Windows
Analysis Report
PO_203-25.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- PO_203-25.exe (PID: 7780 cmdline: "C:\Users\user\Desktop\PO_203-25.exe" MD5: BCF1B4C359D89892CBDEDDCAC52FD4D7)
- PO_203-25.exe (PID: 7892 cmdline: "C:\Users\user\Desktop\PO_203-25.exe" MD5: BCF1B4C359D89892CBDEDDCAC52FD4D7)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"Host:Port:Password": ["192.3.176.134:7062:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-9BZQTI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Stealing of Sensitive Information |
---|
Source: | Author: Joe Security: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-25T13:41:17.748952+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.3 | 49716 | 192.3.176.134 | 7062 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-25T13:41:20.399125+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.3 | 49717 | 178.237.33.50 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-25T13:40:57.582700+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.3 | 49714 | 172.67.200.96 | 443 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00406010 | |
Source: | Code function: | 0_2_004055AE |
Networking |
---|
Source: | Suricata IDS: |
Source: | IPs: |
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | Windows user hook set: | Jump to behavior |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary |
---|
Source: | Static PE information: |
Source: | Process Stats: |
Source: | Code function: | 0_2_004030EC |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004030EC |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static file information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: | 0_2_10001A5D |
Source: | Code function: | 0_2_10002D4E |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: |
Source: | RDTSC instruction interceptor: | ||
Source: | RDTSC instruction interceptor: |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Code function: | 0_2_00406010 | |
Source: | Code function: | 0_2_004055AE |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-2208 | ||
Source: | API call chain: | graph_0-2420 |
Source: | Code function: | 0_2_10001A5D |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_004030EC |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | Mutex created: | Jump to behavior |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 11 Input Capture | 21 Security Software Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 12 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
53% | ReversingLabs | Win32.Backdoor.Remcos | ||
100% | Avira | HEUR/AGEN.1331786 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s24.filetransfer.io | 172.67.200.96 | true | false | high | |
geoplugin.net | 178.237.33.50 | true | false | high | |
filetransfer.io | 172.67.200.96 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.67.200.96 | s24.filetransfer.io | United States | 13335 | CLOUDFLARENETUS | false | |
192.3.176.134 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true | |
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1562304 |
Start date and time: | 2024-11-25 13:39:15 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 43s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | PO_203-25.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/11@3/3 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
- Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target PO_203-25.exe, PID 7892 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: PO_203-25.exe
Time | Type | Description |
---|---|---|
07:41:47 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
172.67.200.96 | | Get hash | malicious | Unknown | Browse | |
172.67.200.96 | | Get hash | malicious | Unknown | Browse | |
172.67.200.96 | | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |
172.67.200.96 | | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |
172.67.200.96 | | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |
172.67.200.96 | | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |
172.67.200.96 | | Get hash | malicious | AgentTesla | Browse | |
172.67.200.96 | | Get hash | malicious | AgentTesla | Browse | |
172.67.200.96 | | Get hash | malicious | AgentTesla | Browse | |
172.67.200.96 | | Get hash | malicious | AgentTesla | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos, GuLoader | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos, GuLoader | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos, GuLoader | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
filetransfer.io | | Get hash | malicious | Remcos, GuLoader | Browse | |
filetransfer.io | | Get hash | malicious | Unknown | Browse | |
filetransfer.io | | Get hash | malicious | Unknown | Browse | |
filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
filetransfer.io | | Get hash | malicious | Remcos, GuLoader | Browse | |
s24.filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
s24.filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
s24.filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
s24.filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
s24.filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
s24.filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
s24.filetransfer.io | | Get hash | malicious | Snake Keylogger | Browse | |
s24.filetransfer.io | | Get hash | malicious | FormBook | Browse | |
s24.filetransfer.io | | Get hash | malicious | Unknown | Browse | |
s24.filetransfer.io | | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos, GuLoader | Browse | |
geoplugin.net | | Get hash | malicious | Remcos, GuLoader | Browse | |
geoplugin.net | | Get hash | malicious | Remcos, GuLoader | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | Phisher | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | HTMLPhisher | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | LummaC Stealer | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | FormBook, GuLoader | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | HTMLPhisher | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Unknown | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Mirai, Okiru | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Mirai | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Mirai, Moobot | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Unknown | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Unknown | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | HTMLPhisher, Lokibot | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | |
AS-COLOCROSSINGUS | | Get hash | malicious | Cobalt Strike, FormBook, HTMLPhisher | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos, GuLoader | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos, GuLoader | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos, GuLoader | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | DarkCloud | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | Remcos, GuLoader | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | Stealc, Vidar | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | Stealc, Vidar | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | Remcos, GuLoader | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | MassLogger RAT | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | Remcos, GuLoader | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | Remcos, GuLoader | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | Remcos, GuLoader | Browse | |
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | Snake Keylogger | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | Remcos, GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | Remcos, GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | Unknown | Browse | |
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | Unknown | Browse | |
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | FormBook, GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk6706.tmp\System.dll | | Get hash | malicious | GuLoader | Browse | |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 144 |
Entropy (8bit): | 3.365630494294252 |
Encrypted: | false |
SSDEEP: | 3:rhlKlf4y86i5JWRal2Jl+7R0DAlBG45klovDl6v:6lfd8x5YcIeeDAlOWAv |
MD5: | 7E009772293F5B2FE2D7487020C8EF82 |
SHA1: | 409B14393B4959176DC46B98C263301E519B8166 |
SHA-256: | 1C740EBF498D6831D3C1DA23B5383E960DB50BFC14DA52E410902B059D0FB850 |
SHA-512: | A8C65C07346F6081B2D17E0BD0EB7B53946E0C6DFDA8E5841380E7E3B78596739A35FBCF8BDEE819F1B8F3021854317F919A049B6FE4C0232AD65024080B64C3 |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 962 |
Entropy (8bit): | 5.015105568788186 |
Encrypted: | false |
SSDEEP: | 12:tkluQ+nd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qluQydRNuKyGX85jvXhNlT3/7AcV9Wro |
MD5: | 8937B63DC0B37E949F38E7874886D999 |
SHA1: | 62FD17BF5A029DDD3A5CFB4F5FC9FE83A346FFFC |
SHA-256: | AB2F31E4512913B1E7F7ACAB4B72D6E741C960D0A482F09EA6F9D96FED842A66 |
SHA-512: | 077176C51DC10F155EE08326270C1FE3E6CF36C7ABA75611BDB3CCDA2526D6F0360DBC2FBF4A9963051F0F01658017389FD898980ACF7BB3B29B287F188EE7B9 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11264 |
Entropy (8bit): | 5.771243767149499 |
Encrypted: | false |
SSDEEP: | 192:MPtkumJX7zB22kGwfy0mtVgkCPOs91un:9702k5qpds9Qn |
MD5: | 375E8A08471DC6F85F3828488B1147B3 |
SHA1: | 1941484AC710FC301A7D31D6F1345E32A21546AF |
SHA-256: | 4C86B238E64ECFAABE322A70FD78DB229A663CCC209920F3385596A6E3205F78 |
SHA-512: | 5BA29DB13723DDF27B265A4548606274B850D076AE1F050C64044F8CCD020585AD766C85C3E20003A22F356875F76FB3679C89547B0962580D8E5A42B082B9A8 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 312412 |
Entropy (8bit): | 1.2500659479081568 |
Encrypted: | false |
SSDEEP: | 768:QX7lOX/3JCSDtHImPOGjCMN1Qwy+yw5qphE5wMQppPxLh9/cP+Elx/dybUFv6pEq:Jj6gV4hrCAp2YbhsMgeZHkiBE3+5 |
MD5: | E2BFE58E79651BB45DA1E99AF3E9FA25 |
SHA1: | 36CF563D284AE65C5EC37A1770B4E51947C8207A |
SHA-256: | 3A33A0F9AAD93E4055D40CEA6312D3B3D1EB129F1A3C8C321467DA89F014FDC8 |
SHA-512: | 2408F3405F2886A757124C00F352B2292041F1295A00A0DEA7C905C17BC84B172F7DCA463C3A6A401DB3BC77843C22BAE0C823B9D0B884C4D1DAB21D8C891676 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 143372 |
Entropy (8bit): | 4.603558127145193 |
Encrypted: | false |
SSDEEP: | 3072:r0Q1U1T2LPEY4S4aSbueC0oa8h4YlQbHKlJCyS:oOVwY4BaB3lprCyS |
MD5: | E7C6C6D40045245ED7379563D608EE4E |
SHA1: | 809729D794E55CEE01F6F4EC27A762B36D4962C8 |
SHA-256: | BCF3A73B7D79A360924894A7D2FEB20BEB22A05C83FA7CE0C97FCC46A91E763C |
SHA-512: | 474ADCC2C65D4AF4C462D5631CBF9594B48D3D858C250869182A349D0926A79A4208B835CADA5F01524103383A35785C25551C67A126BFF1DE697D91871E2877 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 454047 |
Entropy (8bit): | 1.2505435420421065 |
Encrypted: | false |
SSDEEP: | 768:e76cXoLGuJRckoY8lCCcGyHqZB1+R8RYoKeXemBfRamFdP0D3DQqR+q67OvYbaT9:NkJkmEkn8IotDAwqXgp410PeIA7Y |
MD5: | 75EF339273C7DDEC322205D23C62CFFD |
SHA1: | 21DA7EDE40DC198A5C3533950318703CA25A1EC7 |
SHA-256: | 3A0BE07E38397FC93AE0E699C76418EF4C63DAA6B05689B8E6D6E62A724AC052 |
SHA-512: | 351B4E16C5A35C08FD2BAE00B6BADBCEAF91A6FE14529AD574DC350021860BAF81DED6230448E9F3E89B568071F6DDB67FCC9060F1D5557494D710DD08698897 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 380892 |
Entropy (8bit): | 7.633867639410607 |
Encrypted: | false |
SSDEEP: | 6144:16+2OrAKYssWvCmRopppeJ7CkM3jg156OTouSUdraAKKzWB/YInjJnkLFo4vuQQI:Qtr6zvChppw7SkL6gouJEWqB/rjJnCxN |
MD5: | 035BEDAD0927187D77836715E03BC8C0 |
SHA1: | CF8D1F87BCBF69455AA14E719A0E1004AD0D02B9 |
SHA-256: | 0FD22D73EC632F2DA1991A229A92668A3D6D8C7F7D888B04BF86771F84F90F4D |
SHA-512: | D8B3BFCFBA47CBDCBFAC114BCF359BF62537C6D1AF6736E3396243CCFC62EF08BA268BFD45858065220DD5732C517439E18B6ECEB866761794C75C377F6D24B4 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 329616 |
Entropy (8bit): | 1.2556941931450516 |
Encrypted: | false |
SSDEEP: | 768:ghIGzhQz76G44OyLkPR6WAzlGcoZHCki+Hz1/10GJaZDKJsFv1WMSE6PeW7w1CwL:DWf95Lu+kC/wkTdX7UfyfNGwHNqOv1+/ |
MD5: | A97FE872A9DEB61152EA1C3CC5430602 |
SHA1: | C941CD396CE59666C46DA339F1E1A021224A3621 |
SHA-256: | 8ECDBBE068CDC639A96DCC307C4D9FCF7EAC911B009E726693F69BCE3C95B35C |
SHA-512: | ECE02E3E1C214AC01DC55AAA6406DD4815FD54159EBFDF60435D0A6A0D4FED0D359F79D980040FCCE408F54719C5DF2EA4BD8D83F19C1A21A878ADCC56A102E2 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 401382 |
Entropy (8bit): | 1.2557772811513337 |
Encrypted: | false |
SSDEEP: | 1536:vbmqXCcTXKZfOtOO3ZQkkUB7PUq8nudcHcxeFxi7CL:vyX86ZGRBnj8nOy |
MD5: | F21E9CC8C12DB8B0A5E6F1372407EDF6 |
SHA1: | 23533ACADDDA630630C2D8169F2BAAF81CB13F9E |
SHA-256: | F959C2FEC98B52B5C4D014B237D1092141C8F4CDB333B012C3694EAB856A6AC3 |
SHA-512: | E3495BC2A6534ECA8D9936D66A58348000E3877331742D09E619F2FEFBA42D84397F4351BBD5364493FFD4F3E9D67A0BF6D7E7B7D0BF593926A9AA59ED49866F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 429858 |
Entropy (8bit): | 1.2467208624993744 |
Encrypted: | false |
SSDEEP: | 1536:Y/M4mr7UiKCZ5Xr3THeV6ae9Da6LH3cucuA:Y/M4q0w5XLG6CysuY |
MD5: | 683F7A8CA1E6F857F84463A9F9F7F2B9 |
SHA1: | DD477140CFF795A1EEA082D93E721D5913102F52 |
SHA-256: | AD31FD468B90B03A64EBDA64A4EAEFD3D207DF0F699CC8FEFAFDAF4BF022DF7E |
SHA-512: | A69E97F0D85F29EA7BCB3C425D8E6F8D33040B5E3CEC02608DD8579B41D4CEE9B0107B0FB2BE5A16BDC5EC8F59369F65EB8D4638D8C518F523EFB878A544042D |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\PO_203-25.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 451 |
Entropy (8bit): | 4.173047622517136 |
Encrypted: | false |
SSDEEP: | 12:qdyPa4vhNQvKkTyIhA6xEicAcMDtIgSXWQZSikY:qShNQvF6/ApZSmG |
MD5: | 4A9C590318347BEBA8FE8A97EBCC0EFD |
SHA1: | 12EA7DAC204791DC389D37B7B1A2D8109C1B88DF |
SHA-256: | 4B8916CF18402F51ECDB56923F5AA1AA226EBA01A583914577EDDBCC1F285771 |
SHA-512: | 95F50B907F9FD02087D965264E8DDAD642EAA62BFE3E71A8347C702CF3FDD838ADADEE0D1132F2E5E9913B34670D457A166C410F1E98D53C3929F4B8E715423B |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.054288818733064 |
TrID: | |
File name: | PO_203-25.exe |
File size: | 1'135'960 bytes |
MD5: | bcf1b4c359d89892cbdeddcac52fd4d7 |
SHA1: | 3c12d1efe6438fed0bcec88c23c5994c44066e43 |
SHA256: | 915903938dd1c51abd0f1e2f35e0fca67040694d9f5b1edd5825533a70a7269f |
SHA512: | 8d7537428ac645f0e9211f0d2efb96b038901d9937c25426c6d518300a405389ec85e8ebe612c980fa1f8af53d618c29ef1b415bf645959b858acbc92cde48e9 |
SSDEEP: | 12288:DYT2LK1jMVzATVewPQGKYkDWpktoYH3gUOQe7Vt8js7o8ucQPiEC6A:DYT2QMVzATgGKYkLoYXgLTE8ucQPi/6A |
TLSH: | DA359C61BF78FDDBD48944F1D0268A2DC7165FF26419013EA3C23E59BEB636158B0CA2 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........s.../...............+.......Rich............................PE..L....{.W.................^....9.... |
Icon Hash: | 302338b989879209 |
Entrypoint: | 0x4030ec |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x57807BB9 [Sat Jul 9 04:21:13 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b78ecf47c0a3e24a6f4af114e2d1f5de |
Signature Valid: | false |
Signature Issuer: | CN=Fastlagt, O=Fastlagt, L=Thouars, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 (0x800B0109, CERT_E_UNTRUSTEDROOT) |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | A855F3301D96B73BCFEA9871335C499D |
Thumbprint SHA-1: | CDA2835BBC18D9452015B4664FAB2E1DDC49099A |
Thumbprint SHA-256: | 982C6D1CA15396C88F0617B99F34AD4695FC6F86CD7361B50146A523ECC13834 |
Serial: | 0B147D78B05181202C759689B6FFCF91AD76260B |
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004070A8h] |
call dword ptr [004070A4h] |
cmp ax, 00000006h |
je 00007FC7F0E97403h |
push ebx |
call 00007FC7F0E9A371h |
cmp eax, ebx |
je 00007FC7F0E973F9h |
push 00000C00h |
call eax |
mov esi, 00407298h |
push esi |
call 00007FC7F0E9A2EDh |
push esi |
call dword ptr [004070A0h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007FC7F0E973DDh |
push ebp |
push 00000009h |
call 00007FC7F0E9A344h |
push 00000007h |
call 00007FC7F0E9A33Dh |
mov dword ptr [007A1F44h], eax |
call dword ptr [00407044h] |
push ebx |
call dword ptr [00407288h] |
mov dword ptr [007A1FF8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 0079D500h |
call dword ptr [00407174h] |
push 00409188h |
push 007A1740h |
call 00007FC7F0E99F67h |
call dword ptr [0040709Ch] |
mov ebp, 007A8000h |
push eax |
push ebp |
call 00007FC7F0E99F55h |
push ebx |
call dword ptr [00407154h] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3bc000 | 0x56f00 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x114378 | 0x11e0 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5db6 | 0x5e00 | f367801e476b699be2b532039e0b583c | False | 0.6806848404255319 | data | 6.508470969322742 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1246 | 0x1400 | 43fab6a80651bd97af8f34ecf44cd8ac | False | 0.42734375 | data | 5.005029341587408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x399038 | 0x400 | 29ebcbec0bd7bd0fecb3d2937195c560 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x3a3000 | 0x19000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3bc000 | 0x56f00 | 0x57000 | abc24a3b3437be2709f45b1cd210d1a8 | False | 0.15879242995689655 | data | 3.3786801766145547 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
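Two numbers in the tables above deserve a second look. The .data section has a virtual size of 0x399038 against only 0x400 bytes of raw data, so almost the whole region is filled at run time rather than read from disk (the zero raw size of .ndata is different: it is flagged as uninitialised data, which is normal). And the security directory sits at file offset 0x114378 with size 0x11e0; 0x114378 + 0x11e0 = 1'135'960, exactly the reported file size, so the Authenticode blob is the last thing in the file. The script below is an added example, not part of this report and not Joe Sandbox code: with only the standard library it parses a PE32 section table, computes the same 8-bit entropy the report lists per section, and applies those two checks. The PE bytes it builds are constructed to mirror the reported section layout (names, RVAs, virtual sizes, characteristics, raw sizes) with filler bodies, not the sample's content; the 16x size ratio and the 7.2 entropy threshold are this example's own triage choices.

```python
"""Section-table and signature-placement triage for a PE32 file.
Added example; the PE bytes built here are constructed, not the sample."""
import math
import struct
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
SCN_CNT_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
DIR_SECURITY = 4                               # IMAGE_DIRECTORY_ENTRY_SECURITY

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (the report's 'Entropy (8bit)')."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def signature_is_trailing(offset: int, size: int, file_size: int) -> bool:
    """The security directory holds a file offset, not an RVA; a cleanly
    signed file ends exactly where its WIN_CERTIFICATE blob ends."""
    return size > 0 and offset + size == file_size

def parse_pe(data: bytes) -> dict:
    """Return the data directories and section headers of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]          # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        f = SECTION_HDR.unpack_from(data, opt + opt_size + 40 * i)
        rawsize, rawptr = f[3], f[4]
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "rawsize": rawsize, "rawptr": rawptr, "chars": f[9],
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"dirs": dirs, "sections": sections}

def find_anomalies(pe: dict, file_size: int) -> list:
    """Section-level triage heuristics; thresholds are this example's choices."""
    out = []
    for s in pe["sections"]:
        initialised = not s["chars"] & SCN_CNT_UNINITIALIZED_DATA
        if initialised and s["rawsize"] and s["vsize"] > 16 * s["rawsize"]:
            out.append(f"{s['name']}: virtual size {s['vsize']:#x} dwarfs raw size "
                       f"{s['rawsize']:#x}; the region is filled at run time")
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            out.append(f"{s['name']}: writable and executable")
        if s["rawptr"] + s["rawsize"] > file_size:
            out.append(f"{s['name']}: raw data runs past end of file")
        if s["entropy"] > 7.2:
            out.append(f"{s['name']}: entropy {s['entropy']:.2f}, likely packed or encrypted")
    sec_off, sec_size = pe["dirs"][DIR_SECURITY]
    if sec_size and not signature_is_trailing(sec_off, sec_size, file_size):
        out.append(f"security directory {sec_off:#x}+{sec_size:#x} does not end at EOF {file_size:#x}")
    return out

def build_sample_pe() -> bytes:
    """Constructed PE32 mirroring the report's section table, with filler bodies."""
    layout = [  # name, body, RVA, VirtualSize, Characteristics
        (".text", bytes(range(64)) * 376, 0x1000, 0x5db6, 0x60000020),   # 0x5e00 bytes, entropy 6.0
        (".rdata", b"\0" * 0x1400, 0x7000, 0x1246, 0x40000040),
        (".data", b"\0" * 0x400, 0x9000, 0x399038, 0xC0000040),          # ~3.6 MiB virtual, 1 KiB on disk
        (".ndata", b"", 0x3a3000, 0x19000, 0xC0000080),                  # uninitialised: raw size 0 is normal
        (".rsrc", b"\0" * 0x57000, 0x3bc000, 0x56f00, 0x40000040),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                        # e_lfanew
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                          # ImageBase
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x57807BB9, 0, 0, len(opt), 0x0102)
    hdrs, bodies, raw_ptr = b"", b"", 0x400                            # raw data starts after the headers
    for name, body, va, vsize, chars in layout:
        hdrs += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va, len(body),
                                 raw_ptr if body else 0, 0, 0, 0, 0, chars)
        bodies += body
        raw_ptr += len(body)
    cert = b"\x30\x82" + b"\0" * 30                                    # stand-in WIN_CERTIFICATE blob at EOF
    struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, raw_ptr, len(cert))
    head = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(0x400, b"\0")
    return head + bodies + cert

if __name__ == "__main__":
    blob = build_sample_pe()
    print(*find_anomalies(parse_pe(blob), len(blob)), sep="\n")
    print("report's signature ends at EOF:", signature_is_trailing(0x114378, 0x11e0, 1135960))
```

Run on the constructed file it flags only .data, and the trailing-signature check passes both for the constructed blob and for the offsets the report gives for the real sample. A security directory that does not end at EOF means the file was changed or truncated after signing, and is worth settling before reading anything into the signature verdict.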
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x3bc2c8 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | United States | 0.1301483859514158 |
RT_ICON | 0x3fe2f0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.21354844433928782 |
RT_ICON | 0x40eb18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.3350622406639004 |
RT_ICON | 0x4110c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.3946998123827392 |
RT_ICON | 0x412168 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.49113475177304966 |
RT_DIALOG | 0x4125d0 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x4126d0 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x4127f0 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0x4128b8 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x412918 | 0x4c | data | English | United States | 0.7894736842105263 |
RT_VERSION | 0x412968 | 0x258 | data | English | United States | 0.5116666666666667 |
RT_MANIFEST | 0x412bc0 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384 |
DLL | Import |
---|---|
KERNEL32.dll | SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc |
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA |
ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
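The Import Hash reported earlier (b78ecf47c0a3e24a6f4af114e2d1f5de) is derived from exactly this import table, which is why it pivots so well across samples built from the same installer stub. The script below is an added example, not part of the report: it implements the Mandiant/pefile imphash recipe over the listing as printed (each import rendered as lower-case "dll-without-extension.function", joined by commas in import-directory order, MD5-hashed). The import list is copied from the table above; whether the report prints imports in true import-directory order is not something the table guarantees, so compare the computed value with the reported hash rather than trusting the computation alone. Ordinal imports are reduced to ordN here; pefile additionally maps known ordinals of a few DLLs to names, a table this example omits since this sample imports by name only.

```python
"""Import hash (imphash) from an import listing. Added example, not report code."""
import hashlib

# Import table as listed in the report: (DLL, [imported functions]).
IMPORTS = [
    ("KERNEL32.dll", """SetEnvironmentVariableA Sleep GetTickCount GetFileSize GetModuleFileNameA
        GetCurrentProcess CopyFileA GetFileAttributesA SetFileAttributesA GetWindowsDirectoryA
        GetTempPathA GetCommandLineA lstrlenA GetVersion SetErrorMode lstrcpynA ExitProcess
        GetFullPathNameA GlobalLock CreateThread GetLastError CreateDirectoryA CreateProcessA
        RemoveDirectoryA CreateFileA GetTempFileNameA ReadFile WriteFile lstrcpyA MoveFileExA
        lstrcatA GetSystemDirectoryA GetProcAddress CloseHandle SetCurrentDirectoryA MoveFileA
        CompareFileTime GetShortPathNameA SearchPathA lstrcmpiA SetFileTime lstrcmpA
        ExpandEnvironmentStringsA GlobalUnlock GetDiskFreeSpaceA GlobalFree FindFirstFileA
        FindNextFileA DeleteFileA SetFilePointer GetPrivateProfileStringA FindClose
        MultiByteToWideChar FreeLibrary MulDiv WritePrivateProfileStringA LoadLibraryExA
        GetModuleHandleA GetExitCodeProcess WaitForSingleObject GlobalAlloc""".split()),
    ("USER32.dll", """ScreenToClient GetSystemMenu SetClassLongA IsWindowEnabled SetWindowPos
        GetSysColor GetWindowLongA SetCursor LoadCursorA CheckDlgButton GetMessagePos LoadBitmapA
        CallWindowProcA IsWindowVisible CloseClipboard SetClipboardData EmptyClipboard
        PostQuitMessage GetWindowRect EnableMenuItem CreatePopupMenu GetSystemMetrics
        SetDlgItemTextA GetDlgItemTextA MessageBoxIndirectA CharPrevA DispatchMessageA
        PeekMessageA ReleaseDC EnableWindow InvalidateRect SendMessageA DefWindowProcA BeginPaint
        GetClientRect FillRect DrawTextA EndDialog RegisterClassA SystemParametersInfoA
        CreateWindowExA GetClassInfoA DialogBoxParamA CharNextA ExitWindowsEx GetDC
        CreateDialogParamA SetTimer GetDlgItem SetWindowLongA SetForegroundWindow LoadImageA
        IsWindow SendMessageTimeoutA FindWindowExA OpenClipboard TrackPopupMenu AppendMenuA
        EndPaint DestroyWindow wsprintfA ShowWindow SetWindowTextA""".split()),
    ("GDI32.dll", """SelectObject SetBkMode CreateFontIndirectA SetTextColor DeleteObject
        GetDeviceCaps CreateBrushIndirect SetBkColor""".split()),
    ("SHELL32.dll", """SHGetSpecialFolderLocation SHGetPathFromIDListA SHBrowseForFolderA
        SHGetFileInfoA ShellExecuteA SHFileOperationA""".split()),
    ("ADVAPI32.dll", """RegDeleteKeyA SetFileSecurityA OpenProcessToken LookupPrivilegeValueA
        AdjustTokenPrivileges RegOpenKeyExA RegEnumValueA RegDeleteValueA RegCloseKey
        RegCreateKeyExA RegSetValueExA RegQueryValueExA RegEnumKeyA""".split()),
    ("COMCTL32.dll", "ImageList_Create ImageList_AddMasked ImageList_Destroy".split()),
    ("ole32.dll", "OleUninitialize OleInitialize CoTaskMemFree CoCreateInstance".split()),
]

def _normalise_dll(name: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys extension, as pefile does."""
    lib = name.lower()
    parts = lib.rsplit(".", 1)
    if len(parts) == 2 and parts[1] in ("dll", "ocx", "sys"):
        return parts[0]
    return lib

def imphash_string(imports) -> str:
    """The comma-joined string that gets hashed. Functions may be names or
    integer ordinals; ordinals become 'ordN' (pefile's fallback form)."""
    parts = []
    for dll, funcs in imports:
        lib = _normalise_dll(dll)
        for f in funcs:
            fname = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{fname}")
    return ",".join(parts)

def imphash(imports) -> str:
    """MD5 of the import string; MD5 is the recipe's choice, not a security property."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()

if __name__ == "__main__":
    print(imphash(IMPORTS))   # compare with the report's Import Hash
```

Because the hash covers order as well as names, two binaries that import the same functions in a different order get different imphashes; that is why a cluster of NSIS-built droppers shares one value while a recompiled stub with reordered imports does not.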
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-25T13:40:57.582700+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.3 | 49714 | 172.67.200.96 | 443 | TCP |
2024-11-25T13:41:17.748952+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.3 | 49716 | 192.3.176.134 | 7062 | TCP |
2024-11-25T13:41:20.399125+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.3 | 49717 | 178.237.33.50 | 80 | TCP |
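The three alerts line up with the three remote endpoints in the report: the filetransfer.io download over 443, the Remcos TLS session to 192.3.176.134:7062 that the ET JA3 rule matched, and the geoplugin.net lookup over 80. The script below is an added example, not part of the report: it turns packet-log lines in the report's "Timestamp | Source Port | Dest Port | Source IP | Dest IP" layout into per-flow summaries and flags flows that match the extracted C2 host:port, connect straight to an IP that never appeared in a DNS answer, or carry two-way traffic on a non-web port. REMCOS_C2 and DNS_RESOLVED are lifted from the report (the C2 from the configuration and alert, the two resolved IPs from the domain table); the packet lines are constructed in the report's format, with the 7062 flow standing in for the one the alert fired on.

```python
"""Flow triage over packet-log lines in the report's column layout.
Added example; the packet lines are constructed, the IOCs come from the report."""
import ipaddress
from datetime import datetime

REMCOS_C2 = {("192.3.176.134", 7062)}              # from the extracted config / JA3 alert
DNS_RESOLVED = {"172.67.200.96", "178.237.33.50"}   # IPs that appeared in a DNS answer
LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")  # the sandbox guest network
WEB_PORTS = {80, 443}

# Constructed lines in the report's format; the 7062 flow is the Remcos session.
PACKET_LOG = """\
Nov 25, 2024 13:40:55.307952881 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:55.307993889 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:17.700000000 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:17.748952000 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:18.748952000 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:20.399125000 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:41:20.450000000 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.3 |
"""

def parse_packet_line(line: str):
    """One report row -> (timestamp, sport, dport, src, dst)."""
    ts, sport, dport, src, dst = [f.strip() for f in line.strip().strip("|").split("|")]
    ts = ts.rsplit(" ", 1)[0][:-3]                 # drop the zone, trim ns to us for %f
    stamp = datetime.strptime(ts, "%b %d, %Y %H:%M:%S.%f")
    return stamp, int(sport), int(dport), src, dst

def summarize_flows(log_text: str) -> dict:
    """Group packets into client->server flows keyed (client, server, server_port)."""
    flows = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, sport, dport, src, dst = parse_packet_line(line)
        if ipaddress.ip_address(src) in LOCAL_NET:   # guest -> remote
            key, direction = (src, dst, dport), "out"
        else:                                        # remote -> guest
            key, direction = (dst, src, sport), "in"
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": stamp, "last": stamp})
        f[direction] += 1
        f["first"], f["last"] = min(f["first"], stamp), max(f["last"], stamp)
    return flows

def triage(flows: dict) -> dict:
    """Map each suspicious flow to the list of reasons it was flagged."""
    hits = {}
    for (client, server, port), f in flows.items():
        reasons = []
        if (server, port) in REMCOS_C2:
            reasons.append("matches Remcos C2 host:port from the extracted config")
        if server not in DNS_RESOLVED and not ipaddress.ip_address(server).is_private:
            reasons.append("direct-to-IP connection, no DNS resolution seen")
        if port not in WEB_PORTS and f["in"]:
            reasons.append(f"two-way traffic on non-web port {port}")
        if reasons:
            hits[(client, server, port)] = reasons
    return hits

if __name__ == "__main__":
    for flow, reasons in triage(summarize_flows(PACKET_LOG)).items():
        print(flow, *reasons, sep="\n  ")
```

The direct-to-IP check is the one that survives a config change: a fresh Remcos build with a new C2 still shows up as a guest talking to a bare IP on an odd port with no DNS lookup in front of it, which is exactly how 192.3.176.134 appears in the report's domain table ("unknown").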
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 25, 2024 13:40:55.307952881 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:55.307993889 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:55.308063984 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:55.325392962 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:55.325414896 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:56.639945984 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:56.640074015 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:56.804394960 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:56.804414988 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:56.804977894 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:56.805035114 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:56.809643984 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:56.851337910 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:57.582662106 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:57.582763910 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:57.582778931 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:57.582825899 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:57.582884073 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:57.587634087 CET | 49714 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:57.587651968 CET | 443 | 49714 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:57.744329929 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:57.744362116 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:57.744524956 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:57.745245934 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:57.745258093 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:59.050179958 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:59.050297022 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:59.053848982 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:59.053855896 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:59.054207087 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:40:59.054286957 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:59.054569960 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:40:59.095335007 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.688070059 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.688119888 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.688153982 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.688184977 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.688189983 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.688208103 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.688220978 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.688241959 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.688271999 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.688281059 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.688296080 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.688330889 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.696248055 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.696332932 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.697942019 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.697999954 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.706337929 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.706408024 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.706511974 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.706562996 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958417892 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958472967 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958497047 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958501101 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958529949 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958545923 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958563089 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958570957 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958570957 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958581924 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958600998 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958612919 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958625078 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958631992 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958653927 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958684921 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958689928 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958697081 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958723068 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958733082 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958750963 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958755016 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958760977 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958791018 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958805084 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958817005 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958822012 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958848000 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958864927 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958873034 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.958884954 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.958915949 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:11.988559961 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:11.988641977 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.002847910 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.002913952 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.005352974 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.005423069 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.005429983 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.005477905 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.015860081 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.015938997 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.079454899 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.079518080 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.079547882 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.079590082 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.107268095 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.107355118 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.107373953 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.107426882 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.110980034 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.111058950 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.111073971 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.111155033 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.118936062 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.119008064 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.119024038 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.119081020 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.133805037 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.133873940 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.148953915 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.149034023 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.156454086 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.156521082 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.171555042 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.171622992 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.186724901 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.186810970 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.201807022 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.201877117 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.209500074 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.209579945 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.223983049 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.224050045 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.237396955 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.237466097 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.251024961 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.251091957 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:12.258079052 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:12.258137941 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.728880882 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.729053020 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.729928970 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.730000019 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.733642101 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.733705044 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.736394882 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.736448050 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.814894915 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.814960003 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.818109035 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.818171024 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.821974993 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.822040081 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.826898098 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.826962948 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.829579115 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.829641104 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.834758997 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.834822893 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.839797974 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.839862108 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.842386007 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.842444897 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.902218103 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.902462959 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.907144070 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.907213926 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.912343025 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.912405968 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.914443016 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.914506912 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.919209957 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.919272900 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.924549103 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.924614906 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.930327892 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.930393934 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.931701899 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.931760073 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.938338995 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.938405037 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.940710068 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.940772057 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.944752932 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.944814920 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.950871944 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.950933933 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.995168924 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.995286942 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:13.999351978 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:13.999447107 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.004355907 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.004415989 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.009505033 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.009602070 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.012126923 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.012192965 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.027802944 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.027816057 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.027853966 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.027956963 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.027981997 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.028053999 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.045649052 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.045671940 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.045794010 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.045804024 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.045924902 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.063169003 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.063191891 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.063252926 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.063266039 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.063349962 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.110178947 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.110203981 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.110253096 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.110270023 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.110285044 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.110308886 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.118591070 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.118611097 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.118670940 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.118679047 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.118721962 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.129146099 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.129165888 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.129287004 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.129293919 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.129370928 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.204050064 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.204075098 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.204174042 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.204184055 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.204231024 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.210848093 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.210869074 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.210978985 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.210987091 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.211036921 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.234926939 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.234951019 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.235022068 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.235038042 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.235070944 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.235080004 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.243695974 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.243724108 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.243767977 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.243776083 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.243804932 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.243813038 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.250432014 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.250452042 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.250544071 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.250550985 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.250598907 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.320820093 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.320846081 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.321027994 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.321048975 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.321098089 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.326878071 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.326900005 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.326968908 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.326976061 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.327023983 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.332932949 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.332952976 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.333125114 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.333133936 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.333183050 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.414597988 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.414627075 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.414714098 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.414742947 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.414783001 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.420176029 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.420197964 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.420273066 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.420280933 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.420321941 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.444732904 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.444756985 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.444883108 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.444899082 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.444947958 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.445657969 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.445722103 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.445729971 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.445741892 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.445777893 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.445806026 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.445825100 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.445846081 CET | 443 | 49715 | 172.67.200.96 | 192.168.2.3 |
Nov 25, 2024 13:41:14.445858002 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:14.445899010 CET | 49715 | 443 | 192.168.2.3 | 172.67.200.96 |
Nov 25, 2024 13:41:16.364991903 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:16.485126972 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:16.485238075 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:16.488739967 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:16.608642101 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:17.703305960 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:17.748951912 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:17.955852032 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:17.959943056 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:18.082653999 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:18.082783937 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:18.203536034 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:18.435528040 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:18.445836067 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:18.565809965 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:18.645670891 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:18.688925982 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:19.036031961 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:41:19.156070948 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.3 |
Nov 25, 2024 13:41:19.156143904 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:41:19.156443119 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:41:19.276364088 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.3 |
Nov 25, 2024 13:41:20.399060011 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.3 |
Nov 25, 2024 13:41:20.399125099 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:41:20.406326056 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:20.526566029 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:21.398705006 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.3 |
Nov 25, 2024 13:41:21.398799896 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:41:43.991451979 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:43.992767096 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:44.112869978 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:42:13.834279060 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:42:13.837121010 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:42:13.957578897 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:42:43.853943110 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:42:43.855282068 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:42:43.975583076 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:42:45.140333891 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:45.499093056 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:46.186561108 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:47.592854977 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:50.092866898 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:55.186578989 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:43:05.186655998 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:43:13.884793997 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:43:13.886358976 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:43:14.007394075 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:43:43.932385921 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:43:43.934004068 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:43:44.054022074 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:44:13.931302071 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:44:13.932791948 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:44:14.296056032 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:44:14.533921003 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:44:14.534039974 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:44:14.534081936 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:44:14.534146070 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
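The port-7062 rows above are the pattern a detection engineer would look for in this table: after the initial exchange, the remote host sends a packet roughly every 30 seconds and the client answers at once, while the port-80 connection's late packets are spaced 0.36, 0.69, 1.4, 2.5, 5.1 and 10 s apart, the doubling spacing consistent with TCP retransmission backoff rather than a scheduled beacon. The following Python is an added example, not part of the Joe Sandbox report: it parses rows in the table's own format (the sample is a constructed subset copied from the 7062 and 80 flows; the 443 flow is left out), groups them into flows against the sandbox host, and flags a flow whose idle gaps cluster around one interval. The idle threshold (5 s), tolerance (15%), minimum gap count (3) and ratio (75%) are assumptions chosen for the illustration; `LOCAL_IP` is the VM address shown in the table.

```python
"""Flow grouping and keepalive-interval check over Joe Sandbox packet-log rows.
Added example, not part of the report; thresholds are assumptions for this
illustration and the sample rows are a subset copied from the report's TCP table."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOCAL_IP = "192.168.2.3"  # the analysed sandbox VM, as shown in the table

# Constructed sample: rows copied from the report's table (7062 and 80 flows only).
# Columns: Timestamp | Source Port | Dest Port | Source IP | Dest IP
SAMPLE_ROWS = """\
Nov 25, 2024 13:41:16.364991903 CET | 49716 | 7062 | 192.168.2.3 | 192.3.176.134 |
Nov 25, 2024 13:41:16.485126972 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:18.645670891 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:19.036031961 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:41:19.156070948 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.3 |
Nov 25, 2024 13:41:20.399060011 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.3 |
Nov 25, 2024 13:41:20.526566029 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:41:21.398705006 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.3 |
Nov 25, 2024 13:41:43.991451979 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:42:13.834279060 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:42:43.853943110 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:42:45.140333891 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:45.499093056 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:46.186561108 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:47.592854977 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:50.092866898 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:42:55.186578989 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:43:05.186655998 CET | 49717 | 80 | 192.168.2.3 | 178.237.33.50 |
Nov 25, 2024 13:43:13.884793997 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:43:43.932385921 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
Nov 25, 2024 13:44:13.931302071 CET | 7062 | 49716 | 192.3.176.134 | 192.168.2.3 |
"""

# The report prints nanoseconds but strptime's %f takes at most six digits, so the
# fraction is truncated; the zone token ("CET") is identical on every row and dropped.
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d{6})\d* \w+$")


def parse_timestamp(text):
    match = TS_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(match.group(1), "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    """Packets as (ts, remote_ip, remote_port, local_port, direction), time-ordered."""
    packets = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or not TS_RE.match(cells[0]):
            continue  # blank line, header or separator row
        ts, sport, dport, sip, dip = cells
        if sip == LOCAL_IP:
            packets.append((parse_timestamp(ts), dip, int(dport), int(sport), "OUT"))
        else:
            packets.append((parse_timestamp(ts), sip, int(sport), int(dport), "IN"))
    return sorted(packets, key=lambda p: p[0])


def group_flows(packets):
    """Group packets by (remote_ip, remote_port, local_port), keeping (ts, direction)."""
    flows = defaultdict(list)
    for ts, rip, rport, lport, direction in packets:
        flows[(rip, rport, lport)].append((ts, direction))
    return flows


def idle_gaps(timeline, idle_seconds):
    """Gaps between consecutive packets of one flow (either direction) >= idle_seconds."""
    deltas = [(b - a).total_seconds() for (a, _), (b, _) in zip(timeline, timeline[1:])]
    return [d for d in deltas if d >= idle_seconds]


def beacon_check(timeline, idle_seconds=5.0, tolerance=0.15, min_gaps=3, min_ratio=0.75):
    """Return (flagged, median_gap, regular_gaps, total_gaps) for one flow.

    A flow is flagged when at least min_gaps idle gaps exist and at least
    min_ratio of them lie within tolerance of their median: a scheduled keepalive
    clusters, whereas retransmission backoff (gaps that keep doubling) does not."""
    gaps = idle_gaps(timeline, idle_seconds)
    if len(gaps) < min_gaps:
        return False, None, 0, len(gaps)
    centre = median(gaps)
    regular = sum(1 for g in gaps if abs(g - centre) <= tolerance * centre)
    return regular / len(gaps) >= min_ratio, centre, regular, len(gaps)


def analyse(text):
    """Map (remote_ip, remote_port, local_port) to beacon_check() for every flow."""
    return {key: beacon_check(timeline)
            for key, timeline in group_flows(parse_rows(text)).items()}


if __name__ == "__main__":
    for (rip, rport, lport), (flagged, centre, regular, total) in analyse(SAMPLE_ROWS).items():
        shown = "n/a" if centre is None else f"{centre:.2f}s"
        print(f"{rip}:{rport} (local port {lport}) idle gaps={total} regular={regular} "
              f"median={shown} -> {'BEACON?' if flagged else 'ok'}")
```

On the sample rows the 192.3.176.134:7062 flow yields six idle gaps with a median just over 30 s, five of them within tolerance, so it is flagged; the 178.237.33.50:80 flow has three idle gaps (83.7 s, 5.1 s, 10.0 s) that do not cluster and is not. Run the block as a script to print the per-flow summary, or feed `analyse()` the full table text to cover the 443 flow as well, which has no idle gaps at the 5 s threshold and therefore cannot be flagged.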
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 25, 2024 13:40:55.156371117 CET | 51558 | 53 | 192.168.2.3 | 1.1.1.1 |
Nov 25, 2024 13:40:55.294013023 CET | 53 | 51558 | 1.1.1.1 | 192.168.2.3 |
Nov 25, 2024 13:40:57.600332022 CET | 55868 | 53 | 192.168.2.3 | 1.1.1.1 |
Nov 25, 2024 13:40:57.742448092 CET | 53 | 55868 | 1.1.1.1 | 192.168.2.3 |
Nov 25, 2024 13:41:18.803141117 CET | 49487 | 53 | 192.168.2.3 | 1.1.1.1 |
Nov 25, 2024 13:41:19.035244942 CET | 53 | 49487 | 1.1.1.1 | 192.168.2.3 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 25, 2024 13:40:55.156371117 CET | 192.168.2.3 | 1.1.1.1 | 0x52e0 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Nov 25, 2024 13:40:57.600332022 CET | 192.168.2.3 | 1.1.1.1 | 0xf0a3 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Nov 25, 2024 13:41:18.803141117 CET | 192.168.2.3 | 1.1.1.1 | 0xf986 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 25, 2024 13:40:55.294013023 CET | 1.1.1.1 | 192.168.2.3 | 0x52e0 | No error (0) | | | 172.67.200.96 | A (IP address) | IN (0x0001) | false |
Nov 25, 2024 13:40:55.294013023 CET | 1.1.1.1 | 192.168.2.3 | 0x52e0 | No error (0) | | | 104.21.13.139 | A (IP address) | IN (0x0001) | false |
Nov 25, 2024 13:40:57.742448092 CET | 1.1.1.1 | 192.168.2.3 | 0xf0a3 | No error (0) | | | 172.67.200.96 | A (IP address) | IN (0x0001) | false |
Nov 25, 2024 13:40:57.742448092 CET | 1.1.1.1 | 192.168.2.3 | 0xf0a3 | No error (0) | | | 104.21.13.139 | A (IP address) | IN (0x0001) | false |
Nov 25, 2024 13:41:19.035244942 CET | 1.1.1.1 | 192.168.2.3 | 0xf986 | No error (0) | | | 178.237.33.50 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.3 | 49717 | 178.237.33.50 | 80 | 7892 | C:\Users\user\Desktop\PO_203-25.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 25, 2024 13:41:19.156443119 CET | 71 | OUT | |
Nov 25, 2024 13:41:20.399060011 CET | 1170 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.3 | 49714 | 172.67.200.96 | 443 | 7892 | C:\Users\user\Desktop\PO_203-25.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-25 12:40:56 UTC | 190 | OUT | |
2024-11-25 12:40:57 UTC | 1239 | IN | |
2024-11-25 12:40:57 UTC | 130 | IN | |
2024-11-25 12:40:57 UTC | 4 | IN | |
2024-11-25 12:40:57 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.3 | 49715 | 172.67.200.96 | 443 | 7892 | C:\Users\user\Desktop\PO_203-25.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-25 12:40:59 UTC | 281 | OUT | |
2024-11-25 12:41:11 UTC | 1248 | IN | |
2024-11-25 12:41:11 UTC | 121 | IN | |
2024-11-25 12:41:11 UTC | 1369 | IN | |
2024-11-25 12:41:11 UTC | 1369 | IN | |
2024-11-25 12:41:11 UTC | 1369 | IN | |
2024-11-25 12:41:11 UTC | 1369 | IN | |
2024-11-25 12:41:11 UTC | 1369 | IN | |
2024-11-25 12:41:11 UTC | 1369 | IN | |
2024-11-25 12:41:11 UTC | 1369 | IN | |
2024-11-25 12:41:11 UTC | 1369 | IN | |
2024-11-25 12:41:11 UTC | 1369 | IN |
Target ID: | 0 |
Start time: | 07:40:25 |
Start date: | 25/11/2024 |
Path: | C:\Users\user\Desktop\PO_203-25.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'135'960 bytes |
MD5 hash: | BCF1B4C359D89892CBDEDDCAC52FD4D7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 07:40:48 |
Start date: | 25/11/2024 |
Path: | C:\Users\user\Desktop\PO_203-25.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'135'960 bytes |
MD5 hash: | BCF1B4C359D89892CBDEDDCAC52FD4D7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 28.6% |
Dynamic/Decrypted Code Coverage: | 29.3% |
Signature Coverage: | 18.7% |
Total number of Nodes: | 686 |
Total number of Limit Nodes: | 15 |
Graph
Callgraph
Function 004030EC Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 357, Tags: string, com, file, COMMON
Function 004055AE Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159, Tags: file, string, COMMON
Function 00403A1E Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345, Tags: window, string, COMMON
Function 0040368C Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215, Tags: string, registry, COMMON
Function 00405D2E Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199, Tags: string, COMMON
Function 00404F25 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73, Tags: string, window, COMMON
Function 00406037 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36, Tags: library, COMMON
Function 0040586C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46, Tags: string, COMMON
Function 0040549D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24, Tags: process, COMMON
Function 100027E8 Relevance: 3.2, APIs: 2, Instructions: 156, Tags: COMMON
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43, Tags: window, COMMON
Function 0040597F Relevance: 3.0, APIs: 2, Instructions: 16, Tags: file, COMMON
Function 00405468 Relevance: 3.0, APIs: 2, Instructions: 9, Tags: COMMON
Function 004059F7 Relevance: 1.5, APIs: 1, Instructions: 22, Tags: file, COMMON
Function 00405A26 Relevance: 1.5, APIs: 1, Instructions: 22, Tags: file, COMMON
Function 1000270B Relevance: 1.5, APIs: 1, Instructions: 21, Tags: memory, COMMON
Function 00403F3D Relevance: 1.5, APIs: 1, Instructions: 9, Tags: window, COMMON
Function 004030A4 Relevance: 1.5, APIs: 1, Instructions: 6, Tags: COMMON
Function 00403F26 Relevance: 1.5, APIs: 1, Instructions: 6, Tags: window, COMMON
Function 00403F13 Relevance: 1.5, APIs: 1, Instructions: 4, Tags: COMMON
Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4, Tags: memory, COMMON
Function 00405A55 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131, Tags: string, memory, COMMON
Function 00403F58 Relevance: 12.1, APIs: 8, Instructions: 61, Tags: COMMON
Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111, Tags: COMMON
Function 00402B7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40, Tags: time, COMMON
Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189, Tags: COMMON
Function 0040577E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16, Tags: string, COMMON
Function 00402C02 Relevance: 6.0, APIs: 4, Instructions: 33, Tags: COMMON
Function 004057C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16, Tags: string, COMMON
Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102, Tags: memory, COMMON
Function 004058E4 Relevance: 5.0, APIs: 4, Instructions: 37, Tags: string, COMMON
Function 004030EC Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 83, Tags: com, string, COMMON
Function 00406037 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36, Tags: library, COMMON