Windows Analysis Report: Quotation.exe
Overview

Detection

Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
- System is w10x64
- Quotation.exe (PID: 5968, cmdline: "C:\Users\user\Desktop\Quotation.exe", MD5: 9ED064F0FEB2397BB999563751C20B92)
- Quotation.exe (PID: 2284, cmdline: "C:\Users\user\Desktop\Quotation.exe", MD5: 9ED064F0FEB2397BB999563751C20B92)
- cleanup
Name | Description
---|---
Agent Tesla, AgentTesla | A .NET-based information stealer that is readily available to actors because its builder has leaked. It logs keystrokes, reads the host's clipboard and crawls the disk for credentials and other valuable data. It sends the collected information to its C&C over HTTP(S), SMTP or FTP, or to a Telegram channel.

Extracted malware configuration (AgentTesla):

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

The exfiltration channel is an authenticated SMTP session on TCP 587 (the mail submission port) using the mailbox credentials embedded in the binary. The parent domain of the mail host, showpiece.trillennium.biz, resolved to 67.23.226.139 (AS33182, DIMENOCUS) during the run and is flagged malicious in the IP table below.
Rule | Description | Author | Matches
---|---|---|---
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 3
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | 2
Sigma rule matched (category System Summary, author frack113).
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
---|---|---|---|---|---|---|---|---
2024-11-04T10:00:13.349949+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.5 | 49704 | TCP
2024-11-04T10:00:52.036491+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.5 | 49888 | TCP
2024-11-04T10:00:28.263870+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49767 | 142.250.186.174 | 443 | TCP

The two SID 2022930 alerts fire on TLS responses from 172.202.163.200, an address that appears in no domain or IP table of this report; 142.250.186.174 is drive.google.com (AS15169, GOOGLEUS), consistent with the payload being staged on Google Drive.
Only the evidence type and the number of rows survive for each signature below.

AV Detection

- Malware Configuration Extractor
- ReversingLabs
- Integrated Neural Analysis Model
- Static PE information

Networking-related evidence (in report order)

- HTTPS traffic detected (3)
- Static PE information
- Code function: 0_2_004066F7, 0_2_004065AD
- TCP traffic
- IP Address (3)
- ASN Name
- JA3 fingerprint (2)
- DNS query (2)
- Suricata IDS (3)
- TCP traffic
- HTTP traffic detected (3)
- UDP traffic detected without corresponding DNS query (4)
- HTTP traffic detected (3)
- DNS traffic detected (4)
- String found in binary or memory (24)
- Network traffic detected (6)
- HTTPS traffic detected (3)
Key, Mouse, Clipboard, Microphone and Screen Capturing

- Windows user hook set
- Window created
System Summary

- Static PE information
- Code function: 0_2_004036DA, 0_2_733F2351, 3_2_0015A500, 3_2_0015A950, 3_2_00154A98, 3_2_0015DCA8, 3_2_00153E80, 3_2_001541BE, 3_2_001541C8, 3_2_36D56698, 3_2_36D5B2BA, 3_2_36D55648, 3_2_36D5C220, 3_2_36D57E20, 3_2_36D53108, 3_2_36D57740, 3_2_36D52338, 3_2_36D5E440, 3_2_36D50040, 3_2_36D55D83, 3_2_3723194A, 3_2_37231982, 3_2_37231988, 3_2_37390448, 3_2_37394B48, 3_2_36D50037
- Static PE information
- Binary or memory string
- Static PE information
- Classification label
- Code function: 0_2_004036DA
- File created
- Mutant created
- File created
- Static PE information
- WMI Queries (2)
- File read
- Key opened
- ReversingLabs
- File read
- Process created (3)
- Section loaded (71)
- Key value queried
- File written
- Key opened
- Static file information
- Static PE information
- Code function: 0_2_733F2351, 3_2_372376E9, 3_2_37237CAD
- File created (dropped file)
- Registry key monitored for changes
- Process information set (66)
Malware Analysis System Evasion

- WMI Queries
- API/Special instruction interceptor (2)
- RDTSC instruction interceptor (2)
- Memory allocated (3)
- Thread delayed (15)
- Window / User API (2)
- Dropped PE file which has not been started
- Evaded block: graph_0-3126
- Thread sleep count (3) / Thread sleep time (51)
- WMI Queries (3)
- Code function: 0_2_004066F7, 0_2_004065AD
- Thread delayed (51)
- Binary or memory string (2)
- API call chain: graph_0-3017
- Code function: 0_2_733F2351
- Process token adjusted
- Memory allocated
- Process created
- Queries volume information (6)
- Code function: 0_2_004036DA
- Key value queried
Stealing of Sensitive Information

- File source (4)
- Key opened
- File opened (5)
- File opened
- File opened (2)
- Key opened (2)
- File source (2)
Remote Access Functionality

- File source (4)
MITRE ATT&CK techniques observed (the number in parentheses is the report's count for that technique; the matrix's unobserved template entries are omitted)

Tactic | Techniques observed
---|---
Execution | Windows Management Instrumentation (121); Native API (2)
Persistence | DLL Side-Loading (1)
Privilege Escalation | DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11)
Defense Evasion | Disable or Modify Tools (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Access Token Manipulation (1); Process Injection (11)
Credential Access | OS Credential Dumping (2); Input Capture (11); Credentials in Registry (1)
Discovery | File and Directory Discovery (3); System Information Discovery (225); Query Registry (1); Security Software Discovery (311); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Network Configuration Discovery (1)
Collection | Archive Collected Data (1); Data from Local System (2); Email Collection (1); Input Capture (11); Clipboard Data (1)
Command and Control | Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (23)
Impact | System Shutdown/Reboot (1)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration | none observed
Source | Detection | Scanner | Label
---|---|---|---
Submitted sample | 58% | ReversingLabs | Win32.Trojan.GuLoader
Dropped file | 0% | ReversingLabs |
URLs (7) | 0% | URL Reputation | safe
URLs (9) | 0% | Avira URL Cloud | safe

