Edit tour

Windows Analysis Report
test.exe

Overview

General Information

Sample name:	test.exe
Analysis ID:	1598636
MD5:	f0e89fbf1f83162025b9e5435024f269
SHA1:	340f8feeadaca0dee62d79374b4c07d3aaf575b3
SHA256:	32b36c15de8faf7ad71ae1dc4c568e6fc2fd23628dc1f4462dfed5ca6a08487b
Tags:	exepurepure-stealerstealeruser-lonenone1807
Infos:

Detection

Discord Token Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Discord Token Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

test.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\test.exe" MD5: F0E89FBF1F83162025B9E5435024F269)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.1344698185.0000000005550000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: test.exe PID: 6516	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: test.exe PID: 6516	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: test.exe PID: 6516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.test.exe.5550000.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: test.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: test.exe	Virustotal: Detection: 51%			Perma Link
Source: test.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: test.exe

Joe Sandbox ML: detected

Source: test.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: test.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.7:49703 -> 167.88.173.11:7899

Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.173.11

Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp, test.exe, 00000005.00000002.1342317403.0000000003D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.com/
Source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: test.exe, 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/
Source: test.exe, 00000005.00000002.1340920053.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: test.exe, 00000005.00000002.1340920053.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: test.exe, 00000005.00000002.1340920053.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/

Source: C:\Users\user\Desktop\test.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

.NET source code contains very large array initializations

Source: test.exe, UhfUKTOnrsPBRyAQcu.cs

Large array initialization: yeR1KXmqZ: array initializer size 360128

Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_010C1018	5_2_010C1018
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_010C1028	5_2_010C1028
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_051B2B68	5_2_051B2B68
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055194C8	5_2_055194C8
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05514990	5_2_05514990
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05518D40	5_2_05518D40
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05518D31	5_2_05518D31
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055195E2	5_2_055195E2
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055194B8	5_2_055194B8
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055197B7	5_2_055197B7
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05514951	5_2_05514951
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05514980	5_2_05514980
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E2530	5_2_055E2530
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E2D87	5_2_055E2D87
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E5E20	5_2_055E5E20
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E51C8	5_2_055E51C8
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E0B38	5_2_055E0B38
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E6320	5_2_055E6320
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E2D5A	5_2_055E2D5A
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E2521	5_2_055E2521
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E25F5	5_2_055E25F5
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E2590	5_2_055E2590
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E25B7	5_2_055E25B7
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E5E20	5_2_055E5E20
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E2661	5_2_055E2661
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E5E0F	5_2_055E5E0F
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E2963	5_2_055E2963
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E2987	5_2_055E2987
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E51B8	5_2_055E51B8
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E28E9	5_2_055E28E9
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E8310	5_2_055E8310
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E6310	5_2_055E6310
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055E82E7	5_2_055E82E7
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05614518	5_2_05614518
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_056138C0	5_2_056138C0
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_0561AA68	5_2_0561AA68
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_0561450A	5_2_0561450A
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_0561AA82	5_2_0561AA82
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05620040	5_2_05620040
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_056210D8	5_2_056210D8
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05620367	5_2_05620367
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D43F8	5_2_058D43F8
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D0FF0	5_2_058D0FF0
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D37E0	5_2_058D37E0
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D5061	5_2_058D5061
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D7208	5_2_058D7208
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D7B18	5_2_058D7B18
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D0308	5_2_058D0308
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D02F8	5_2_058D02F8
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058DACA7	5_2_058DACA7
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058DACB8	5_2_058DACB8
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D0FE0	5_2_058D0FE0
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D71F8	5_2_058D71F8
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D5061	5_2_058D5061
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D10A7	5_2_058D10A7
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D10F0	5_2_058D10F0
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D123B	5_2_058D123B
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D7B08	5_2_058D7B08
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D3B28	5_2_058D3B28
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058D7A92	5_2_058D7A92
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05E91368	5_2_05E91368
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05E91363	5_2_05E91363
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D326A0	5_2_06D326A0
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D3AF30	5_2_06D3AF30
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D3CBC0	5_2_06D3CBC0
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D37950	5_2_06D37950
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D37170	5_2_06D37170
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D3AEF9	5_2_06D3AEF9
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D3CE25	5_2_06D3CE25
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D30F98	5_2_06D30F98
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D30F88	5_2_06D30F88
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D3BD80	5_2_06D3BD80
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D3BD80	5_2_06D3BD80
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D3BD70	5_2_06D3BD70
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D37209	5_2_06D37209
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D3CBC0	5_2_06D3CBC0
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D3CBB0	5_2_06D3CBB0
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D39843	5_2_06D39843
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D379EC	5_2_06D379EC
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D37941	5_2_06D37941
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_06D37160	5_2_06D37160

