Windows
Analysis Report
PO 0309494059506060609696007.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Classification
- System is w10x64
- PO 0309494059506060609696007.exe (PID: 6428 cmdline: "C:\Users\user\Desktop\PO 0309494059506060609696007.exe" MD5: 0BE2D87EDBE429042BF5EB8791A40BFD)
- PO 0309494059506060609696007.exe (PID: 2128 cmdline: "C:\Users\user\Desktop\PO 0309494059506060609696007.exe" MD5: 0BE2D87EDBE429042BF5EB8791A40BFD)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T11:07:28.264137+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49752 | 84.38.133.48 | 80 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00402868 | |
Source: | Code function: | 0_2_004059CC | |
Source: | Code function: | 0_2_004065FD | |
Source: | Code function: | 4_2_00402868 | |
Source: | Code function: | 4_2_004059CC | |
Source: | Code function: | 4_2_004065FD |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | DNS query: | ||
Source: | DNS query: |
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_00405461 |
Source: | Process Stats: |
Source: | Code function: | 0_2_0040338F | |
Source: | Code function: | 4_2_0040338F |
Source: | File created: | Jump to behavior |
Source: | Code function: | 0_2_00406B15 | |
Source: | Code function: | 0_2_004072EC | |
Source: | Code function: | 0_2_00404C9E | |
Source: | Code function: | 0_2_6E421B5F | |
Source: | Code function: | 4_2_00406B15 | |
Source: | Code function: | 4_2_004072EC | |
Source: | Code function: | 4_2_00404C9E | |
Source: | Code function: | 4_2_0015A220 | |
Source: | Code function: | 4_2_0015E360 | |
Source: | Code function: | 4_2_0015A590 | |
Source: | Code function: | 4_2_00154A58 | |
Source: | Code function: | 4_2_0015AAAC | |
Source: | Code function: | 4_2_00153E40 | |
Source: | Code function: | 4_2_00154188 | |
Source: | Code function: | 4_2_362592C8 | |
Source: | Code function: | 4_2_3625BB90 | |
Source: | Code function: | 4_2_3625A7DC | |
Source: | Code function: | 4_2_362656A0 | |
Source: | Code function: | 4_2_362666C0 | |
Source: | Code function: | 4_2_3626C240 | |
Source: | Code function: | 4_2_3626B2F0 | |
Source: | Code function: | 4_2_36263158 | |
Source: | Code function: | 4_2_36267760 | |
Source: | Code function: | 4_2_3626E468 | |
Source: | Code function: | 4_2_36265DB7 | |
Source: | Code function: | 4_2_3626CAD0 | |
Source: | Code function: | 4_2_36262370 | |
Source: | Code function: | 4_2_36260040 | |
Source: | Code function: | 4_2_36632C51 | |
Source: | Code function: | 4_2_36260012 |
Source: | Code function: |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_0040338F | |
Source: | Code function: | 4_2_0040338F |
Source: | Code function: | 0_2_00404722 |
Source: | Code function: | 0_2_00402104 |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: | 0_2_6E421B5F |
Source: | Code function: | 4_2_36253FD5 | |
Source: | Code function: | 4_2_3663058F |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: |
Source: | RDTSC instruction interceptor: | ||
Source: | RDTSC instruction interceptor: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | API coverage: |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | WMI Queries: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | 0_2_00402868 | |
Source: | Code function: | 0_2_004059CC | |
Source: | Code function: | 0_2_004065FD | |
Source: | Code function: | 4_2_00402868 | |
Source: | Code function: | 4_2_004059CC | |
Source: | Code function: | 4_2_004065FD |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-4275 | ||
Source: | API call chain: | graph_0-4429 |
Source: | Code function: | 0_2_6E421B5F |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Code function: | 0_2_0040338F |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 226 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 141 Virtualization/Sandbox Evasion | Distributed Component Object Model | 1 Clipboard Data | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
3% | ReversingLabs | |||
10% | Virustotal | Browse | ||
100% | Avira | HEUR/AGEN.1331786 |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