ReversingLabs labels the submitted sample GuLoader, while the Yara matches, the configuration extractor and the network evidence identify the payload as AgentTesla; the context tables below show the same AgentTesla, GuLoader pairing for other analyses that contacted 67.23.226.139.
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 142.250.186.174 | true | false | unknown | |
drive.usercontent.google.com | 142.250.185.97 | true | false | unknown | |
api.ipify.org | 104.26.13.205 | true | false | unknown | |
showpiece.trillennium.biz | 67.23.226.139 | true | true | unknown | |
mail.showpiece.trillennium.biz | unknown | unknown | true | unknown |
URLs: 16 entries (1 contacted URL and 15 URLs with a recorded source); none marked malicious, reputation unknown. The URL strings themselves are not preserved here.
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
67.23.226.139 | showpiece.trillennium.biz | United States | 33182 | DIMENOCUS | true
142.250.186.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
142.250.185.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
Field | Value
---|---
Joe Sandbox version | 41.0.0 Charoite
Analysis ID | 1548300
Start date and time | 2024-11-04 09:59:04 +01:00
Joe Sandbox product | CloudBasic
Overall analysis duration | 0h 6m 28s
Hypervisor based Inspection enabled | false
Report type | full
Cookbook file name | default.jbs
Analysis system description | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed | 5
Number of new started drivers analysed | 0
Number of existing processes analysed | 0
Number of existing drivers analysed | 0
Number of injected processes analysed | 0
Analysis Mode | default
Analysis stop reason | Timeout
Sample name | Quotation.exe
Detection | MAL
Classification | mal100.troj.spyw.evad.winEXE@3/12@4/4
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Quotation.exe
Time | Type | Description |
---|---|---|
04:00:33 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
67.23.226.139 | Get hash | malicious | AgentTesla, GuLoader | Browse | ||
Get hash | malicious | AgentTesla, GuLoader | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
104.26.13.205 | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse |
| ||
Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse |
| ||
Get hash | malicious | RDPWrap Tool | Browse |
| ||
Get hash | malicious | Node Stealer | Browse |
| ||
Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse |
| ||
Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse |
| ||
Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
api.ipify.org | | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | Quasar | Browse | |
| | Get hash | malicious | Quasar | Browse | |
| | Get hash | malicious | Kronos, Strela Stealer | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | |
| | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Phisher | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | LummaC, Stealc, Vidar | Browse | |
DIMENOCUS | | Get hash | malicious | AgentTesla, GuLoader | Browse | |
| | Get hash | malicious | AgentTesla, GuLoader | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
| | Get hash | malicious | Gafgyt, Mirai | Browse | |
| | Get hash | malicious | HTMLPhisher, Mamba2FA | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
| | Get hash | malicious | Phemedrone Stealer | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | Azorult, GuLoader | Browse | |
| | Get hash | malicious | Stealc, Vidar | Browse | |
| | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
| | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
| | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
| | Get hash | malicious | Remcos, GuLoader | Browse | |
| | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
| | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nss46CE.tmp\System.dll | | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | AgentTesla, GuLoader | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | FormBook, GuLoader | Browse | |
| | Get hash | malicious | FormBook, GuLoader | Browse | |
| | Get hash | malicious | FormBook, GuLoader | Browse | |
| | Get hash | malicious | FormBook, GuLoader | Browse | |
| | Get hash | malicious | FormBook, GuLoader | Browse | |
| | Get hash | malicious | FormBook, GuLoader | Browse | |
| | Get hash | malicious | AgentTesla, GuLoader | Browse | |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12288 |
Entropy (8bit): | 5.97694153396788 |
Encrypted: | false |
SSDEEP: | 192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw |
MD5: | D6F54D2CEFDF58836805796F55BFC846 |
SHA1: | B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D |
SHA-256: | F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9 |
SHA-512: | CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 35 |
Entropy (8bit): | 4.264578373902383 |
Encrypted: | false |
SSDEEP: | 3:apWPWPjNLCNHiy:UPRCNHiy |
MD5: | 58AC0B5E1D49D0EE1AED2FE13FAE6C7A |
SHA1: | 02C8384573D47CA39F2E2ACA32B275861EC59A93 |
SHA-256: | 624F49944CB84ED51FECABCD549AE3B47152F9A20C4A95E93C8B007AEFE9FEAB |
SHA-512: | 8F5F062D6EBB8312DA4AD4F5AF077B1EAA2E14244823F15E6A87A9E48C7172CC1EA5AB691D3B4F9D8F8E0605F9CB3AA06590B4389820DA531633D9915B988FFC |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 482519 |
Entropy (8bit): | 1.2446382063037653 |
Encrypted: | false |
SSDEEP: | 1536:+yiLw81PnsncGiIsTVODPOqNbsVEVWZkZA4:G/Pne9iIyVODPsVpZkZA4 |
MD5: | 1D099F6122F4B7C8A78925726B59E5C3 |
SHA1: | EEA154E31FF04CD1A2CED0193F7633ED219CFA47 |
SHA-256: | 1B6DC1EAD079DB05B998725B154E803E6E1504E7E5B49C5611D55E018CD45E6D |
SHA-512: | F31F0A285C5A6EB2236CCD49A8BF939E46624F270E0270FC4C5640B37684BC1C7780C5350F778DA8E9D0B8CD25320C1909A9CD937F15BB3A7CDDBCEEE94C47FB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 288955 |
Entropy (8bit): | 1.2577770955280814 |
Encrypted: | false |
SSDEEP: | 768:l1SkOmjqFRV/HZzy6+19kZBH4YVHCdJS7G5iOUEEaXXLlgHHl7MRY9hN+418WPK5:KOqvBJzC5vBhp8KT9AGCbQTZkkR |
MD5: | 0B62328C4966F6B879B3C13B7FBD9C0D |
SHA1: | 6DD81F12E739E81E06778067513ED1178A06AFC9 |
SHA-256: | 645C325F62AF720972466322B09A7E396E46D8E640B138D582374B68D763A3A7 |
SHA-512: | 2F738A2950352F124F7B969D38B52BD2E4453FF42BC8DEB7566620E6CDEA30368A6DC16230BA49050F8C0327175CAB71DC4A1709541F08A3FFDCF55FAF5B75B8 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 340974 |
Entropy (8bit): | 1.254605943274635 |
Encrypted: | false |
SSDEEP: | 768:AgVdAd1etxyZmQhZgJwrQTTwKuiTGrJqCoIEsPkZnFFSKsOI4v/3n35lB3LiADa4:5TxLsV5IjQ3xx12 |
MD5: | 49BE0E06F2E4F0CCFFB46426EE262642 |
SHA1: | FF9C56C31A824E4CA087705C23D01D288FE34239 |
SHA-256: | A55DAC07FB586D4B64F0DDF812087A2EEEC6F5286D9BC73AD648ED3220ABDD3A |
SHA-512: | 27E9D035708943DD257186457C15488C9405747FC77F7C76760C96EE011C239F9FA53B5DA17958038FB2BA1C4E27E643E7924A37E6164E250B9F45A109D92E53 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 399458 |
Entropy (8bit): | 7.576181832030088 |
Encrypted: | false |
SSDEEP: | 6144:LDplbZ05V2zN/hm4Qt4vENC20tkliS/+nFsNHo5JCaZ0BMz6GH0:LNlbGV2Z/MR4cNat3cHgJmMz8 |
MD5: | AE18AD1D473CDB183050652CEDA5C015 |
SHA1: | A4E4E1FDB5092B5E8C1836592A933220219E0465 |
SHA-256: | 14A8F61535835B9D36A36BA4588FA5C7B6F8B0712E0F17CC9CB571DEDBB5460B |
SHA-512: | 26EF11EB6E92C4A49A8AF2E7888DDB023DD7795F5FC9D05D7F3CC139AA025845549B1F93E3ABDD0B410BC76D759FC677886C8D20EEADA9DC3EEAF42D2A0BF1DB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 151977 |
Entropy (8bit): | 4.61386909245272 |
Encrypted: | false |
SSDEEP: | 3072:gpw4seASHVIkooxAzT90BlNoIXNDdu4B0:VCA8mLoimBlKIdDduG0 |
MD5: | 6B379F8EF49DAD739879E9C0C133DA91 |
SHA1: | 39D93DA83AAC396E331FFB5E998F574575241B14 |
SHA-256: | B6EE19F43C0A6A088FD0D26E2C1A49ABA76D2A0BA76BAEA7D4D8783714520F58 |
SHA-512: | 596A2A55FFA79AF8B66C115317CBF6E283E7416A01C5F19B805015BC013CAEA831BE1BFD55653E5E225F04C4610C96652E4AB227FC3D187AC3991163C0504E8A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 392462 |
Entropy (8bit): | 1.241128723454179 |
Encrypted: | false |
SSDEEP: | 768:jby0EUrStmwpKcx/orVcYZ+M3ok1I7vZFCDrlv2UV5t3votN6cGia46OGj3OkYSk:FaZaukRTadSdbrJ5N275Ea3nRYS3r |
MD5: | F130EC3095DBECEDC791D8C58A59040C |
SHA1: | DAD2300B487F31F199520E1B41AB02B7D677B352 |
SHA-256: | A56351ED69A301F5D9D89B6530280B7A85F998A806E1648911C37B6983BA9426 |
SHA-512: | 8599200F472F2D59390E8F2C497331640B12AB9FAF71817160C6D450EDF8A99F78CEF28CC3B57581D6AECFC1EC90A49947A6685C606321B6EE300D483C838360 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 433786 |
Entropy (8bit): | 1.255949132332751 |
Encrypted: | false |
SSDEEP: | 768:NFXORpsqJLOaVDzzoIgUPRGRoYNxHVxyczaUz4pP9Nom56I4tY6UBh1Yc88LaAQo:TUAoYxPzqoIzdwWR1+/24cwZXeCPiIBo |
MD5: | 53FF1A157920AE92C9BF891D453D6B65 |
SHA1: | B7BF3B7B16048F38132D8ACCA841130D73DB44C3 |
SHA-256: | FAD1B5E641DC44B5A51048470D4E0FB47664CF2B994CEA24304495D99323B9DE |
SHA-512: | E739381C24627F89255DB55B2DA39A09F055A322C577C3604BA048FB2C817AE7F63B12131F8461491F6140953FB33DD94EB66D8CB3B13B36717143342CE270AF |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 374902 |
Entropy (8bit): | 1.250991222921627 |
Encrypted: | false |
SSDEEP: | 1536:XkYzjcLYszRzU5n1C900tMkYQx+gnpovYHO:XkYz4DzQB5sYYH |
MD5: | 169115C751DDA5E021E8C86E8454B26D |
SHA1: | 5A8254634C0C726BB18E42E626EAEB581D532DCD |
SHA-256: | ACCD4911D88E808AED4A2AA27394628C62574810B0B47977B7103A246FDF2A10 |
SHA-512: | 2B643014E8623CADBA7CE78B91D3C751D60FCBF3FA69FA26F29A14E55679FC6A5C2074834B2496773A1756E3172EC7C898E2DF29CB4A0513DBF8BC0DCDDA7E04 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 489048 |
Entropy (8bit): | 1.245615736901525 |
Encrypted: | false |
SSDEEP: | 1536:HMtjgMjMD1whyMu1IXCVAcFNpruXO+nBJH:stjgmYi03XDL+nBJ |
MD5: | B4FB425BAF217F31E91AAB39ABF66DCD |
SHA1: | 03DE3BD0F923AB14213B6C4461C5CA73A0A6371C |
SHA-256: | 4BC57A47B82B63EC20B393F65F3585EB81FE3F7748229CD19DEC8FE8A41D67C3 |
SHA-512: | E72395FD6098130EFD543C5941781A1AA80FCE17C7701CB40FA8874271E0D43E0F7F082EBF5D458181287DE41CF4B34F88DCAABE84D8AD51003EF5DA1495D871 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Quotation.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 371 |
Entropy (8bit): | 4.247837387326688 |
Encrypted: | false |
SSDEEP: | 6:r8pLNAsEyv1WABlvMW9uu+IXvVJyQXPhXOQemtNxgFUvNwmA6AQOp2jMPA9cnb:ruJAOgABlQuTXbyKhXOLmtLgHmFOYjMV |
MD5: | 46003C65AA12A0EBE55662F0141186DC |
SHA1: | 739652C3375018DAFFB986302A7D3E8D32770B41 |
SHA-256: | 2EA079DEDE1B356842C5F5E0751B5E2B6565FDED65DAFB59A73D170C002ABB27 |
SHA-512: | 59D394789F9EECE97873D56AEA64F353D3E13E007E4ACBD396AC76CB68E91494EB65888049EF05CBE9B20597ADADCC960D067F90AAD3EA5AA46AC3A82F5B82FD |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.81503713013307 |
TrID: | |
File name: | Quotation.exe |
File size: | 1'208'728 bytes |
MD5: | 9ed064f0feb2397bb999563751c20b92 |
SHA1: | 810d6882ab53614c20950da17021650fed89f5d8 |
SHA256: | f849a928785cb16a719369fbe98c9246bc84d634f3547467a3223fa148a6b09b |
SHA512: | ef7d103dad237045980181b85ddc6b0d4ffbbcbdf38eb2a56b09823baae143f52c336f89ec45bd872f7dca255156b9f44208e979e37f0995a18fc7f2de359ffd |
SSDEEP: | 24576:S4nhDoAFq5Avnh/KPGB8mTyBNFX3FZNXLGQ7WczkxFnfbP9:S+hkT6vnh/J8oy5X3PNXKQKczg |
TLSH: | B845222932B6D08BD6824A3C4BF3E735DE7DEE143D26942777712F4E9D30288AE46650 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............o...o...o...k...o...i...o...n...o...n...o.I.k...o.I.....o.I.m...o.Rich..o.................PE..L...!.*c.................n. |
Icon Hash: | 873335651170390f |
Entrypoint: | 0x4036da |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x632AE721 [Wed Sep 21 10:27:45 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 3f91aceea750f765ef2ba5d9988e6a00 |
Signature Valid: | false |
Signature Issuer: | CN=Teaberries, O=Teaberries, L=Le Pas, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 20BF21B5BB8BD4ADC8241FBC132F153B |
Thumbprint SHA-1: | 7B90FE6EFB81F5301AE4609BDA23D016FBE84269 |
Thumbprint SHA-256: | FC9FF8A2D1437A37705EDB7D9B016A35F2B22465B8BECAD31D75739BDE5A03A2 |
Serial: | 7565486B99A8B4326594078BB65FCED341D7D33E |
Instruction |
---|
sub esp, 000003ECh |
push ebx |
push ebp |
push esi |
push edi |
xor ebx, ebx |
mov edi, 00408528h |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov ebp, ebx |
call dword ptr [00408170h] |
mov esi, dword ptr [004080ACh] |
lea eax, dword ptr [esp+2Ch] |
xorps xmm0, xmm0 |
mov dword ptr [esp+40h], ebx |
push eax |
movlpd qword ptr [esp+00000144h], xmm0 |
mov dword ptr [esp+30h], 0000011Ch |
call esi |
test eax, eax |
jne 00007FEF74529189h |
lea eax, dword ptr [esp+2Ch] |
mov dword ptr [esp+2Ch], 00000114h |
push eax |
call esi |
push 00000053h |
pop eax |
mov dl, 04h |
mov byte ptr [esp+00000146h], dl |
cmp word ptr [esp+40h], ax |
jne 00007FEF74529163h |
mov eax, dword ptr [esp+5Ah] |
add eax, FFFFFFD0h |
mov word ptr [esp+00000140h], ax |
jmp 00007FEF7452915Dh |
xor eax, eax |
jmp 00007FEF74529144h |
mov dl, byte ptr [esp+00000146h] |
cmp dword ptr [esp+30h], 0Ah |
jnc 00007FEF7452915Dh |
movzx eax, word ptr [esp+38h] |
mov dword ptr [esp+38h], eax |
jmp 00007FEF74529156h |
mov eax, dword ptr [esp+38h] |
mov dword ptr [007A8638h], eax |
movzx eax, byte ptr [esp+30h] |
shl ax, 0008h |
movzx ecx, ax |
movzx eax, byte ptr [esp+34h] |
or ecx, eax |
movzx eax, byte ptr [esp+00000140h] |
shl ax, 0008h |
shl ecx, 10h |
movzx eax, word ptr [eax] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8a00 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3db000 | 0x3e910 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x125fa0 | 0x11f8 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6c0b | 0x6e00 | 9178309eee1a86dc5ef945d6826a6897 | False | 0.6605823863636363 | data | 6.398414552532143 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1896 | 0x1a00 | 0885e83a553c38819d1fab2908ca0cf5 | False | 0.4307391826923077 | data | 4.86610208699674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x39e640 | 0x200 | 5c0f03a1a77f205400c2cbabec9976c4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x3a9000 | 0x32000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3db000 | 0x3e910 | 0x3ea00 | 2690c3c0c1de505f961321c7e2d6da34 | False | 0.6915076097804391 | data | 6.574790239627466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x3db388 | 0x16482 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.000394451383867 |
RT_ICON | 0x3f1810 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.486498876138649 |
RT_ICON | 0x402038 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.5308492747529956 |
RT_ICON | 0x40b4e0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.5497227356746766 |
RT_ICON | 0x410968 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.5415682569674067 |
RT_ICON | 0x414b90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5884854771784233 |
RT_ICON | 0x417138 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6179643527204502 |
RT_ICON | 0x4181e0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6668032786885246 |
RT_ICON | 0x418b68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7287234042553191 |
RT_DIALOG | 0x418fd0 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x4190d0 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x4191f0 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0x4192b8 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x419318 | 0x84 | Targa image data - Map 32 x 25730 x 1 +1 | English | United States | 0.7348484848484849 |
RT_VERSION | 0x4193a0 | 0x220 | data | English | United States | 0.5110294117647058 |
RT_MANIFEST | 0x4195c0 | 0x349 | XML 1.0 document, ASCII text, with very long lines (841), with no line terminators | English | United States | 0.5529131985731273 |
DLL | Import |
---|---|
ADVAPI32.dll | RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW |
SHELL32.dll | ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation |
ole32.dll | OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance |
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create |
USER32.dll | DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW |
GDI32.dll | SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW |
KERNEL32.dll | WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-04T10:00:13.349949+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.5 | 49704 | TCP |
2024-11-04T10:00:28.263870+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49767 | 142.250.186.174 | 443 | TCP |
2024-11-04T10:00:52.036491+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.5 | 49888 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 4, 2024 10:00:26.783416033 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:26.783427000 CET | 443 | 49767 | 142.250.186.174 | 192.168.2.5 |
Nov 4, 2024 10:00:26.783535004 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:26.791717052 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:26.791731119 CET | 443 | 49767 | 142.250.186.174 | 192.168.2.5 |
Nov 4, 2024 10:00:27.644102097 CET | 443 | 49767 | 142.250.186.174 | 192.168.2.5 |
Nov 4, 2024 10:00:27.644169092 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:27.644826889 CET | 443 | 49767 | 142.250.186.174 | 192.168.2.5 |
Nov 4, 2024 10:00:27.644885063 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:27.901628017 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:27.901639938 CET | 443 | 49767 | 142.250.186.174 | 192.168.2.5 |
Nov 4, 2024 10:00:27.902004957 CET | 443 | 49767 | 142.250.186.174 | 192.168.2.5 |
Nov 4, 2024 10:00:27.902070045 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:27.905908108 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:27.951338053 CET | 443 | 49767 | 142.250.186.174 | 192.168.2.5 |
Nov 4, 2024 10:00:28.263916969 CET | 443 | 49767 | 142.250.186.174 | 192.168.2.5 |
Nov 4, 2024 10:00:28.264049053 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:28.264483929 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:28.264522076 CET | 443 | 49767 | 142.250.186.174 | 192.168.2.5 |
Nov 4, 2024 10:00:28.264662027 CET | 49767 | 443 | 192.168.2.5 | 142.250.186.174 |
Nov 4, 2024 10:00:28.290769100 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:28.290791988 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:28.290879965 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:28.291122913 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:28.291131020 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:29.147655964 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:29.147799015 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:29.152369976 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:29.152375937 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:29.152600050 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:29.152687073 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:29.166377068 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:29.211338043 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.316909075 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.316999912 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.325100899 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.325182915 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.434129000 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.434202909 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.434772015 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.434833050 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.434838057 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.434884071 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.435051918 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.435117006 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.436789036 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.436851978 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.436974049 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.437041044 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.442759037 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.442809105 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.442954063 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.443005085 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.451783895 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.451843023 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.451848030 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.451889038 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.563169956 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.563235998 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.563242912 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.563298941 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.563530922 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.563580990 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.563585043 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.563633919 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.563637018 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.563684940 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.563688993 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.563740015 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.564214945 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.564294100 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.564296961 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.564368963 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.570346117 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.570413113 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.570476055 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.570543051 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.670527935 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.670578003 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.670677900 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.670684099 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.670752048 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.670752048 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.670958042 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.671148062 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.673619986 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.673701048 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.673759937 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.673823118 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.673964024 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.674015045 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.680826902 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.680902958 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.680978060 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.681027889 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.687269926 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.687319040 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.687414885 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.687464952 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.787656069 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.787779093 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.788089037 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.788232088 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.788278103 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.788331985 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.788381100 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.788427114 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.792046070 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.792090893 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.792094946 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.792139053 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.792359114 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.792407036 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.792409897 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.792493105 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.792495966 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.792541981 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.798667908 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.798808098 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.798811913 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.798923969 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.805337906 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.805447102 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.805452108 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.805541039 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.805603027 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.805643082 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.906099081 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.906184912 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.906189919 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.906246901 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.909449100 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.909506083 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.909612894 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.909663916 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.909759045 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.909800053 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.909959078 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.910005093 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.916476011 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.916533947 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.916614056 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.916654110 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.923021078 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.923063993 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.923157930 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.923198938 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.923398018 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.923434019 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:31.923438072 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:31.923476934 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.023896933 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.023968935 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.024039984 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.024092913 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.024099112 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.024152994 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.027395964 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.027445078 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.027669907 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.027714968 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.027718067 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.027759075 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.027766943 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.027808905 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.027812004 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.027849913 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.034226894 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.034287930 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.034365892 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.034414053 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.040898085 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.040947914 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.041027069 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.041071892 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.041337967 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.041378975 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.041409969 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.041449070 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.041632891 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.041676044 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.142045021 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.142154932 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.142184019 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.142234087 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.145200014 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.145246983 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.145334005 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.145380020 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.145544052 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.145586967 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.145745993 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.145787001 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.152112007 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.152204037 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.152254105 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.152293921 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.158723116 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.158885002 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.158889055 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.158934116 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.159017086 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.159064054 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.159084082 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.159130096 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.159387112 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.159429073 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.259723902 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.259785891 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.259792089 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.259829998 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.259838104 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.259872913 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.265758991 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.265819073 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.265822887 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.265862942 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.265866041 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.265908957 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.265923023 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.265966892 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.270529985 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.270581961 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.270694971 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.270750999 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.276480913 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.276539087 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.276626110 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.276667118 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.276678085 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.276726007 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.276913881 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.276962042 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.321527004 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.321630001 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.321635962 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.321683884 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.377582073 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.377652884 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.377659082 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.377698898 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.380940914 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.381004095 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.381088972 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.381134987 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.387598038 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.387687922 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.387717009 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.387758017 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.388370037 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.388415098 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.394298077 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.394359112 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.394439936 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.394484997 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.394613028 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.394659042 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.394809961 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.394860029 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.394890070 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.394931078 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.394934893 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.394978046 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.395072937 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.395108938 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.438617945 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.438673019 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.438677073 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.438715935 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.495919943 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.495973110 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.496010065 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.496052980 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.498656034 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.498708963 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.498768091 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.498809099 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.505330086 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.505387068 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.505390882 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.505434990 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.512288094 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.512368917 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.512427092 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.512471914 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.512588024 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.512628078 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.512634993 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.512676954 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.512856960 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.512900114 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.513020992 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.513060093 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.561594009 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.561686039 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.561711073 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.561750889 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.561758995 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.561800003 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.562007904 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.562058926 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.613471985 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.613526106 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.613533020 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.613567114 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.613579035 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.613617897 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.616662025 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.616816044 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.616821051 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.616867065 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.623378038 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.623450994 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.623455048 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.623495102 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.630013943 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.630079985 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.630136013 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.630177021 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.630181074 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.630222082 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.630439043 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.630487919 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.630569935 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.630618095 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.630745888 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.630795002 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.679501057 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.679553032 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.679591894 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.679627895 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.679632902 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.679672956 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.679920912 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.679965973 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.732541084 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.732631922 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.732639074 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.732678890 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.735444069 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.735492945 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.735553026 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.735598087 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.741595984 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.741642952 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.741739035 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.741785049 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.749022961 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.749147892 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.749182940 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.749222994 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.749227047 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.749260902 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.749423981 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.749466896 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.749605894 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.749651909 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.749810934 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.749852896 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.749856949 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.749898911 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.797509909 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.797763109 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.797768116 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.797832012 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.797866106 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.797907114 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.797920942 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.797965050 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.850083113 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.850147963 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.850178957 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.850222111 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.853262901 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.853435993 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.853441000 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.853532076 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.859366894 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.859451056 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.859484911 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.859555960 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.859560013 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.859586000 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.859592915 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.859600067 CET | 443 | 49773 | 142.250.185.97 | 192.168.2.5 |
Nov 4, 2024 10:00:32.859606981 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:32.859668016 CET | 49773 | 443 | 192.168.2.5 | 142.250.185.97 |
Nov 4, 2024 10:00:33.328067064 CET | 49802 | 443 | 192.168.2.5 | 104.26.13.205 |
Nov 4, 2024 10:00:33.328094006 CET | 443 | 49802 | 104.26.13.205 | 192.168.2.5 |
Nov 4, 2024 10:00:33.328170061 CET | 49802 | 443 | 192.168.2.5 | 104.26.13.205 |
Nov 4, 2024 10:00:33.331073046 CET | 49802 | 443 | 192.168.2.5 | 104.26.13.205 |
Nov 4, 2024 10:00:33.331085920 CET | 443 | 49802 | 104.26.13.205 | 192.168.2.5 |
Nov 4, 2024 10:00:33.943159103 CET | 443 | 49802 | 104.26.13.205 | 192.168.2.5 |
Nov 4, 2024 10:00:33.943250895 CET | 49802 | 443 | 192.168.2.5 | 104.26.13.205 |
Nov 4, 2024 10:00:33.944834948 CET | 49802 | 443 | 192.168.2.5 | 104.26.13.205 |
Nov 4, 2024 10:00:33.944848061 CET | 443 | 49802 | 104.26.13.205 | 192.168.2.5 |
Nov 4, 2024 10:00:33.945152998 CET | 443 | 49802 | 104.26.13.205 | 192.168.2.5 |
Nov 4, 2024 10:00:33.950685024 CET | 49802 | 443 | 192.168.2.5 | 104.26.13.205 |
Nov 4, 2024 10:00:33.995336056 CET | 443 | 49802 | 104.26.13.205 | 192.168.2.5 |
Nov 4, 2024 10:00:34.125526905 CET | 443 | 49802 | 104.26.13.205 | 192.168.2.5 |
Nov 4, 2024 10:00:34.125637054 CET | 443 | 49802 | 104.26.13.205 | 192.168.2.5 |
Nov 4, 2024 10:00:34.125695944 CET | 49802 | 443 | 192.168.2.5 | 104.26.13.205 |
Nov 4, 2024 10:00:34.131138086 CET | 49802 | 443 | 192.168.2.5 | 104.26.13.205 |
Nov 4, 2024 10:00:35.791871071 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:35.798650980 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:35.798760891 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:36.501033068 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:36.501220942 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:36.506201982 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.581612110 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.581650972 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.581680059 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.581744909 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:37.581854105 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:37.581854105 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:37.582514048 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.582608938 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:37.587863922 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.739248991 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.739610910 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:37.744510889 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.908931017 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.908957005 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.909049034 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:37.909889936 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.909970999 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.910020113 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:37.910162926 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:37.925327063 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:37.930217981 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.078052044 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.080600023 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:38.085453987 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.235836983 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.236675978 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:38.241573095 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.390033960 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.390918016 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:38.395812988 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.558218002 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.558578014 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:38.563425064 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.846560001 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:38.846755981 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:38.851536036 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:39.029341936 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:39.029984951 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:39.034840107 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:39.182426929 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:39.183120966 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:39.183182001 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:39.183212042 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:39.183242083 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Nov 4, 2024 10:00:39.188002110 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:39.188043118 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:39.188133955 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:39.188138008 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:39.354703903 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 |
Nov 4, 2024 10:00:39.410228968 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 4, 2024 10:00:26.771666050 CET | 59813 | 53 | 192.168.2.5 | 1.1.1.1 |
Nov 4, 2024 10:00:26.778480053 CET | 53 | 59813 | 1.1.1.1 | 192.168.2.5 |
Nov 4, 2024 10:00:28.282558918 CET | 58355 | 53 | 192.168.2.5 | 1.1.1.1 |
Nov 4, 2024 10:00:28.290019989 CET | 53 | 58355 | 1.1.1.1 | 192.168.2.5 |
Nov 4, 2024 10:00:33.318192959 CET | 56720 | 53 | 192.168.2.5 | 1.1.1.1 |
Nov 4, 2024 10:00:33.325041056 CET | 53 | 56720 | 1.1.1.1 | 192.168.2.5 |
Nov 4, 2024 10:00:35.161303043 CET | 52769 | 53 | 192.168.2.5 | 1.1.1.1 |
Nov 4, 2024 10:00:35.790688038 CET | 53 | 52769 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 4, 2024 10:00:26.771666050 CET | 192.168.2.5 | 1.1.1.1 | 0xee1a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Nov 4, 2024 10:00:28.282558918 CET | 192.168.2.5 | 1.1.1.1 | 0x12f3 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Nov 4, 2024 10:00:33.318192959 CET | 192.168.2.5 | 1.1.1.1 | 0xd6a3 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Nov 4, 2024 10:00:35.161303043 CET | 192.168.2.5 | 1.1.1.1 | 0x1ce7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 4, 2024 10:00:26.778480053 CET | 1.1.1.1 | 192.168.2.5 | 0xee1a | No error (0) | | | 142.250.186.174 | A (IP address) | IN (0x0001) | false |
Nov 4, 2024 10:00:28.290019989 CET | 1.1.1.1 | 192.168.2.5 | 0x12f3 | No error (0) | | | 142.250.185.97 | A (IP address) | IN (0x0001) | false |
Nov 4, 2024 10:00:33.325041056 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a3 | No error (0) | | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
Nov 4, 2024 10:00:33.325041056 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a3 | No error (0) | | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
Nov 4, 2024 10:00:33.325041056 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a3 | No error (0) | | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
Nov 4, 2024 10:00:35.790688038 CET | 1.1.1.1 | 192.168.2.5 | 0x1ce7 | No error (0) | | showpiece.trillennium.biz | | CNAME (Canonical name) | IN (0x0001) | false |
Nov 4, 2024 10:00:35.790688038 CET | 1.1.1.1 | 192.168.2.5 | 0x1ce7 | No error (0) | | | 67.23.226.139 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49767 | 142.250.186.174 | 443 | 2284 | C:\Users\user\Desktop\Quotation.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-04 09:00:27 UTC | 216 | OUT | |
2024-11-04 09:00:28 UTC | 1610 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49773 | 142.250.185.97 | 443 | 2284 | C:\Users\user\Desktop\Quotation.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-04 09:00:29 UTC | 258 | OUT | |
2024-11-04 09:00:31 UTC | 4925 | IN | |
2024-11-04 09:00:31 UTC | 4925 | IN | |
2024-11-04 09:00:31 UTC | 4851 | IN | |
2024-11-04 09:00:31 UTC | 1322 | IN | |
2024-11-04 09:00:31 UTC | 1378 | IN | |
2024-11-04 09:00:31 UTC | 1378 | IN | |
2024-11-04 09:00:31 UTC | 1378 | IN | |
2024-11-04 09:00:31 UTC | 1378 | IN | |
2024-11-04 09:00:31 UTC | 1378 | IN | |
2024-11-04 09:00:31 UTC | 1378 | IN | |
2024-11-04 09:00:31 UTC | 1378 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49802 | 104.26.13.205 | 443 | 2284 | C:\Users\user\Desktop\Quotation.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-04 09:00:33 UTC | 155 | OUT | |
2024-11-04 09:00:34 UTC | 399 | IN | |
2024-11-04 09:00:34 UTC | 14 | IN |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Nov 4, 2024 10:00:36.501033068 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 | 220-super.nseasy.com ESMTP Exim 4.96.2 #2 Mon, 04 Nov 2024 04:00:36 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Nov 4, 2024 10:00:36.501220942 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 | EHLO 745773 |
Nov 4, 2024 10:00:37.581612110 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 | 250-super.nseasy.com Hello 745773 [173.254.250.69] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP |
Nov 4, 2024 10:00:37.581650972 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 | 250-super.nseasy.com Hello 745773 [173.254.250.69] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP |
Nov 4, 2024 10:00:37.581680059 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 | 250-super.nseasy.com Hello 745773 [173.254.250.69] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP |
Nov 4, 2024 10:00:37.581854105 CET | 49815 | 587 | 192.168.2.5 | 67.23.226.139 | STARTTLS |
Nov 4, 2024 10:00:37.582514048 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 | 250-super.nseasy.com Hello 745773 [173.254.250.69] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP |
Nov 4, 2024 10:00:37.739248991 CET | 587 | 49815 | 67.23.226.139 | 192.168.2.5 | 220 TLS go ahead |
Target ID: | 0 |
Start time: | 03:59:52 |
Start date: | 04/11/2024 |
Path: | C:\Users\user\Desktop\Quotation.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'208'728 bytes |
MD5 hash: | 9ED064F0FEB2397BB999563751C20B92 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 04:00:15 |
Start date: | 04/11/2024 |
Path: | C:\Users\user\Desktop\Quotation.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'208'728 bytes |
MD5 hash: | 9ED064F0FEB2397BB999563751C20B92 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 30.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 16.4% |
Total number of Nodes: | 827 |
Total number of Limit Nodes: | 18 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004036DA | 84.4 | 32 | 16 | 416 | string, file, com, COMMON |
733F2351 | 18.7 | 12 | | 705 | string, library, memory, COMMON |
004066F7 | 14.2 | 7 | 1 | 155 | file, string, COMMON |
004065AD | 3.0 | 2 | | 14 | file, COMMON |
00404F70 | 63.4 | 35 | 1 | 374 | window, string, COMMON |
00405A1C | 45.7 | 13 | 13 | 225 | string, registry, COMMON |
0040154A | 35.4 | 17 | 3 | 441 | string, time, sleep, COMMON |
004033CB | 21.2 | 5 | 7 | 178 | memory, COMMON |
00405E98 | 19.5 | 7 | 4 | 209 | string, COMMON |
00405D18 | 14.1 | 7 | 1 | 76 | string, window, COMMON |
0040617C | 10.5 | 3 | 3 | 36 | library, COMMON |
004068C4 | 7.0 | 2 | 2 | 18 | library, loader, COMMON |
00405E1C | 6.0 | 4 | | 37 | COMMON |
00406955 | 5.3 | 2 | 1 | 47 | registry, COMMON |
733F167A | 4.6 | 3 | | 123 | COMMON |
00401399 | 3.0 | 2 | | 49 | window, COMMON |
00406616 | 3.0 | 2 | | 47 | string, COMMON |
004066B4 | 3.0 | 2 | | 24 | process, COMMON |
004068F9 | 3.0 | 2 | | 14 | file, COMMON |
733F2D14 | 1.6 | 1 | | 143 | file, COMMON |
004069E9 | 1.5 | 1 | | 24 | file, COMMON |
00406926 | 1.5 | 1 | | 24 | file, COMMON |
733F1A4A | 1.5 | 1 | | 21 | memory, COMMON |
004054C6 | 1.5 | 1 | | 9 | window, COMMON |
004054E1 | 1.5 | 1 | | 6 | window, COMMON |
00403131 | 1.5 | 1 | | 6 | COMMON |
004062E4 | 21.1 | 10 | 2 | 124 | memory, string, COMMON |
00405739 | 12.1 | 8 | | 70 | COMMON |
0040362D | 10.5 | 5 | 1 | 38 | time, COMMON |
733F2209 | 9.1 | 6 | | 101 | COMMON |
733F10C7 | 8.9 | 7 | | 162 | memory, COMMON |
733F2049 | 7.6 | 5 | | 129 | memory, COMMON |
733F1F7B | 7.5 | 5 | | 38 | memory, library, loader, COMMON |
733F1F1E | 7.0 | 2 | 2 | 28 | string, COMMON |
00406534 | 7.0 | 3 | 1 | 16 | string, COMMON |
733F1CC7 | 6.2 | 4 | | 209 | COMMON |
00403367 | 6.0 | 4 | | 28 | COMMON |
Execution Graph
Execution Coverage: | 10% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 97 |
Total number of Limit Nodes: | 9 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
36D53108 | 10.5 | | 8 | 545 | COMMON |
36D52338 | 4.8 | | 3 | 1038 | COMMON |
36D57E20 | 4.2 | | 3 | 470 | COMMON |
0015A950 | 2.9 | | | 2857 | COMMON |
36D56698 | 2.1 | | 1 | 831 | COMMON |
36D55648 | 1.8 | | 1 | 595 | COMMON |
36D5C220 | .6 | | | 644 | COMMON |
36D5B2BA | .6 | | | 566 | COMMON |
0015A500 | .4 | | | 360 | COMMON |
0015DCA8 | .3 | | | 347 | COMMON |
00154A98 | .3 | | | 266 | COMMON |
00153E80 | .2 | | | 238 | COMMON |
36D5B6E8 | 10.5 | | 8 | 470 | COMMON |
36D5AF2D | 10.2 | | 8 | 211 | COMMON |
00158729 | 6.8 | | 5 | 557 | COMMON |
37235E79 | 6.1 | 4 | | 136 | thread, COMMON |
37235E88 | 6.1 | 4 | | 128 | thread, COMMON |
36D591E8 | 5.2 | | 4 | 231 | COMMON |
36D5CFE0 | 4.6 | | 3 | 800 | COMMON |
0015A1D1 | 4.0 | | 3 | 294 | COMMON |
36D5AFB0 | 4.0 | | 3 | 215 | COMMON |
36D54C10 | 3.9 | | 3 | 186 | COMMON |
0015F930 | 3.9 | | 3 | 148 | COMMON |
0015ECC8 | 2.9 | | 2 | 397 | COMMON |
36D591D8 | 2.7 | | 2 | 172 | COMMON |
36D52071 | 2.6 | | 2 | 98 | COMMON |
36D52080 | 2.6 | | 2 | 91 | COMMON |
0015A072 | 2.6 | | 2 | 82 | COMMON |
0015A080 | 2.6 | | 2 | 78 | COMMON |
00159F70 | 2.6 | | 2 | 75 | COMMON |
00159F80 | 2.6 | | 2 | 70 | COMMON |
0015FEE8 | 2.5 | | 2 | 48 | COMMON |
0015FEF8 | 2.5 | | 2 | 42 | COMMON |
37232372 | 1.6 | 1 | | 114 | COMMON |
37232378 | 1.6 | 1 | | 113 | COMMON |
37235CBC | 1.6 | 1 | | 97 | COMMON |
372360C8 | 1.6 | 1 | | 64 | COMMON |
372360D0 | 1.6 | 1 | | 62 | COMMON |
372397E9 | 1.6 | 1 | | 60 | COMMON |
372397F0 | 1.6 | 1 | | 57 | COMMON |
37235E6C | 1.5 | 1 | | 46 | com, COMMON |
37235D14 | 1.5 | 1 | | 46 | COMMON |
37237298 | 1.5 | 1 | | 45 | COMMON |
37237B66 | 1.5 | 1 | | 44 | com, COMMON |
00156ED8 | 1.4 | | 1 | 176 | COMMON |
00157C38 | 1.4 | | 1 | 153 | COMMON |
00157D28 | 1.4 | | 1 | 144 | COMMON |
36D54C01 | 1.4 | | 1 | 131 | COMMON |
36D5DB55 | 1.4 | | 1 | 124 | COMMON |
36D521AD | 1.4 | | 1 | 109 | COMMON |
36D521C0 | 1.4 | | 1 | 105 | COMMON |
00157D98 | 1.3 | | 1 | 95 | COMMON |
001526DC | 1.3 | | 1 | 91 | COMMON |
0015F638 | 1.3 | | 1 | 90 | COMMON |
0015F640 | 1.3 | | 1 | 85 | COMMON |
0015FD6F | 1.3 | | 1 | 79 | COMMON |
00156BA0 | 1.3 | | 1 | 72 | COMMON |
00151878 | 1.3 | | 1 | 70 | COMMON |
0015E1C0 | 1.3 | | 1 | 64 | COMMON |
00150838 | 1.3 | | 1 | 63 | COMMON |
00150848 | 1.3 | | 1 | 62 | COMMON |
0015E1D0 | 1.3 | | 1 | 59 | COMMON |
0015F879 | 1.3 | | 1 | 24 | COMMON |
0015EBAC | 1.3 | | 1 | 20 | COMMON |
00154A8C | .3 | | | 259 | COMMON |
00153E74 | .2 | | | 236 | COMMON |
36D56298 | .2 | | | 229 | COMMON |
36D54348 | .2 | | | 224 | COMMON |
36D54664 | .2 | | | 221 | COMMON |
36D54678 | .2 | | | 210 | COMMON |
36D5FD29 | .2 | | | 174 | COMMON |
36D5FAD8 | .2 | | | 170 | COMMON |
36D5FAE8 | .2 | | | 163 | COMMON |
36D55637 | .1 | | | 144 | COMMON |
00156CDE | .1 | | | 137 | COMMON |
36D554B8 | .1 | | | 135 | COMMON |
00156CE8 | .1 | | | 132 | COMMON |
00151128 | .1 | | | 122 | COMMON |
00151138 | .1 | | | 112 | COMMON |
0015FB49 | .1 | | | 107 | COMMON |
36D5DA08 | .1 | | | 100 | COMMON |
0015E720 | .1 | | | 98 | COMMON |
00155098 | .1 | | | 91 | COMMON |
001526E8 | .1 | | | 90 | COMMON |
001550A8 | .1 | | | 89 | COMMON |
36D53B48 | .1 | | | 83 | COMMON |
36D53B58 | .1 | | | 78 | COMMON |
0015FD80 | .1 | | | 78 | COMMON |
001516A0 | .1 | | | 74 | COMMON |
00151382 | .1 | | | 73 | COMMON |
000AD044 | .1 | | | 72 | COMMON |
00154F88 | .1 | | | 71 | COMMON |
00151888 | .1 | | | 70 | COMMON |
001516B0 | .1 | | | 69 | COMMON |
36D56DB8 | .1 | | | 68 | COMMON |
00154F98 | .1 | | | 68 | COMMON |
36D53921 | .1 | | | 67 | COMMON |
36D53C68 | .1 | | | 59 | COMMON |
001517C0 | .1 | | | 58 | COMMON |
36D542A9 | .1 | | | 57 | COMMON |
36D5EE31 | .1 | | | 56 | COMMON |
36D53C57 | .1 | | | 54 | COMMON |
000AD03F | .1 | | | 53 | COMMON |
00151498 | .1 | | | 53 | COMMON |
36D5A399 | .1 | | | 52 | COMMON |
36D53928 | .1 | | | 52 | COMMON |
36D542B8 | .1 | | | 51 | COMMON |
36D5EE40 | .0 | | | 49 | COMMON |
36D5A3A8 | .0 | | | 46 | COMMON |
36D5C878 | .0 | | | 43 | COMMON |
0015F8B0 | .0 | | | 38 | COMMON |
0015F2F0 | .0 | | | 35 | COMMON |
00157EB0 | .0 | | | 34 | COMMON |
36D56519 | .0 | | | 26 | COMMON |
0015E6E8 | .0 | | | 20 | COMMON |
0015E6F8 | .0 | | | 16 | COMMON |
36D57740 | 15.5 | | 12 | 468 | COMMON |
0040617C | 10.5 | 3 | 3 | 36 | library, COMMON |
36D5A9C8 | 10.2 | | 8 | 229 | COMMON |
36D57140 | 9.2 | | 7 | 405 | COMMON |
004068C4 | 7.0 | 2 | 2 | 18 | library, loader, COMMON |
36D58470 | 5.3 | | 4 | 282 | COMMON |
36D58AC0 | 5.3 | | 4 | 262 | COMMON |
36D58888 | 5.2 | | 4 | 168 | COMMON |
36D5BCF8 | 5.1 | | 4 | 116 | COMMON |