Source: test.exe, 00000005.00000002.1339845873.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs test.exe
Source: test.exe, 00000005.00000002.1345826760.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll" vs test.exe
Source: test.exe, 00000005.00000002.1343359790.00000000052D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGpnufqyvgce.dll" vs test.exe
Source: test.exe, 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs test.exe
Source: test.exe, 00000005.00000002.1342317403.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll" vs test.exe
Source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs test.exe
Source: test.exe, 00000005.00000002.1342317403.0000000003D96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs test.exe
Source: test.exe	Binary or memory string: OriginalFilenameTlhspyzkj.exe" vs test.exe

Source: test.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: test.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: test.exe, UhfUKTOnrsPBRyAQcu.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.test.exe.3c95570.0.raw.unpack, J07khr5n0mn5HjyvLOS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.test.exe.3c95570.0.raw.unpack, J07khr5n0mn5HjyvLOS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.test.exe.3c95570.0.raw.unpack, J07khr5n0mn5HjyvLOS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.test.exe.3c95570.0.raw.unpack, J07khr5n0mn5HjyvLOS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.test.exe.52d0000.1.raw.unpack, SNH91osNv4nL7tEGbuA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.test.exe.52d0000.1.raw.unpack, SNH91osNv4nL7tEGbuA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.test.exe.52d0000.1.raw.unpack, SNH91osNv4nL7tEGbuA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.test.exe.52d0000.1.raw.unpack, a00NGNqSBq3CJSfxly8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.test.exe.52d0000.1.raw.unpack, a00NGNqSBq3CJSfxly8.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\test.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\test.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\test.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\test.exe	Mutant created: \Sessions\1\BaseNamedObjects\ffd287e204de5c09

Source: test.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: test.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\test.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\test.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\test.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\test.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: test.exe, 00000005.00000002.1340920053.0000000003170000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000003150000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: test.exe	Virustotal: Detection: 51%
Source: test.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\test.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\test.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: test.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: test.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 5.2.test.exe.3c95570.0.raw.unpack, J07khr5n0mn5HjyvLOS.cs	.Net Code: Type.GetTypeFromHandle(KpmPL6oxOnBKmMBbV6O.ADrOoLkqvk(16777297)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KpmPL6oxOnBKmMBbV6O.ADrOoLkqvk(16777248)),Type.GetTypeFromHandle(KpmPL6oxOnBKmMBbV6O.ADrOoLkqvk(16777364))})
Source: 5.2.test.exe.52d0000.1.raw.unpack, SNH91osNv4nL7tEGbuA.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 5.2.test.exe.52d0000.1.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 5.2.test.exe.52d0000.1.raw.unpack, t4J4DWwFDVeTubp3uH.cs	.Net Code: rw7B7meBR System.AppDomain.Load(byte[])
Source: 5.2.test.exe.52d0000.1.raw.unpack, moOTcCyRckGDPxYCkKb.cs	.Net Code: JQp0u2rtv8
Source: 5.2.test.exe.52d0000.1.raw.unpack, moOTcCyRckGDPxYCkKb.cs	.Net Code: caNGG8sSqL

Yara detected Costura Assembly Loader

Source: Yara match	File source: 5.2.test.exe.5550000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1344698185.0000000005550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: test.exe PID: 6516, type: MEMORYSTR

Source: test.exe

Static PE information: 0x8809EC1A [Tue Apr 29 02:34:02 2042 UTC]

Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_051B2F18 push 8C00FAE8h; ret	5_2_051B2F2D
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055EC45F pushad ; ret	5_2_055EC465
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_055EC423 pushfd ; ret	5_2_055EC429
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05616534 push ds; iretd	5_2_0561653F
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05618500 push 8B03DA4Dh; iretd	5_2_05618505
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05610F47 push 8B000001h; iretd	5_2_05610F4C
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_0562C870 push eax; retf	5_2_0562CA51
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_058F3551 push ss; retf	5_2_058F3557
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05E86944 push cs; retf	5_2_05E8694F
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05E83505 pushad ; retf	5_2_05E83508
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05E976CB push eax; iretd	5_2_05E976D1
Source: C:\Users\user\Desktop\test.exe	Code function: 5_2_05E9ACC8 pushfd ; ret	5_2_05E9ACCF

