548c5c93370ab8668546a8dd32dd1a1681adbe14b8
Instruction Fuzzy Hash: A7F16130B11209CFDB54EF68D554A6EBBB2FF84304F208528D805AB399DB35DC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062D83A0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 062D8606
$^q, xrefs: 062D85FA
$^q, xrefs: 062D866B
$^q, xrefs: 062D865F

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 5a0406637142b25bbb41994fc226457adad057726177d1cf1e74088a30baf4a9
Instruction ID: d140c45bdfa37bc4e28c784d7b2b4a65bff0ea646a907702c6fcb35a043c2a2a
Opcode Fuzzy Hash: 5a0406637142b25bbb41994fc226457adad057726177d1cf1e74088a30baf4a9
Instruction Fuzzy Hash: 55B15D34B10209DFDB54EF68D58466EB7B2FF84314F248929D8069B359DB79DC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 062DAC90 Relevance: 5.2, Strings: 4, Instructions: 169COMMON

Download Yara Rule

Strings

$^q, xrefs: 062DAE6C
$^q, xrefs: 062DAE43
$^q, xrefs: 062DAE14
$^q, xrefs: 062DADC1

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 5145499a152d5db9e8891683d831a3a94cf601370d8e55e42dd6f4330a001ecb
Instruction ID: 66b91c32ca9b15dedf45eec94975dfe4890bc235b2f4c9e1536746cfbca6023c
Opcode Fuzzy Hash: 5145499a152d5db9e8891683d831a3a94cf601370d8e55e42dd6f4330a001ecb
Instruction Fuzzy Hash: DD518030E212059FDF65DB68E984AAEB7B2EB85310F148939DC16DB395DB30DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 062D87B8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 062D88AB
$^q, xrefs: 062D8843
LR^q, xrefs: 062D88FA
$^q, xrefs: 062D8837

Memory Dump Source

Source File: 00000003.00000002.4059911588.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_62d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: b740de4fefd35fe9b6f99fe0c08b1a1085a76d4029feeb4e5422df556c51fb6c
Instruction ID: cf07145427410a158ddc17b180910b2a1c649686be04d75f590bc7df1628e310
Opcode Fuzzy Hash: b740de4fefd35fe9b6f99fe0c08b1a1085a76d4029feeb4e5422df556c51fb6c
Instruction Fuzzy Hash: D551A331B202059FDB54EF28D941A6A77E2FF84704F108968E806DF399DB75EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bhevLCQYD6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bhevLCQYD6.exe_8827a0dbb697e60d3eedbe15e2e4538eca41c0_4be6e095_ef33ba46-e919-4d22-a920-a353ca617ed5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3BE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA594.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5D4.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
bhevLCQYD6.exe

Function 00007FFD9B8B7C40 Relevance: 3.2, Strings: 2, Instructions: 738
COMMON

Function 00007FFD9B8DE870 Relevance: 2.2, Strings: 1, Instructions: 966
COMMON

Function 00007FFD9B9E0C7B Relevance: 2.3, Strings: 1, Instructions: 1045
COMMON

Function 00007FFD9B8B3F39 Relevance: 1.6, APIs: 1, Instructions: 133
memoryCOMMON

Function 062D3060 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Function 062D7D48 Relevance: 3.0, Strings: 2, Instructions: 486
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre