Windows
Analysis Report
Quotation.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Quotation.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 5607E8B6D0197E51EC19233E72BC2036)
- Quotation.exe (PID: 1212 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 5607E8B6D0197E51EC19233E72BC2036)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
System Summary |
---|
Source: | Author: frack113: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-31T10:45:20.670689+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49973 | 142.250.185.238 | 443 | TCP |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_004066F7 | |
Source: | Code function: | 0_2_004065AD |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | DNS query: |
Source: | Suricata IDS: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | Windows user hook set: |
Source: | Window created: |
System Summary |
---|
Source: | Static PE information: |
Source: | Code function: | 0_2_004036DA |
Source: | Code function: | 0_2_70022351 | |
Source: | Code function: | 5_2_000DE289 | |
Source: | Code function: | 5_2_000DA500 | |
Source: | Code function: | 5_2_000DA960 | |
Source: | Code function: | 5_2_000D4A98 | |
Source: | Code function: | 5_2_000DDCA8 | |
Source: | Code function: | 5_2_000D3E80 | |
Source: | Code function: | 5_2_000D41C8 | |
Source: | Code function: | 5_2_392B3108 | |
Source: | Code function: | 5_2_392BC220 | |
Source: | Code function: | 5_2_392B7E20 | |
Source: | Code function: | 5_2_392B5648 | |
Source: | Code function: | 5_2_392BB2BA | |
Source: | Code function: | 5_2_392B6698 | |
Source: | Code function: | 5_2_392B5D83 | |
Source: | Code function: | 5_2_392BE440 | |
Source: | Code function: | 5_2_392B0040 | |
Source: | Code function: | 5_2_392B2338 | |
Source: | Code function: | 5_2_392B7740 | |
Source: | Code function: | 5_2_3979894C | |
Source: | Code function: | 5_2_39791988 | |
Source: | Code function: | 5_2_39791982 | |
Source: | Code function: | 5_2_398F4B48 | |
Source: | Code function: | 5_2_398F0448 | |
Source: | Code function: | 5_2_000DB3B4 | |
Source: | Code function: | 5_2_392B0012 |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004036DA |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | WMI Queries: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | File written: |
Source: | Key opened: |
Source: | Static file information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: | 0_2_70022351 |
Source: | Code function: | 5_2_000D0C52 | |
Source: | Code function: | 5_2_000D0C7A | |
Source: | Code function: | 5_2_397976E9 |
Source: | File created: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | API/Special instruction interceptor: |
Source: | RDTSC instruction interceptor: |
Source: | Memory allocated: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Dropped PE file which has not been started: |
Source: | Evaded block: | graph_0-3127 |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | WMI Queries: |
Source: | Code function: | 0_2_004066F7 | |
Source: | Code function: | 0_2_004065AD |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-3016 |
Source: | Code function: | 0_2_0040154A |
Source: | Code function: | 0_2_70022351 |
Source: | Process token adjusted: |
Source: | Memory allocated: |
Source: | Process created: |
Source: | Queries volume information: |
Source: | Code function: | 0_2_004036DA |
Source: | Key value queried: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | Key opened: |
Source: | File opened: |
Source: | Key opened: |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Obfuscated Files or Information | 11 Input Capture | 225 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Process Injection | 1 DLL Side-Loading | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 311 Security Software Discovery | Distributed Component Object Model | 11 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 141 Virtualization/Sandbox Evasion | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 42% | ReversingLabs | Win32.Trojan.Guloader | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 142.250.185.238 | true | false | unknown | |
drive.usercontent.google.com | 172.217.16.129 | true | false | unknown | |
api.ipify.org | 172.67.74.152 | true | false | unknown | |
showpiece.trillennium.biz | 67.23.226.139 | true | true | unknown | |
mail.showpiece.trillennium.biz | unknown | unknown | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | unknown | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
| | false | unknown | |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
67.23.226.139 | showpiece.trillennium.biz | United States | | 33182 | DIMENOCUS | true |
172.217.16.129 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false |
142.250.185.238 | drive.google.com | United States | | 15169 | GOOGLEUS | false |
172.67.74.152 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1545944 |
Start date and time: | 2024-10-31 10:43:12 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 12s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Quotation.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/12@4/4 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Quotation.exe
Time | Type | Description |
---|---|---|
05:45:26 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
67.23.226.139 | | | malicious | AgentTesla | | |
| | | malicious | AgentTesla, PureLog Stealer | | |
| | | malicious | AgentTesla | | |
| | | malicious | AgentTesla | | |
| | | malicious | AgentTesla | | |
| | | malicious | AgentTesla, PureLog Stealer | | |
| | | malicious | AgentTesla | | |
| | | malicious | AgentTesla, PureLog Stealer | | |
| | | malicious | AgentTesla | | |
| | | malicious | AgentTesla | | |
172.67.74.152 | | | malicious | RDPWrap Tool | | |
| | | malicious | Unknown | | |
| | | malicious | Xmrig | | |
| | | malicious | Xmrig | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | LummaC, PrivateLoader, Stealc, Vidar | | |
| | | malicious | RDPWrap Tool | | |
| | | malicious | Node Stealer | | |
| | | malicious | Unknown | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
api.ipify.org | | | malicious | Unknown | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | AgentTesla | | |
| | | malicious | EvilProxy, HTMLPhisher | | |
| | | malicious | Skuld Stealer | | |
| | | malicious | AgentTesla, GuLoader | | |
| | | malicious | AgentTesla, DBatLoader, PureLog Stealer | | |
| | | malicious | AgentTesla | | |
| | | malicious | AgentTesla | | |
Match | Detection | Threat Name |
---|---|---|
DIMENOCUS | malicious | HTMLPhisher |
DIMENOCUS | malicious | HTMLPhisher |
DIMENOCUS | malicious | Unknown |
DIMENOCUS | malicious | GuLoader, Snake Keylogger |
DIMENOCUS | malicious | Gafgyt, Mirai |
DIMENOCUS | malicious | HTMLPhisher, Mamba2FA |
DIMENOCUS | malicious | Unknown |
DIMENOCUS | malicious | Unknown |
DIMENOCUS | malicious | Unknown |
DIMENOCUS | malicious | Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Snake Keylogger |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Snake Keylogger, VIP Keylogger |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | MassLogger RAT |
CLOUDFLARENETUS | malicious | FormBook |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | LummaC |
CLOUDFLARENETUS | malicious | MassLogger RAT, PureLog Stealer |
Match | Detection | Threat Name |
---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Snake Keylogger, VIP Keylogger |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | MassLogger RAT, PureLog Stealer |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | MassLogger RAT, PureLog Stealer |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Stealc |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Phisher |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Phisher |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Remcos |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Remcos |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Remcos, GuLoader |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Stealc |
37f463bf4616ecd445d4a1937da06e19 | malicious | Remcos, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | Stealc, Vidar, Xmrig |
37f463bf4616ecd445d4a1937da06e19 | malicious | Stealc, Vidar |
37f463bf4616ecd445d4a1937da06e19 | malicious | GuLoader, Snake Keylogger |
37f463bf4616ecd445d4a1937da06e19 | malicious | FormBook, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | FormBook, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | FormBook, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | FormBook, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | GuLoader, Snake Keylogger |
37f463bf4616ecd445d4a1937da06e19 | malicious | FormBook, GuLoader |
Match | Detection | Threat Name |
---|---|---|
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | FormBook, GuLoader |
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | FormBook, GuLoader |
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | FormBook, GuLoader |
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nss582A.tmp\System.dll | malicious | Cobalt Strike, GuLoader |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12288 |
Entropy (8bit): | 5.97694153396788 |
Encrypted: | false |
SSDEEP: | 192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw |
MD5: | D6F54D2CEFDF58836805796F55BFC846 |
SHA1: | B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D |
SHA-256: | F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9 |
SHA-512: | CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 35 |
Entropy (8bit): | 4.264578373902383 |
Encrypted: | false |
SSDEEP: | 3:apWPWPjNLCNHiy:UPRCNHiy |
MD5: | 58AC0B5E1D49D0EE1AED2FE13FAE6C7A |
SHA1: | 02C8384573D47CA39F2E2ACA32B275861EC59A93 |
SHA-256: | 624F49944CB84ED51FECABCD549AE3B47152F9A20C4A95E93C8B007AEFE9FEAB |
SHA-512: | 8F5F062D6EBB8312DA4AD4F5AF077B1EAA2E14244823F15E6A87A9E48C7172CC1EA5AB691D3B4F9D8F8E0605F9CB3AA06590B4389820DA531633D9915B988FFC |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 482519 |
Entropy (8bit): | 1.2446382063037653 |
Encrypted: | false |
SSDEEP: | 1536:+yiLw81PnsncGiIsTVODPOqNbsVEVWZkZA4:G/Pne9iIyVODPsVpZkZA4 |
MD5: | 1D099F6122F4B7C8A78925726B59E5C3 |
SHA1: | EEA154E31FF04CD1A2CED0193F7633ED219CFA47 |
SHA-256: | 1B6DC1EAD079DB05B998725B154E803E6E1504E7E5B49C5611D55E018CD45E6D |
SHA-512: | F31F0A285C5A6EB2236CCD49A8BF939E46624F270E0270FC4C5640B37684BC1C7780C5350F778DA8E9D0B8CD25320C1909A9CD937F15BB3A7CDDBCEEE94C47FB |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 379208 |
Entropy (8bit): | 7.6144189340710176 |
Encrypted: | false |
SSDEEP: | 6144:+Ojg9/+8Uw+Txop1slWP/FAYiCHdj+1m9MLvZsq2IOz:16WzTxopkKAHC9j+Q9kuz |
MD5: | 7C3E64A3E8123691A49FE787A50FC916 |
SHA1: | ABD13A7497B522741F727E0172A8BC839DB18C93 |
SHA-256: | 51312E2DDEFCCABC4C8C96A229637B5F247FB1000FECEDBF6FD6EAD54843870B |
SHA-512: | 87D464C7A1EFF82650FAB62F0E8F0444A6A9504DD53151F607705D1F3A9FEDC00B76A201902DDE27D79474DC763E42E6815BABA6A763F7E23B11D5EF4375015F |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 151886 |
Entropy (8bit): | 4.598995683173564 |
Encrypted: | false |
SSDEEP: | 1536:Gxab7YwMXTp0UgPWnDziLbHyFC/cx6pTeH6gObSzRy20KDfC3wInFTlLBmsYY6aH:xUw8iUgPsHoDu6pTek20EUnVlLksHt |
MD5: | 7FC876F12112A1459C701AE1812AC3A4 |
SHA1: | BF3ACAB93654D132BB2D62C844D888231AB17DF4 |
SHA-256: | 9F9AD7DDDA58AAC8054D9A28ECE3956741834E725611C130DB15139C4DFFD1FA |
SHA-512: | E210B9DDC6C8699EA5CFA4E3B13348F17693BED48B1244327775C335AB325A604DD78DB7B358051C84B562463F39A66FB1CC654FF3E0C8E0A8161C8D5665DFFB |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 288955 |
Entropy (8bit): | 1.2577770955280814 |
Encrypted: | false |
SSDEEP: | 768:l1SkOmjqFRV/HZzy6+19kZBH4YVHCdJS7G5iOUEEaXXLlgHHl7MRY9hN+418WPK5:KOqvBJzC5vBhp8KT9AGCbQTZkkR |
MD5: | 0B62328C4966F6B879B3C13B7FBD9C0D |
SHA1: | 6DD81F12E739E81E06778067513ED1178A06AFC9 |
SHA-256: | 645C325F62AF720972466322B09A7E396E46D8E640B138D582374B68D763A3A7 |
SHA-512: | 2F738A2950352F124F7B969D38B52BD2E4453FF42BC8DEB7566620E6CDEA30368A6DC16230BA49050F8C0327175CAB71DC4A1709541F08A3FFDCF55FAF5B75B8 |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 340974 |
Entropy (8bit): | 1.254605943274635 |
Encrypted: | false |
SSDEEP: | 768:AgVdAd1etxyZmQhZgJwrQTTwKuiTGrJqCoIEsPkZnFFSKsOI4v/3n35lB3LiADa4:5TxLsV5IjQ3xx12 |
MD5: | 49BE0E06F2E4F0CCFFB46426EE262642 |
SHA1: | FF9C56C31A824E4CA087705C23D01D288FE34239 |
SHA-256: | A55DAC07FB586D4B64F0DDF812087A2EEEC6F5286D9BC73AD648ED3220ABDD3A |
SHA-512: | 27E9D035708943DD257186457C15488C9405747FC77F7C76760C96EE011C239F9FA53B5DA17958038FB2BA1C4E27E643E7924A37E6164E250B9F45A109D92E53 |
Malicious: | false |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 392462 |
Entropy (8bit): | 1.241128723454179 |
Encrypted: | false |
SSDEEP: | 768:jby0EUrStmwpKcx/orVcYZ+M3ok1I7vZFCDrlv2UV5t3votN6cGia46OGj3OkYSk:FaZaukRTadSdbrJ5N275Ea3nRYS3r |
MD5: | F130EC3095DBECEDC791D8C58A59040C |
SHA1: | DAD2300B487F31F199520E1B41AB02B7D677B352 |
SHA-256: | A56351ED69A301F5D9D89B6530280B7A85F998A806E1648911C37B6983BA9426 |
SHA-512: | 8599200F472F2D59390E8F2C497331640B12AB9FAF71817160C6D450EDF8A99F78CEF28CC3B57581D6AECFC1EC90A49947A6685C606321B6EE300D483C838360 |
Malicious: | false |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 433786 |
Entropy (8bit): | 1.255949132332751 |
Encrypted: | false |
SSDEEP: | 768:NFXORpsqJLOaVDzzoIgUPRGRoYNxHVxyczaUz4pP9Nom56I4tY6UBh1Yc88LaAQo:TUAoYxPzqoIzdwWR1+/24cwZXeCPiIBo |
MD5: | 53FF1A157920AE92C9BF891D453D6B65 |
SHA1: | B7BF3B7B16048F38132D8ACCA841130D73DB44C3 |
SHA-256: | FAD1B5E641DC44B5A51048470D4E0FB47664CF2B994CEA24304495D99323B9DE |
SHA-512: | E739381C24627F89255DB55B2DA39A09F055A322C577C3604BA048FB2C817AE7F63B12131F8461491F6140953FB33DD94EB66D8CB3B13B36717143342CE270AF |
Malicious: | false |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 374902 |
Entropy (8bit): | 1.250991222921627 |
Encrypted: | false |
SSDEEP: | 1536:XkYzjcLYszRzU5n1C900tMkYQx+gnpovYHO:XkYz4DzQB5sYYH |
MD5: | 169115C751DDA5E021E8C86E8454B26D |
SHA1: | 5A8254634C0C726BB18E42E626EAEB581D532DCD |
SHA-256: | ACCD4911D88E808AED4A2AA27394628C62574810B0B47977B7103A246FDF2A10 |
SHA-512: | 2B643014E8623CADBA7CE78B91D3C751D60FCBF3FA69FA26F29A14E55679FC6A5C2074834B2496773A1756E3172EC7C898E2DF29CB4A0513DBF8BC0DCDDA7E04 |
Malicious: | false |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 489048 |
Entropy (8bit): | 1.245615736901525 |
Encrypted: | false |
SSDEEP: | 1536:HMtjgMjMD1whyMu1IXCVAcFNpruXO+nBJH:stjgmYi03XDL+nBJ |
MD5: | B4FB425BAF217F31E91AAB39ABF66DCD |
SHA1: | 03DE3BD0F923AB14213B6C4461C5CA73A0A6371C |
SHA-256: | 4BC57A47B82B63EC20B393F65F3585EB81FE3F7748229CD19DEC8FE8A41D67C3 |
SHA-512: | E72395FD6098130EFD543C5941781A1AA80FCE17C7701CB40FA8874271E0D43E0F7F082EBF5D458181287DE41CF4B34F88DCAABE84D8AD51003EF5DA1495D871 |
Malicious: | false |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 371 |
Entropy (8bit): | 4.247837387326688 |
Encrypted: | false |
SSDEEP: | 6:r8pLNAsEyv1WABlvMW9uu+IXvVJyQXPhXOQemtNxgFUvNwmA6AQOp2jMPA9cnb:ruJAOgABlQuTXbyKhXOLmtLgHmFOYjMV |
MD5: | 46003C65AA12A0EBE55662F0141186DC |
SHA1: | 739652C3375018DAFFB986302A7D3E8D32770B41 |
SHA-256: | 2EA079DEDE1B356842C5F5E0751B5E2B6565FDED65DAFB59A73D170C002ABB27 |
SHA-512: | 59D394789F9EECE97873D56AEA64F353D3E13E007E4ACBD396AC76CB68E91494EB65888049EF05CBE9B20597ADADCC960D067F90AAD3EA5AA46AC3A82F5B82FD |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.811676042471184 |
File name: | Quotation.exe |
File size: | 1'197'176 bytes |
MD5: | 5607e8b6d0197e51ec19233e72bc2036 |
SHA1: | 91cf6d8f6eeb59e44741d16c4a1ba38cffe59435 |
SHA256: | 2013e4b243a72b09add6488f84ad97b47ce0587cdecc1114f4380c82650e069c |
SHA512: | bd1334cf2a73bfaf4b4235baaa0b4f0ef86e352e90323f60912a1e749f31e2ce82cb29acd45e8b3df74bd0f172239f7cf31fd3f7303eb299d9d7e21ea4e4dd92 |
SSDEEP: | 24576:64nhDoAFKQnWqZRi73deBNF12ZNXLGQ7WczkxFnfbP98:6+hkhQnxZRiBe5iNXKQKczga |
TLSH: | B445232636E2C04BD9830A794BF7F33A897EDD153C16982677702B4EDD7128CDD8A660 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............o...o...o...k...o...i...o...n...o...n...o.I.k...o.I.....o.I.m...o.Rich..o.................PE..L...!.*c.................n. |
Icon Hash: | 873335651170390f |
Entrypoint: | 0x4036da |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x632AE721 [Wed Sep 21 10:27:45 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 3f91aceea750f765ef2ba5d9988e6a00 |
Signature Valid: | false |
Signature Issuer: | CN=Frostklart, O=Frostklart, L=Ancey, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Version: | 3 |
Thumbprint MD5: | D5180E15196D1898A3B907839CE72F94 |
Thumbprint SHA-1: | A93ACCEF1A204E7A231C86AEFAD621EF80205976 |
Thumbprint SHA-256: | FF48C37C9BCF76FF4194B83CBD8074DDC3CDFB204216E18F8FDAF4E7382836BA |
Serial: | 531598CA6A96AABCE1A02FB8223F6BA8E6DA2A2E |
Instruction |
---|
sub esp, 000003ECh |
push ebx |
push ebp |
push esi |
push edi |
xor ebx, ebx |
mov edi, 00408528h |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov ebp, ebx |
call dword ptr [00408170h] |
mov esi, dword ptr [004080ACh] |
lea eax, dword ptr [esp+2Ch] |
xorps xmm0, xmm0 |
mov dword ptr [esp+40h], ebx |
push eax |
movlpd qword ptr [esp+00000144h], xmm0 |
mov dword ptr [esp+30h], 0000011Ch |
call esi |
test eax, eax |
jne 00007FAAD884FB59h |
lea eax, dword ptr [esp+2Ch] |
mov dword ptr [esp+2Ch], 00000114h |
push eax |
call esi |
push 00000053h |
pop eax |
mov dl, 04h |
mov byte ptr [esp+00000146h], dl |
cmp word ptr [esp+40h], ax |
jne 00007FAAD884FB33h |
mov eax, dword ptr [esp+5Ah] |
add eax, FFFFFFD0h |
mov word ptr [esp+00000140h], ax |
jmp 00007FAAD884FB2Dh |
xor eax, eax |
jmp 00007FAAD884FB14h |
mov dl, byte ptr [esp+00000146h] |
cmp dword ptr [esp+30h], 0Ah |
jnc 00007FAAD884FB2Dh |
movzx eax, word ptr [esp+38h] |
mov dword ptr [esp+38h], eax |
jmp 00007FAAD884FB26h |
mov eax, dword ptr [esp+38h] |
mov dword ptr [007A8638h], eax |
movzx eax, byte ptr [esp+30h] |
shl ax, 0008h |
movzx ecx, ax |
movzx eax, byte ptr [esp+34h] |
or ecx, eax |
movzx eax, byte ptr [esp+00000140h] |
shl ax, 0008h |
shl ecx, 10h |
movzx eax, word ptr [eax] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8a00 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3db000 | 0x3e910 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x123288 | 0x11f0 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6c0b | 0x6e00 | 9178309eee1a86dc5ef945d6826a6897 | False | 0.6605823863636363 | data | 6.398414552532143 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1896 | 0x1a00 | 0885e83a553c38819d1fab2908ca0cf5 | False | 0.4307391826923077 | data | 4.86610208699674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x39e640 | 0x200 | 5c0f03a1a77f205400c2cbabec9976c4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x3a9000 | 0x32000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3db000 | 0x3e910 | 0x3ea00 | 2690c3c0c1de505f961321c7e2d6da34 | False | 0.6915076097804391 | data | 6.574790239627466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x3db388 | 0x16482 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.000394451383867 |
RT_ICON | 0x3f1810 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.486498876138649 |
RT_ICON | 0x402038 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.5308492747529956 |
RT_ICON | 0x40b4e0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.5497227356746766 |
RT_ICON | 0x410968 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.5415682569674067 |
RT_ICON | 0x414b90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5884854771784233 |
RT_ICON | 0x417138 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6179643527204502 |
RT_ICON | 0x4181e0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6668032786885246 |
RT_ICON | 0x418b68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7287234042553191 |
RT_DIALOG | 0x418fd0 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x4190d0 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x4191f0 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0x4192b8 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x419318 | 0x84 | Targa image data - Map 32 x 25730 x 1 +1 | English | United States | 0.7348484848484849 |
RT_VERSION | 0x4193a0 | 0x220 | data | English | United States | 0.5110294117647058 |
RT_MANIFEST | 0x4195c0 | 0x349 | XML 1.0 document, ASCII text, with very long lines (841), with no line terminators | English | United States | 0.5529131985731273 |
DLL | Import |
---|---|
ADVAPI32.dll | RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW |
SHELL32.dll | ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation |
ole32.dll | OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance |
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create |
USER32.dll | DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW |
GDI32.dll | SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW |
KERNEL32.dll | WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-31T10:45:20.670689+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.9 | 49973 | 142.250.185.238 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 31, 2024 10:45:24.361323118 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.361370087 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.420878887 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.420945883 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.420975924 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.420993090 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.421025038 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.421036005 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.421068907 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.421076059 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.421098948 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.421168089 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.421468973 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.421514988 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.421539068 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.421546936 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.421561003 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.421646118 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.422676086 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.422739983 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.422749043 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.422801971 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.422806978 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.422879934 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.422884941 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.422931910 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.427114010 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.427208900 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.427216053 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.427269936 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.427608967 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.427692890 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.427700043 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.427743912 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.432221889 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.432367086 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.432403088 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.432497978 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.435942888 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.436043024 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.436057091 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.436134100 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.439774036 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.439846039 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.439852953 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.439933062 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.445058107 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.445178986 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.445185900 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.445230007 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.450879097 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.450948000 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.450954914 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.450998068 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.456619024 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.456767082 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.456773043 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.456824064 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.462302923 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.462387085 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.462397099 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.462460041 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.467761993 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.467849016 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.467880011 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.467919111 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.473509073 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.473609924 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.473623991 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.473675013 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.479552031 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.479634047 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.479644060 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.479763985 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.479772091 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.479830027 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.539681911 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.539762974 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.539776087 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.539819956 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.539829969 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.539838076 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.539875031 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.539906025 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.539908886 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.539927006 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.539985895 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.539985895 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.539994955 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.540034056 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.540298939 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.540353060 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.541290998 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.541347027 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.541356087 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.541404963 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.541424036 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.541431904 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.541451931 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.541728020 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.541732073 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.541789055 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.545870066 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.545969009 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.545980930 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.546072960 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.546086073 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.546101093 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.546134949 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.546185970 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.554580927 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.554656982 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.554666996 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.554708004 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.558424950 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.558494091 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.558502913 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.558556080 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.558562040 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.558572054 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.558594942 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.558621883 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.563837051 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.563934088 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.563946009 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.564018011 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.564023972 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.564078093 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.569377899 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.569437981 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.569449902 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.569535017 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.575257063 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.575376034 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.575391054 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.575504065 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.580893993 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.580951929 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.580961943 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.581005096 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.586510897 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.586833954 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.586855888 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.587078094 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.592221022 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.592593908 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.592605114 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.592658997 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.598628044 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.598720074 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.598742008 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.598756075 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.598793983 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.599070072 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.658216000 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.658313036 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.658389091 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.658421993 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.658451080 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.658468962 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.658495903 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.658503056 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.658520937 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.658545971 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.658570051 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.658576965 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.658595085 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.659212112 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.659218073 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.659269094 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.659683943 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.659761906 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.659780979 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.659790039 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.659813881 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.660115957 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.660121918 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.660175085 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.660271883 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.660433054 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.664338112 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.664479971 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.664494038 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.664752007 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.664772034 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.664779902 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.664809942 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.665028095 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.670495033 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.670614004 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.672900915 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.673029900 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.673042059 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.673579931 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.676937103 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.677001953 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.677035093 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.677046061 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.677064896 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.677380085 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.677386045 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.677443027 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.682338953 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.682565928 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.682575941 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.682670116 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.688097000 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.688213110 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.688225985 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.688410997 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.693710089 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.693816900 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.693826914 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.693882942 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.699371099 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.699506044 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.699523926 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.699595928 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.721074104 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.721146107 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.721175909 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.721204042 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.721220016 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.721235037 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.721256971 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.721272945 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.721295118 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.721359968 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.721359968 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.721368074 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.721438885 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.721620083 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:24.721673012 CET | 443 | 49974 | 172.217.16.129 | 192.168.2.9 |
Oct 31, 2024 10:45:24.721764088 CET | 49974 | 443 | 192.168.2.9 | 172.217.16.129 |
Oct 31, 2024 10:45:25.796844959 CET | 49975 | 443 | 192.168.2.9 | 172.67.74.152 |
Oct 31, 2024 10:45:25.796889067 CET | 443 | 49975 | 172.67.74.152 | 192.168.2.9 |
Oct 31, 2024 10:45:25.796968937 CET | 49975 | 443 | 192.168.2.9 | 172.67.74.152 |
Oct 31, 2024 10:45:25.800235987 CET | 49975 | 443 | 192.168.2.9 | 172.67.74.152 |
Oct 31, 2024 10:45:25.800261021 CET | 443 | 49975 | 172.67.74.152 | 192.168.2.9 |
Oct 31, 2024 10:45:26.418500900 CET | 443 | 49975 | 172.67.74.152 | 192.168.2.9 |
Oct 31, 2024 10:45:26.418735027 CET | 49975 | 443 | 192.168.2.9 | 172.67.74.152 |
Oct 31, 2024 10:45:26.420898914 CET | 49975 | 443 | 192.168.2.9 | 172.67.74.152 |
Oct 31, 2024 10:45:26.420912981 CET | 443 | 49975 | 172.67.74.152 | 192.168.2.9 |
Oct 31, 2024 10:45:26.421156883 CET | 443 | 49975 | 172.67.74.152 | 192.168.2.9 |
Oct 31, 2024 10:45:26.428392887 CET | 49975 | 443 | 192.168.2.9 | 172.67.74.152 |
Oct 31, 2024 10:45:26.471333981 CET | 443 | 49975 | 172.67.74.152 | 192.168.2.9 |
Oct 31, 2024 10:45:26.602969885 CET | 443 | 49975 | 172.67.74.152 | 192.168.2.9 |
Oct 31, 2024 10:45:26.603044033 CET | 443 | 49975 | 172.67.74.152 | 192.168.2.9 |
Oct 31, 2024 10:45:26.603543043 CET | 49975 | 443 | 192.168.2.9 | 172.67.74.152 |
Oct 31, 2024 10:45:26.609500885 CET | 49975 | 443 | 192.168.2.9 | 172.67.74.152 |
Oct 31, 2024 10:45:28.559958935 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:28.564934015 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:28.566540956 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:29.273474932 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.273715973 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:29.284356117 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.436853886 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.437043905 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:29.442148924 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.587775946 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.588481903 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:29.593674898 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.757788897 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.757806063 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.758079052 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:29.758918047 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.758954048 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.759001970 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:29.759354115 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.787522078 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:29.792501926 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.936145067 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:29.938990116 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:29.943845987 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.087368965 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.088823080 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:30.093852997 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.238554955 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.239949942 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:30.246479034 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.395903111 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.396251917 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:30.401550055 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.544436932 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.544708014 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:30.549685955 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.696472883 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.697134018 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:30.702608109 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.845284939 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.846009016 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:30.846072912 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:30.846096039 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:30.846126080 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Oct 31, 2024 10:45:30.851639032 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:30.851706982 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:31.011070013 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 |
Oct 31, 2024 10:45:31.061054945 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 31, 2024 10:45:19.168256998 CET | 59206 | 53 | 192.168.2.9 | 1.1.1.1 |
Oct 31, 2024 10:45:19.175139904 CET | 53 | 59206 | 1.1.1.1 | 192.168.2.9 |
Oct 31, 2024 10:45:20.686918974 CET | 60989 | 53 | 192.168.2.9 | 1.1.1.1 |
Oct 31, 2024 10:45:20.694693089 CET | 53 | 60989 | 1.1.1.1 | 192.168.2.9 |
Oct 31, 2024 10:45:25.783711910 CET | 62820 | 53 | 192.168.2.9 | 1.1.1.1 |
Oct 31, 2024 10:45:25.792222977 CET | 53 | 62820 | 1.1.1.1 | 192.168.2.9 |
Oct 31, 2024 10:45:27.825550079 CET | 62779 | 53 | 192.168.2.9 | 1.1.1.1 |
Oct 31, 2024 10:45:28.530518055 CET | 53 | 62779 | 1.1.1.1 | 192.168.2.9 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 31, 2024 10:45:19.168256998 CET | 192.168.2.9 | 1.1.1.1 | 0x8c7f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 31, 2024 10:45:20.686918974 CET | 192.168.2.9 | 1.1.1.1 | 0x553c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 31, 2024 10:45:25.783711910 CET | 192.168.2.9 | 1.1.1.1 | 0x231e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 31, 2024 10:45:27.825550079 CET | 192.168.2.9 | 1.1.1.1 | 0x6dd4 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 31, 2024 10:45:19.175139904 CET | 1.1.1.1 | 192.168.2.9 | 0x8c7f | No error (0) | | | 142.250.185.238 | A (IP address) | IN (0x0001) | false |
Oct 31, 2024 10:45:20.694693089 CET | 1.1.1.1 | 192.168.2.9 | 0x553c | No error (0) | | | 172.217.16.129 | A (IP address) | IN (0x0001) | false |
Oct 31, 2024 10:45:25.792222977 CET | 1.1.1.1 | 192.168.2.9 | 0x231e | No error (0) | | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
Oct 31, 2024 10:45:25.792222977 CET | 1.1.1.1 | 192.168.2.9 | 0x231e | No error (0) | | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
Oct 31, 2024 10:45:25.792222977 CET | 1.1.1.1 | 192.168.2.9 | 0x231e | No error (0) | | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
Oct 31, 2024 10:45:28.530518055 CET | 1.1.1.1 | 192.168.2.9 | 0x6dd4 | No error (0) | | showpiece.trillennium.biz | | CNAME (Canonical name) | IN (0x0001) | false |
Oct 31, 2024 10:45:28.530518055 CET | 1.1.1.1 | 192.168.2.9 | 0x6dd4 | No error (0) | | | 67.23.226.139 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.9 | 49973 | 142.250.185.238 | 443 | 1212 | C:\Users\user\Desktop\Quotation.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-31 09:45:20 UTC | 216 | OUT | |
2024-10-31 09:45:20 UTC | 1610 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.9 | 49974 | 172.217.16.129 | 443 | 1212 | C:\Users\user\Desktop\Quotation.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-31 09:45:21 UTC | 258 | OUT | |
2024-10-31 09:45:24 UTC | 4915 | IN | |
2024-10-31 09:45:24 UTC | 4915 | IN | |
2024-10-31 09:45:24 UTC | 4866 | IN | |
2024-10-31 09:45:24 UTC | 1378 | IN | |
2024-10-31 09:45:24 UTC | 1378 | IN | |
2024-10-31 09:45:24 UTC | 1378 | IN | |
2024-10-31 09:45:24 UTC | 1378 | IN | |
2024-10-31 09:45:24 UTC | 1378 | IN | |
2024-10-31 09:45:24 UTC | 1378 | IN | |
2024-10-31 09:45:24 UTC | 1378 | IN | |
2024-10-31 09:45:24 UTC | 1378 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.9 | 49975 | 172.67.74.152 | 443 | 1212 | C:\Users\user\Desktop\Quotation.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-31 09:45:26 UTC | 155 | OUT | |
2024-10-31 09:45:26 UTC | 211 | IN | |
2024-10-31 09:45:26 UTC | 14 | IN | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Oct 31, 2024 10:45:29.273474932 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 | 220-super.nseasy.com ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 05:45:29 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Oct 31, 2024 10:45:29.273715973 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 | EHLO 897506 |
Oct 31, 2024 10:45:29.436853886 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 | 250-super.nseasy.com Hello 897506 [173.254.250.77] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP |
Oct 31, 2024 10:45:29.437043905 CET | 49976 | 587 | 192.168.2.9 | 67.23.226.139 | STARTTLS |
Oct 31, 2024 10:45:29.587775946 CET | 587 | 49976 | 67.23.226.139 | 192.168.2.9 | 220 TLS go ahead |
Target ID: | 0 |
Start time: | 05:44:04 |
Start date: | 31/10/2024 |