api.ipify.org | 104.26.12.205 | true | false | | high |
concaribe.com | 192.185.13.234 | true | true | | unknown |
ftp.concaribe.com | unknown | unknown | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
| false | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
84.38.133.48 | unknown | Latvia | 203557 | DATACLUB-NL | false | |
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false | |
192.185.13.234 | concaribe.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1577289 |
Start date and time: | 2024-12-18 11:05:28 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | PO 0309494059506060609696007.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/10@2/3 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
05:07:31 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
84.38.133.48 | | | malicious | AgentTesla, GuLoader | | |
104.26.12.205 | | | malicious | Unknown | | |
104.26.12.205 | | | malicious | TrojanRansom | | |
104.26.12.205 | | | malicious | TrojanRansom | | |
104.26.12.205 | | | malicious | RCRU64, TrojanRansom | | |
104.26.12.205 | | | malicious | Unknown | | |
104.26.12.205 | | | malicious | Targeted Ransomware | | |
104.26.12.205 | | | malicious | Unknown | | |
104.26.12.205 | | | malicious | Remcos | | |
104.26.12.205 | | | malicious | Xmrig | | |
104.26.12.205 | | | malicious | RDPWrap Tool | | |
192.185.13.234 | | | malicious | AgentTesla, GuLoader | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
api.ipify.org | | | malicious | HTMLPhisher | | |
api.ipify.org | | | malicious | Unknown | | |
api.ipify.org | | | malicious | AgentTesla | | |
api.ipify.org | | | malicious | AgentTesla, GuLoader | | |
api.ipify.org | | | malicious | AgentTesla | | |
api.ipify.org | | | malicious | HTMLPhisher | | |
api.ipify.org | | | malicious | Edge Stealer | | |
api.ipify.org | | | malicious | HTMLPhisher | | |
api.ipify.org | | | malicious | HTMLPhisher | | |
api.ipify.org | | | malicious | CredGrabber, Meduza Stealer | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
DATACLUB-NL | | | malicious | AgentTesla, GuLoader | | |
DATACLUB-NL | | | malicious | GuLoader | | |
DATACLUB-NL | | | malicious | GuLoader | | |
DATACLUB-NL | | | malicious | AgentTesla, GuLoader | | |
DATACLUB-NL | | | malicious | AgentTesla, GuLoader | | |
DATACLUB-NL | | | malicious | AgentTesla, GuLoader | | |
DATACLUB-NL | | | malicious | Remcos, GuLoader | | |
DATACLUB-NL | | | malicious | GuLoader, Snake Keylogger | | |
DATACLUB-NL | | | malicious | AgentTesla, GuLoader | | |
DATACLUB-NL | | | malicious | Snake Keylogger | | |
CLOUDFLARENETUS | | | malicious | Can Stealer | | |
CLOUDFLARENETUS | | | malicious | Unknown | | |
CLOUDFLARENETUS | | | malicious | HTMLPhisher | | |
CLOUDFLARENETUS | | | malicious | Unknown | | |
CLOUDFLARENETUS | | | malicious | Unknown | | |
CLOUDFLARENETUS | | | malicious | LummaC | | |
CLOUDFLARENETUS | | | malicious | Unknown | | |
CLOUDFLARENETUS | | | malicious | GuLoader, MassLogger RAT | | |
CLOUDFLARENETUS | | | malicious | LummaC | | |
CLOUDFLARENETUS | | | malicious | Abobus Obfuscator, Braodo | | |
UNIFIEDLAYER-AS-1US | | | malicious | Mirai, Okiru | | |
UNIFIEDLAYER-AS-1US | | | malicious | Unknown | | |
UNIFIEDLAYER-AS-1US | | | malicious | AgentTesla | | |
UNIFIEDLAYER-AS-1US | | | malicious | AgentTesla, GuLoader | | |
UNIFIEDLAYER-AS-1US | | | malicious | Unknown | | |
UNIFIEDLAYER-AS-1US | | | malicious | Unknown | | |
UNIFIEDLAYER-AS-1US | | | malicious | AgentTesla | | |
UNIFIEDLAYER-AS-1US | | | malicious | Mirai | | |
UNIFIEDLAYER-AS-1US | | | malicious | HTMLPhisher | | |
UNIFIEDLAYER-AS-1US | | | malicious | Unknown | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | Can Stealer | | |
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | GuLoader, MassLogger RAT | | |
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | PureCrypter, PureLog Stealer | | |
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | Abobus Obfuscator, Braodo | | |
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | Abobus Obfuscator, Braodo | | |