Source: test.exe

Static PE information: section name: .text entropy: 7.996731416339195

Source: 5.2.test.exe.3c95570.0.raw.unpack, J07khr5n0mn5HjyvLOS.cs	High entropy of concatenated method names: 'qgn2FShpjikQGaXDJ5Y', 'Ao833ihZulZ1C5Pqbll', 'Pyto72mVkG', 'vh0ry9Sq2v', 'b5BoREwS7g', 'hJooeemy7m', 'MTioXJlEsT', 'lqJofqjUh1', 'w5HO5Ty9nQ', 'Qth5gnHTAq'
Source: 5.2.test.exe.3c95570.0.raw.unpack, zR8w8MrNr1JpsDVLSu.cs	High entropy of concatenated method names: 'Cd4QK4YMC', 'BZUxJJtdJ', 'SmDKFpfro', 'uvZNZQCZU', 'nW3ilvdZ7', 'FLkn1A3Dv', 'gZDmtH0xs', 'zBTC3EHJTV', 'II6gvVkwO', 'usOs3A9l1'
Source: 5.2.test.exe.3c95570.0.raw.unpack, AuZd0ZCAjjHCmOtYCOb.cs	High entropy of concatenated method names: 'r4rCEs8gO4', 'DkXClPywOD', 'J3jCbUwvBk', 'RD6CpClS61', 'gwhCZZcyVr', 'GrkCBl0qfY', 'vJwC53Q68G', 'F9JCWRFUj0', 'FWKCox1ikG', 'h6GY6YNcoo0tEfeHjaO'
Source: 5.2.test.exe.3c95570.0.raw.unpack, lV2C2d769cIQ4cVgWWi.cs	High entropy of concatenated method names: 'otSRLyjU5l', 's2lRJlasCM', 'y0JRwh8kE6', 'Mo7RP20Em9', 'nu7R6V8fWi', 't1qRkPoFa1', 'TVYRAWMMDf', 'hyi71PDEam', 'S3LRtcQdMv', 'Ul8REfj02C'
Source: 5.2.test.exe.3c95570.0.raw.unpack, j08kG2LyW4Xy9dBSmpB.cs	High entropy of concatenated method names: 'cBGLL67tuj', 'f6sLJJsgEF', 'SEELwNJcgY', 'voKLPL2k5T', 'PMlL6GhdOu', 'ygbLkCJ44B', 'npYLA9xQ9n', 'sOuLtLHmox', 'hT3LE5H1Zn', 'AydLljYOx1'
Source: 5.2.test.exe.3c95570.0.raw.unpack, zgfTUiwFk9ZOCtPF9xR.cs	High entropy of concatenated method names: 'GRcw1i4xbl', 'YumwcqyDvp', 'KkKwqQN3xf', 'Rr1wMuwyrm', 'RDSwYOKKBr', 'tXmwTwnXXD', 'VOkwrcnO1E', 'gVHwdciooA', 'X6SwQYwyga', 'O19wxe74gD'
Source: 5.2.test.exe.3c95570.0.raw.unpack, S6U5JlCfnaXuYVEIWCm.cs	High entropy of concatenated method names: 'dQowX6gS99PvyqXU23p', 'xBhFuwgRdlB1uw2l7C8', 'Dispose', 'ToString', 'e4caPRgXYot7jhcwtNX', 'QsufVpgfahBoobMpFD5', 'cGfdSc4yLXL4dHHh6uA', 'bC8OY149kZ4eZ1nlGXS', 'QGaRDmFttV', 'FvIRCdA1Ug'
Source: 5.2.test.exe.3c95570.0.raw.unpack, ESslEYCOJD1bdRaZU4f.cs	High entropy of concatenated method names: 'AAKq7E4ntniX7t5LT8x', 'BeSGRZ4mVRX3OW9nWfj', 'CtRWMe4sjZGe7lq8jTm', 'Lb6dxm44HuI2qwNXaPr', 'a0KUD2FS3J', 'UeDUCfg5bt', 'iuPUUTRpQb', 'EQXU3gADbZ', 'l46Uyt3stV', 'j3gU9NeN1e'
Source: 5.2.test.exe.3c95570.0.raw.unpack, t9cbmiUO1Zd75EJg7Qc.cs	High entropy of concatenated method names: 'PVN3DhahTn', 'zDF3CvmLNM', 'FGb3UXElKA', 'b2033CYIu1', 'hRE3yrKFQw', 'hdH39hCrab', 'tnc3LuKp4A', 'T6N3wPdTyL', 'm2P36IVsIQ', 'eb93kQSxK2'
Source: 5.2.test.exe.3c95570.0.raw.unpack, onmoxJ34OgqS73tMcLS.cs	High entropy of concatenated method names: 'OE23uKK8yC', 'YWi38oepFN', 'lQy3h7Rcki', 'kpQ3HQRyL9', 'YvZ3GwOeVt', 'V2A3OjO4Ca', 'JWr3zgEpFj', 'y6EyDae8AM', 'q97yC0cxpP', 'gijyUVhv17'
Source: 5.2.test.exe.3c95570.0.raw.unpack, wXs4sckrMTPKSmUBMEt.cs	High entropy of concatenated method names: 'aBdkQueD86', 'Vvpkx0005E', 'FBRkK9WwjH', 'j4hkNtKTqY', 'QdWkiPp6gY', 'zVoknPZQES', 'FI2kmxOeGM', 'Q7skg2gdvc', 'cQ5ksGIJmV', 'gue5QluWlHkKDglLqSl'
Source: 5.2.test.exe.3c95570.0.raw.unpack, wnove3omPKQgSXVDEGH.cs	High entropy of concatenated method names: 'QQT7D41nCb', 'raq7CF5FOJ', 'Y3Q7UoboEB', 'C1S73jGUY1', 'CyB7yOyum9', 'iG079xSj52', 'hdo7Lx38fM', 'OAn7JBJRAJ', 'lGd7wl2sRH', 'g9A7P8b1H8'
Source: 5.2.test.exe.3c95570.0.raw.unpack, LkyDxa9u3AaWYLDK9rw.cs	High entropy of concatenated method names: 'dfh9hXua43', 'LfM9HwjTvM', 'l2u9G9bmJQ', 'Evp9ObeLMv', 'rsy9zj7Txy', 'tKGLDDlxbj', 'opmLCKhiNH', 'qXdLUfKLMR', 'r6dJ2on1sFRHga8a7TS', 'BULXEoncPnMNNLVYbxZ'
Source: 5.2.test.exe.3c95570.0.raw.unpack, gWQkJg3dRTbNCmqsfVu.cs	High entropy of concatenated method names: 'Q6y3xqVUN6', 'GFe3K2UJpb', 'Dt03NE6aZ4', 'hfP3ij17jR', 'TJX3nFrL6b', 'nRP3mpPWKK', 'EWo3g6ZkYo', 'yK2nsei7LZLmxsXdHyk', 'iABONji0D9rgnQ1rStu'
Source: 5.2.test.exe.52d0000.1.raw.unpack, jgsf9W4Ds6OFpsKUOrk.cs	High entropy of concatenated method names: 'ygnsUtrArB', 'v5v7GNeDr8qIho3fjWX', 'lpYkeNeVHT8OJCsMwgW', 'ugU4NkwU0E', 'EVA4qgMl69', 'QSa4syNM3c', 'P8a43yaDxW', 'RHg4yeEq2T', 'Ks04Mshh0F', 'GUnrGgBCTKkhebCMLW8'
Source: 5.2.test.exe.52d0000.1.raw.unpack, SNH91osNv4nL7tEGbuA.cs	High entropy of concatenated method names: 'zarIDhe8X7ASr6Z2CSU', 'gNNnRJeICTATZ42256c', 'wgc36gYpaQ', 'vh0ry9Sq2v', 'hle3KiATWS', 'ex93lcwkGI', 'QP13SNhqWU', 'fGX3TsHj7O', 'YIIc8t1idQ', 'tsWssktEwm'
Source: 5.2.test.exe.52d0000.1.raw.unpack, t4J4DWwFDVeTubp3uH.cs	High entropy of concatenated method names: 'fwUhOfcxF', 'dvAcgmhNO', 'jcBA0ioph', 'ToInLk1C7', 'AKvEsSacf', 'PNdCETSFH', 'rw7B7meBR', 'YrgRiKmWC', 'q1vevskHf', 'Pe3ovLH9T'
Source: 5.2.test.exe.52d0000.1.raw.unpack, N2F6wcy5ReDkM6u3krH.cs	High entropy of concatenated method names: 'wx4yGNqN5g', 'RBNy8q6tVW', 'rn2yI3XjLF', 'eg6ymJowCB', 'JKfyYNNcdi', 'IN6ywON4Qw', 'MDwybbAPqj', 'tZgyE8mPgR', 'APMyCH2ZVJ', 'A1ayB537vQ'
Source: 5.2.test.exe.52d0000.1.raw.unpack, g6i2oKKDy6twrGIZq9.cs	High entropy of concatenated method names: 'T6lSsBIdq', 'N9STbYUEs', 'rLtjIRyKb', 'hFAkEWxDl', 'aGHrVniko', 'mq9PmAblb', 'UYFZqeaIS', 'HweJe0dVs', 'VKGdMo8sk', 'nL77ixBwJYB8IeAZrJ5'
Source: 5.2.test.exe.52d0000.1.raw.unpack, moOTcCyRckGDPxYCkKb.cs	High entropy of concatenated method names: 'A2xI8CTDgy', 'YbaIIkgFlO', 's7BImKPULA', 'wbVIYAYkst', 'YLJIw0S0BM', 'iAPIbvJvwB', 'lIdIEjvcIy', 'QHYyTbQKNE', 'rZdIC7U9TR', 'sbEIBbRBTF'

Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: test.exe, 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\test.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Memory allocated: 4C90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\test.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\test.exe	Window / User API: threadDelayed 3560			Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Window / User API: threadDelayed 4098			Jump to behavior

Source: C:\Users\user\Desktop\test.exe TID: 2516	Thread sleep time: -21213755684765971s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\test.exe TID: 6312	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\test.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\test.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\test.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\test.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\test.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\test.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\test.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: test.exe, 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen4win32_process.handle='{0}'
Source: test.exe, 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: test.exe, 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: test.exe, 00000005.00000002.1342317403.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GosE0b7EhUSvmciTa1T
Source: test.exe, 00000005.00000002.1340100804.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\test.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\test.exe	Queries volume information: C:\Users\user\Desktop\test.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\test.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: test.exe PID: 6516, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrumj
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q7C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q@C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb
Source: test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q9C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: test.exe, 00000005.00000002.1345826760.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\test.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\test.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: test.exe PID: 6516, type: MEMORYSTR

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: test.exe PID: 6516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	41 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	131 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	51 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	51 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Data from Local System	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	34 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
test.exe	51%	Virustotal		Browse
test.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.PureLogStealer
test.exe	100%	Avira	TR/Dropper.Gen
test.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/	test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	test.exe, 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp, test.exe, 00000005.00000002.1342317403.0000000003D96000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	test.exe, 00000005.00000002.1344781439.0000000005580000.00000004.08000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	test.exe, 00000005.00000002.1340920053.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefox	test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	false	high
https://icanhazip.com/	test.exe, 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discordapp.com/api/v9/users/	test.exe, 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
167.88.173.11	unknown	United States		46261	QUICKPACKETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1598636
Start date and time:	2025-01-24 15:43:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	test.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 423 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:44:03	API Interceptor	39x Sleep call for process: test.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
QUICKPACKETUS	http://demfre.com/lact/nhuo/onaoPJocCsxs7r0YZwFMZ/c3VzYW4ua2FsY3JvZnRAc3RhdGUubmUuZ292	Get hash	malicious	HTMLPhisher	Browse	173.46.80.217
	https://www.google.co.in/url?sa==0eb8hHdXwhGsXsLLHhCnRjmqTdx&rct=1YQtj8ixVwjwhrF7kmciV2a5Fp6oVtFln8NdgIVyEQUEKB07c4GHFuDA4L3UhOCr5x&sa=t&url=amp/demfre.com/lact/nhuo/S0onrZjkw2t0xR3k606fX/Y2hyaXN0YWwua2V5QG5scmIuZ292	Get hash	malicious	HTMLPhisher	Browse	173.46.80.217
	http://demfre.com/lact/nhuo/ILIYsds5NDR82cXqj2TUc/c3VzYW4ua2FsY3JvZnRAc3RhdGUubmUuZ292	Get hash	malicious	HTMLPhisher	Browse	173.46.80.217
	http://sahadayiz.com.tr/tec/les/K82cqkpomPEEC3lMMcYg4Gph6AcNsuj8uKaZh/anJvZmVAYmVsbHBvdHRlci5jb20uYXU=	Get hash	malicious	HTMLPhisher	Browse	173.46.80.217
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	104.166.84.42
	http://sahadayiz.com.tr/tec/les/K82cqkpomPEEC3lMMcYg4Gph6AcNsuj8uKaZh/john.walker@gmail.com	Get hash	malicious	HTMLPhisher	Browse	173.46.80.217
	https://www.google.co.in/url?sa==aDeebuRxEE4gApeYcGMsMJYICMs&rct=SY1P2rn6Z5c32FIG00ZqjEtoxMgAS7GZp3SyBXFxbtZZdSud5Thb5Zmhu7ip6WKSHC&sa=t&url=amp/demfre.com/lact/QPpRxgibJDhXKbYlQBt1o/c3VzYW4ua2FsY3JvZnRAc3RhdGUubmUuZ292	Get hash	malicious	HTMLPhisher	Browse	173.46.80.217
	https://github.com/Tarun999000/dfds/releases/download/fvxc/Order.receipt.845755-800.zip	Get hash	malicious	PureCrypter, AsyncRAT, Meduza Stealer	Browse	193.26.115.95
	armv7l.elf	Get hash	malicious	Mirai	Browse	172.82.184.196
	https://login.ecoleterradeasltd.xyz/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=638725581254870614.NzQzNDkzODMtOTc3Ni00MTk4LWEyOTgtNzcxOTE2NjUxYzRiMGVmZDU5N2MtN2U3NC00YjUwLTkxMzUtNTE5MGUwYzg1ZmQ2&ui_locales=en-US&mkt=en-US&client-request-id=36d4a1f6-7cba-45d1-a3ed-df92000d1eff&state=HfQ7BQGkYjqSuhdp0uw1pmK7OnWuMWuL6CrtRUQFTAqayUvi4HK2WHpRg3qXyBpviEzEkkPrHxRuxUPhbVJ6VT_z1Q4rknsdO1I1G8I0vvmCJKY1Jj17UvvXfl7rwwbByhZiSjZv4e0zjm8vBEwSjLmzdF29N_NteyY8M7drEpkBEAgCB0EoFXswqlG9707goDIQqjTpA0BHvdohyO5aj-tJFO1J-Wz2owkKr6bkCNZlxKE53oI2XKYpyD1GEC2x5jHgmT1f4Yrr9BPkhEeMCw&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0	Get hash	malicious	Unknown	Browse	173.46.80.217

Process:	C:\Users\user\Desktop\test.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1434
Entropy (8bit):	5.342612360333169
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhRAE4KzecKIE4oKNzKoZsXE4qdKqE4Kx1qE4TE4KmJE4j:MxHKlYHKh3oRAHKzectHo60H8HKx1qHd
MD5:	DED544725C0FC4A9C1A4064260007227
SHA1:	C196627F0D20E14F0240201AC995E9BEBC399C29
SHA-256:	82F1B25C0D0DC1B72BFE5E837B668E0087D7E469CCCF909924B72FEC5C1C8F10
SHA-512:	41A800B36C9017CB5B9D427C9AD317ACAC680FCE5FF85391497F6BE489782423B7E22A27CD7211C2E110B5465418747841A42A16C40D1A41A0CD27D192F2A7A5
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Managemen

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.990794224631719
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	test.exe
File size:	368'128 bytes
MD5:	f0e89fbf1f83162025b9e5435024f269
SHA1:	340f8feeadaca0dee62d79374b4c07d3aaf575b3
SHA256:	32b36c15de8faf7ad71ae1dc4c568e6fc2fd23628dc1f4462dfed5ca6a08487b
SHA512:	3690bf2a2c3198dae7028cd096de8cd21f949d801a27c36f354723934a03c12eea5c5fc7523cae745faf2b705ca4ff103af81181c6c370ff6a1fd41ca31f058a
SSDEEP:	6144:beWV10Q6rPjOrz9fiNHD5H0q12MrYh958UXWbMe6pTq+slpDFvHPSvkNZZmeAt52:l10QU7OrzZiDB0qIyCXWbMe6pTqpDD91
TLSH:	1074230A976EE343EF1B3F384CA1C7C67A10EA9A78A8C9C64DD7149E38533452FD5249
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45b2de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8809EC1A [Tue Apr 29 02:34:02 2042 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b290	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x568	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x592e4	0x59400	2b98915de0048a9b00327ccdcd8f6aa5	False	0.9953360250350141	data	7.996731416339195	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x568	0x600	aa5507614b882b8fdcf11d28549fdf37	False	0.4055989583333333	data	3.9594891136433494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	7fbbb5ef20990383cc3db7de35af0be9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5c0a0	0x2dc	data			0.4371584699453552
RT_MANIFEST	0x5c37c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2025 15:44:03.878403902 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:03.883272886 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:03.883356094 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:03.904743910 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:03.909631968 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:03.909692049 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:03.914663076 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820002079 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820259094 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820271969 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820362091 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:04.820408106 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820420027 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820445061 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:04.820453882 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820475101 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820497990 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820533037 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:04.820559978 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:04.820636034 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820650101 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.820694923 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:04.825232029 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.825252056 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:04.825330019 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.051099062 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.051131010 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.051145077 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.051182985 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.051265955 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.051294088 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.051316023 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.051362038 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.051378012 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.051426888 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.051470041 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.051511049 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.051969051 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.051985025 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.052000999 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.052045107 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.052371025 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.052422047 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.052438021 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.052474976 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.052501917 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.052503109 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.052520037 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.052562952 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.053097963 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.053126097 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.053141117 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.053180933 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.053215027 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.053231001 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.053256989 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.053925991 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.053970098 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.055999041 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.056014061 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.056029081 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.056061029 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.101897955 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.292155027 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292188883 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292205095 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292277098 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.292303085 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292320013 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292336941 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292351007 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.292388916 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.292397976 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292495966 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292511940 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292527914 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292543888 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292543888 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.292562962 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292571068 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.292634964 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.292656898 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292759895 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292776108 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292804003 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.292817116 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292834044 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292849064 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292862892 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.292864084 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.292939901 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.293042898 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293060064 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293076992 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293092966 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293092966 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.293108940 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293126106 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.293155909 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.293616056 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293631077 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293648005 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293675900 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.293714046 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293730021 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293745995 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293759108 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.293780088 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293782949 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.293822050 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293837070 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293850899 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.293864012 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.293900967 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.369563103 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.369581938 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.369673014 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.514599085 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514616013 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514628887 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514640093 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514652014 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514745951 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514756918 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514830112 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.514830112 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.514830112 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.514941931 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514956951 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514970064 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.514991999 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515034914 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515114069 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515198946 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515213013 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515223980 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515243053 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515275002 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515372038 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515384912 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515396118 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515431881 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515554905 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515567064 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515578985 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515588045 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515616894 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515651941 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515722990 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515736103 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515748024 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515758991 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515772104 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515774012 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515784025 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515796900 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.515798092 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515830040 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.515861988 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.516406059 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516417980 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516427994 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516438007 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516448975 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516460896 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516473055 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516479969 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.516513109 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.516551018 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516563892 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516602039 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.516720057 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516731977 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516741991 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516753912 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516765118 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.516777992 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.516814947 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.516814947 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.517534971 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517545938 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517555952 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517566919 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517579079 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517602921 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.517638922 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.517678022 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517689943 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517723083 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.517822981 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517832994 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517844915 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517855883 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517865896 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.517874002 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.517908096 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.517927885 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.518176079 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.581356049 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.752409935 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752430916 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752516031 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752520084 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.752563953 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752569914 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.752583027 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752599001 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752613068 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752624035 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.752660036 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.752734900 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752749920 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752764940 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752784967 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.752890110 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752902985 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752917051 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752928972 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752931118 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.752938032 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752944946 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752959013 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.752978086 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.753020048 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.753098965 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753114939 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753153086 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.753405094 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753420115 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753433943 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753447056 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753458977 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.753460884 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753473043 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753484011 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.753487110 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753500938 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753513098 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753523111 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.753545046 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.753571987 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753587008 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753599882 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.753612995 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.753638029 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.753895998 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754087925 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754103899 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754117966 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754126072 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.754143953 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754158020 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754159927 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.754173994 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754188061 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754194975 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.754203081 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754215956 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754223108 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.754231930 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754245996 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754255056 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.754261971 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754276037 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754288912 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.754297972 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754308939 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.754313946 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754328966 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754343987 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754357100 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.754357100 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754374027 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754384995 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.754389048 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.754426003 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755002975 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755028009 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755052090 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755156994 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755173922 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755188942 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755197048 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755203962 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755223989 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755229950 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755245924 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755259991 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755274057 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755274057 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755290031 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755302906 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755332947 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755332947 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755348921 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755363941 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755378008 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755393982 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755393982 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755410910 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755419970 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755425930 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755440950 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755448103 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755455971 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755470037 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.755470037 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.755511999 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756392002 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756432056 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756448984 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756467104 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756470919 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756484032 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756500959 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756501913 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756520033 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756537914 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756546021 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756561995 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756577969 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756587982 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756592989 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756608963 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756614923 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756625891 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756643057 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756648064 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756659985 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756678104 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756678104 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756695986 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756714106 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756730080 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756746054 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756751060 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756751060 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.756763935 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.756788969 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.757200956 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.757219076 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.757234097 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.757246971 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.757272005 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.757608891 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.969136953 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969153881 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969168901 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969185114 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969199896 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969245911 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.969252110 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969306946 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.969306946 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.969325066 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969340086 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969377041 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969381094 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.969413042 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969430923 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969484091 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.969583035 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969599009 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969625950 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.969667912 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969708920 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.969770908 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969785929 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969821930 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.969822884 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969840050 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.969894886 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.970031023 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970047951 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970063925 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970084906 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.970172882 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970189095 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970205069 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970213890 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.970242977 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.970300913 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970318079 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970334053 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970350027 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970355988 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.970395088 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.970519066 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970752954 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970768929 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970784903 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970798969 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.970824957 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.970915079 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970930099 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970944881 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.970968962 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.971020937 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971035957 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971050978 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971060038 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.971067905 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971084118 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971088886 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.971122026 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.971254110 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971270084 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971291065 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971311092 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.971740961 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971756935 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971771955 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971786022 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.971812010 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.971977949 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.971992970 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972008944 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972023010 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972028971 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.972040892 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972055912 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972070932 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.972073078 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972091913 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972098112 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.972127914 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.972249031 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972265005 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972280025 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972302914 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.972692966 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972697020 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972712040 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972735882 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.972770929 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.972824097 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972839117 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972846985 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972861052 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972884893 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.972907066 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.972974062 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.972992897 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973007917 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973022938 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973028898 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.973040104 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973057985 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.973309040 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973325014 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973349094 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.973634958 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973649979 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973664999 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973676920 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.973707914 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.973767042 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973782063 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973797083 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973819971 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.973927021 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973942995 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973957062 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973968983 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.973972082 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973988056 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.973997116 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.974004984 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974039078 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.974091053 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974107981 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974131107 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.974538088 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974577904 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.974704981 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974720955 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974737883 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974752903 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974769115 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.974771976 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974793911 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.974812984 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974828959 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974843979 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974853039 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.974859953 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974875927 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974884987 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.974915028 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.974958897 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974975109 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.974989891 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975023031 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.975514889 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975529909 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975545883 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975570917 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.975584984 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.975614071 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975630045 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975645065 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975658894 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975673914 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975677967 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.975706100 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.975747108 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975761890 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975776911 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975788116 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:05.975792885 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:05.975815058 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.023808956 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.058526039 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058547020 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058563948 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058578968 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058594942 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058603048 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.058613062 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058630943 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058649063 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058660984 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.058660984 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.058665037 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058681965 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058697939 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058708906 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.058716059 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.058732986 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.058768034 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.244270086 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.249361992 CET	7899	49703	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:06.249412060 CET	49703	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:06.995193958 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.000108957 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.000173092 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.021347046 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.021425962 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026129007 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026185036 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026238918 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026252985 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026283979 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026304007 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026320934 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026335001 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026356936 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026356936 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026371002 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026381969 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026405096 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026412010 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026428938 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026448011 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026536942 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026549101 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.026576042 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.026606083 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.030986071 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.031029940 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.031209946 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.031224966 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.031250000 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.031255007 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.031263113 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.031287909 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.031295061 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.031303883 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.031325102 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.031351089 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.073558092 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.073662043 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.121558905 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.121646881 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.169554949 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.169842005 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.217499971 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.217626095 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.265556097 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.265618086 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.317528009 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.317591906 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.365529060 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.365660906 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:07.415502071 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:07.591371059 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.026685953 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.114449024 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.114512920 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.119395971 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.518136978 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.518189907 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.518251896 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523494005 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523560047 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523588896 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523627043 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523643970 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523674011 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523674965 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523695946 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523704052 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523739100 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523746014 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523775101 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523789883 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523802996 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523823977 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523830891 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523844957 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523859024 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523886919 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523886919 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523896933 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523926020 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.523931026 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523981094 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.523999929 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524008989 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524028063 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524036884 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524058104 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524065018 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524091959 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524095058 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524105072 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524120092 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524143934 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524147987 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524168015 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524175882 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524193048 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524203062 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524221897 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524230003 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524254084 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524259090 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524283886 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524291039 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524297953 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524322033 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.524341106 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.524362087 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529165983 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529191017 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529222965 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529237986 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529237986 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529253960 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529288054 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529300928 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529331923 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529437065 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529449940 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529462099 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529474020 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529494047 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529510975 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529529095 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529534101 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529540062 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529577017 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529664040 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529676914 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529690027 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529704094 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529714108 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529742002 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529756069 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529758930 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529769897 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529799938 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529803038 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529814005 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529856920 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529866934 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529869080 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529902935 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529916048 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529938936 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529952049 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529967070 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529978037 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.529984951 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.529997110 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.530006886 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.530019999 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.530026913 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:08.530131102 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.530147076 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534137964 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534151077 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534229040 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534240961 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534255028 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534265995 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534426928 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534439087 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534451962 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534456968 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534558058 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534573078 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534584999 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534596920 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534626961 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534638882 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534701109 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534713984 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534730911 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534826994 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534874916 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534914970 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534961939 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.534989119 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.535020113 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.535089016 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.535116911 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.535142899 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.535187960 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:08.535217047 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:09.167406082 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:09.172226906 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:09.172291994 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:09.177078962 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:09.807620049 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:09.851954937 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:10.041562080 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:10.050127029 CET	49704	7899	192.168.2.7	167.88.173.11
Jan 24, 2025 15:44:10.056916952 CET	7899	49704	167.88.173.11	192.168.2.7
Jan 24, 2025 15:44:10.056962013 CET	49704	7899	192.168.2.7	167.88.173.11

Target ID:	5
Start time:	09:44:02
Start date:	24/01/2025
Path:	C:\Users\user\Desktop\test.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\test.exe"
Imagebase:	0x930000
File size:	368'128 bytes
MD5 hash:	F0E89FBF1F83162025B9E5435024F269
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.1344698185.0000000005550000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.1340920053.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1340920053.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1340920053.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\test.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
test.exe