Path: | C:\Users\user\Desktop\Quotation.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'197'176 bytes |
MD5 hash: | 5607E8B6D0197E51EC19233E72BC2036 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 5 |
Start time: | 05:45:05 |
Start date: | 31/10/2024 |
Path: | C:\Users\user\Desktop\Quotation.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'197'176 bytes |
MD5 hash: | 5607E8B6D0197E51EC19233E72BC2036 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 30.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 27.2% |
Total number of Nodes: | 826 |
Total number of Limit Nodes: | 18 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004036DA | 84.4 | 32 | 16 | 416 | string, file, com, COMMON |
0040154A | 37.2 | 17 | 4 | 441 | string, time, sleep, COMMON |
70022351 | 18.7 | 12 | | 705 | string, library, memory, COMMON |
004066F7 | 14.2 | 7 | 1 | 155 | file, string, COMMON |
004065AD | 3.0 | 2 | | 14 | file, COMMON |
00404F70 | 63.4 | 35 | 1 | 374 | window, string, COMMON |
00405A1C | 44.0 | 13 | 12 | 225 | string, registry, COMMON |
004033CB | 22.9 | 5 | 8 | 178 | memory, COMMON |
00405E98 | 19.5 | 7 | 4 | 209 | string, COMMON |
00405D18 | 14.1 | 7 | 1 | 76 | string, window, COMMON |
0040617C | 10.5 | 3 | 3 | 36 | library, COMMON |
004068C4 | 7.0 | 2 | 2 | 18 | library, loader, COMMON |
00405E1C | 6.0 | 4 | | 37 | COMMON |
00406955 | 5.3 | 2 | 1 | 47 | registry, COMMON |
7002167A | 4.6 | 3 | | 123 | COMMON |
00401399 | 3.0 | 2 | | 49 | window, COMMON |
00406616 | 3.0 | 2 | | 47 | string, COMMON |
004066B4 | 3.0 | 2 | | 24 | process, COMMON |
004068F9 | 3.0 | 2 | | 14 | file, COMMON |
70022D14 | 1.6 | 1 | | 143 | file, COMMON |
004069E9 | 1.5 | 1 | | 24 | file, COMMON |
00406926 | 1.5 | 1 | | 24 | file, COMMON |
70021A4A | 1.5 | 1 | | 21 | memory, COMMON |
004054C6 | 1.5 | 1 | | 9 | window, COMMON |
004054E1 | 1.5 | 1 | | 6 | window, COMMON |
00403131 | 1.5 | 1 | | 6 | COMMON |
700212F8 | 1.3 | 1 | | 6 | memory, COMMON |
004062E4 | 21.1 | 10 | 2 | 124 | memory, string, COMMON |
00405739 | 12.1 | 8 | | 70 | COMMON |
0040362D | 10.5 | 5 | 1 | 38 | time, COMMON |
700210C7 | 8.9 | 7 | | 162 | memory, COMMON |
70021F1E | 8.8 | 2 | 3 | 28 | string, COMMON |
70022049 | 7.6 | 5 | | 129 | memory, COMMON |
70021F7B | 7.5 | 5 | | 38 | memory, library, loader, COMMON |
00406534 | 7.0 | 3 | 1 | 16 | string, COMMON |
70021CC7 | 6.2 | 4 | | 209 | COMMON |
00403367 | 6.0 | 4 | | 28 | COMMON |
00406CEE | 5.3 | 2 | 1 | 17 | string, COMMON |
Execution Graph
Execution Coverage: | 9.7% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 166 |
Total number of Limit Nodes: | 14 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
392B2338 | 6.0 | | 4 | 1038 | COMMON |
392B3108 | 3.0 | | 2 | 545 | COMMON |
000DA960 | 2.9 | | | 2893 | COMMON |
000DB3B4 | 2.3 | | | 2336 | COMMON |
392B6698 | 2.1 | | 1 | 823 | COMMON |
392B5648 | 1.8 | | 1 | 595 | COMMON |
392B7E20 | 1.7 | | 1 | 471 | COMMON |
000DE289 | 1.6 | | 1 | 334 | COMMON |
000D3E80 | 1.5 | | 1 | 238 | COMMON |
392BC220 | .6 | | | 644 | COMMON |
392BB2BA | .6 | | | 566 | COMMON |
000DA500 | .4 | | | 358 | COMMON |
000DDCA8 | .3 | | | 344 | COMMON |
000D4A98 | .3 | | | 266 | COMMON |
39795E79 | 8.9 | 4 | 1 | 144 | thread, COMMON |
39795E88 | 8.9 | 4 | 1 | 128 | thread, COMMON |
000D86C8 | 6.8 | | 5 | 586 | COMMON |
000D8729 | 6.8 | | 5 | 554 | COMMON |
000D0838 | 3.8 | | 3 | 62 | COMMON |
000DA070 | 2.6 | | 2 | 84 | COMMON |
000DA080 | 2.6 | | 2 | 78 | COMMON |
000D9F70 | 2.6 | | 2 | 76 | COMMON |
000D9F80 | 2.6 | | 2 | 70 | COMMON |
000D0848 | 2.6 | | 2 | 62 | COMMON |
000DECC8 | 1.6 | | 1 | 397 | COMMON |
39792372 | 1.6 | 1 | | 114 | COMMON |
39792378 | 1.6 | 1 | | 113 | COMMON |
39795CBC | 1.6 | 1 | | 97 | COMMON |
39797250 | 1.6 | 1 | | 75 | COMMON |
397960C8 | 1.6 | 1 | | 63 | COMMON |
397960D0 | 1.6 | 1 | | 62 | COMMON |
397997EC | 1.6 | 1 | | 60 | COMMON |
397997F0 | 1.6 | 1 | | 57 | COMMON |
39795D14 | 1.5 | 1 | | 46 | COMMON |
39795E6C | 1.5 | 1 | | 46 | com, COMMON |
39797B67 | 1.5 | 1 | | 43 | com, COMMON |
000D3E74 | 1.5 | | 1 | 237 | COMMON |
000D1382 | 1.3 | | 1 | 71 | COMMON |
000DE1C0 | 1.3 | | 1 | 64 | COMMON |
000DE1D0 | 1.3 | | 1 | 59 | COMMON |
000DF879 | 1.3 | | 1 | 24 | COMMON |
000DEBAC | 1.3 | | 1 | 20 | COMMON |
000D4A8C | .3 | | | 260 | COMMON |
000DA266 | .2 | | | 245 | COMMON |
392B6298 | .2 | | | 229 | COMMON |
392B4348 | .2 | | | 224 | COMMON |
392B4664 | .2 | | | 221 | COMMON |
392B4678 | .2 | | | 210 | COMMON |
392B4C10 | .2 | | | 186 | COMMON |
392BFD29 | .2 | | | 175 | COMMON |
392B91D8 | .2 | | | 171 | COMMON |
000D6EE2 | .2 | | | 170 | COMMON |
392BFAE8 | .2 | | | 163 | COMMON |
000DF930 | .1 | | | 148 | COMMON |
000D7D28 | .1 | | | 142 | COMMON |
000D6CDE | .1 | | | 136 | COMMON |
392B54B8 | .1 | | | 135 | COMMON |
000D6CE8 | .1 | | | 132 | COMMON |
392B4C01 | .1 | | | 129 | COMMON |
392BDB55 | .1 | | | 126 | COMMON |
000D1128 | .1 | | | 119 | COMMON |
000D1138 | .1 | | | 112 | COMMON |
000DFB49 | .1 | | | 108 | COMMON |
392B21C0 | .1 | | | 105 | COMMON |
000D7D98 | .1 | | | 95 | COMMON |
000D26DC | .1 | | | 93 | COMMON |
000DE720 | .1 | | | 92 | COMMON |
000DF638 | .1 | | | 90 | COMMON |
000D26E8 | .1 | | | 90 | COMMON |
000DF640 | .1 | | | 85 | COMMON |
392B3B48 | .1 | | | 82 | COMMON |
000DFD6F | .1 | | | 79 | COMMON |
000DFD80 | .1 | | | 78 | COMMON |
392B3B58 | .1 | | | 78 | COMMON |
000D16A0 | .1 | | | 75 | COMMON |
000AD044 | .1 | | | 72 | COMMON |
000D1878 | .1 | | | 72 | COMMON |
000D1888 | .1 | | | 70 | COMMON |
000D16B0 | .1 | | | 69 | COMMON |
392B6DB8 | .1 | | | 68 | COMMON |
000D17C0 | .1 | | | 61 | COMMON |
392B3C68 | .1 | | | 59 | COMMON |
000D148A | .1 | | | 57 | COMMON |
392B42AA | .1 | | | 57 | COMMON |
000D6BA0 | .1 | | | 55 | COMMON |
392B3921 | .1 | | | 54 | COMMON |
392B3C57 | .1 | | | 54 | COMMON |
000AD03F | .1 | | | 53 | COMMON |
000D1498 | .1 | | | 53 | COMMON |
392BEE31 | .1 | | | 53 | COMMON |
392B3928 | .1 | | | 52 | COMMON |
392B42B8 | .1 | | | 51 | COMMON |
392BEE40 | .0 | | | 49 | COMMON |
000DFEE8 | .0 | | | 48 | COMMON |
392BA3A8 | .0 | | | 46 | COMMON |
392BC878 | .0 | | | 43 | COMMON |
000DFEF8 | .0 | | | 42 | COMMON |
000DF8B0 | .0 | | | 38 | COMMON |
000DF2F0 | .0 | | | 35 | COMMON |
000D7EB0 | .0 | | | 34 | COMMON |
392BAFB0 | .0 | | | 34 | COMMON |
392B6519 | .0 | | | 26 | COMMON |
000DE6E8 | .0 | | | 20 | COMMON |
000DE6F8 | .0 | | | 16 | COMMON |