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | Abobus Obfuscator, Braodo | | |
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | PureCrypter, PureLog Stealer | | |
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | Sliver | | |
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | Sliver | | |
3b5074b1b5d032e5620f69f9f700ff0e | | | malicious | PureLog Stealer, RHADAMANTHYS | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nst14AC.tmp\LangDLL.dll | | | malicious | Metasploit | | |
C:\Users\user\AppData\Local\Temp\nst14AC.tmp\LangDLL.dll | | | malicious | Metasploit | | |
C:\Users\user\AppData\Local\Temp\nst14AC.tmp\LangDLL.dll | | | malicious | Unknown | | |
C:\Users\user\AppData\Local\Temp\nst14AC.tmp\LangDLL.dll | | | malicious | Unknown | | |
C:\Users\user\AppData\Local\Temp\nst14AC.tmp\LangDLL.dll | | | malicious | RedLine, SmokeLoader | | |
C:\Users\user\AppData\Local\Temp\nst14AC.tmp\LangDLL.dll | | | malicious | Glupteba, RedLine, SmokeLoader | | |
C:\Users\user\AppData\Local\Temp\nst14AC.tmp\LangDLL.dll | | | malicious | Unknown | | |
C:\Users\user\AppData\Local\Temp\nst14AC.tmp\LangDLL.dll | | | malicious | Unknown | | |
C:\Users\user\AppData\Local\Temp\nst14AC.tmp\LangDLL.dll | | | malicious | Unknown | | |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5632 |
Entropy (8bit): | 3.818015063694808 |
Encrypted: | false |
SSDEEP: | 48:S46+/zTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mxofjLl:z5uPbOBtWZBV8jAWiAJCdv2CmAL |
MD5: | AB1DB56369412FE8476FEFFFD11E4CC0 |
SHA1: | DAAD036A83B2EE2FA86D840A34A341100552E723 |
SHA-256: | 6F14C8F01F50A30743DAC68C5AC813451463DFB427EB4E35FCDFE2410E1A913B |
SHA-512: | 8D886643B4FC24ADF78F76B663227D6E61863F89E0CBD49548F40DD040666CA94EA46BEC9E336850E4F300995D56E6DC85B689C8E09FF46758822D280F06B03D |
Malicious: | false |
Antivirus: |
Joe Sandbox View: |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12288 |
Entropy (8bit): | 5.719859767584478 |
Encrypted: | false |
SSDEEP: | 192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6 |
MD5: | 0D7AD4F45DC6F5AA87F606D0331C6901 |
SHA1: | 48DF0911F0484CBE2A8CDD5362140B63C41EE457 |
SHA-256: | 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA |
SHA-512: | C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9 |
Malicious: | false |
Antivirus: |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1850292 |
Entropy (8bit): | 0.15787706683171052 |
Encrypted: | false |
SSDEEP: | 768:OoaZJLqGy5Qo+RU46dPn7e4O7QkhE/EtrgCN85RaQ7EMB+6r26REcybaHpJkCCXx:yHV |
MD5: | F1B19352186CB57567C88C002F5AF9BD |
SHA1: | 96BB06DBF3E930E8174E22C552E788BF62F8792E |
SHA-256: | 9B172DB9C04C16B1C75AA5EEDFA5500FB4650BC59282BBCB5BB2D983C4B00406 |
SHA-512: | AF16686666C2B9CB40C67D79DDA844550ECEA72CD2537F1CEAC0A944799409B5C157ACDA2700327998EAC3FD07A94CB6FA0A3708C24E24403844C092AA1A7AA2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 98946 |
Entropy (8bit): | 2.6636248398837403 |
Encrypted: | false |
SSDEEP: | 1536:8DeRh0t0aKxU6MwkA+F4+YxkQJffONLMyOMdR+znkFoWc1P:C69xfth0Q |
MD5: | 547559994604F940A9B620E2F77CE622 |
SHA1: | A88A27BAE97A5282AF86FF6E3D9F9EA141ED489E |
SHA-256: | 2F5A92758B28AA496A7C0209549FF33A2C09F94DFAD8F48CF615CB1ABE7EEA45 |
SHA-512: | 9A84CC3905FA12A44B17D4AEC87EB5945A0DC0E7553A8FDDE0B9E43606DC461C33C94AAC371B5FC3FD17AF04FE542E42C3BDDE048C33ADAB2E9B41D157DC4CA8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3072070 |
Entropy (8bit): | 0.1574149435101028 |
Encrypted: | false |
SSDEEP: | 768:GYkPCXTz5BZxw9NxlQnAyZSMNwxpqOKNcB5YdPpxk7r6s5WQxNUUlkwrvUcM0gg6:Ln/ |
MD5: | 1A32E4C0027DC7FF10A50CA03C8A1DF9 |
SHA1: | D4C66E381A195EF0E71110645E35C02FA642614D |
SHA-256: | 323EDBC20508A0DB8FDB408E29A45ED0606E5366791CDA820E0ECD4C1A62B37E |
SHA-512: | 94D2B7A01C557AE2C079785DC8756BDFA5F4EDD4AADFA389D1D8877F94BC122B58AC13731B286FF262C7CA68FEEA5552E99AB5FCB414493FE3C1CB739F89B1BE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6157882 |
Entropy (8bit): | 0.15896061425174612 |
Encrypted: | false |
SSDEEP: | 768:g7/K3a5vYm6xqf8FLfJI80SEtK8ccB6X76bD8kNTM5N1LshHe0X9Jk4BzFIpyTVI:w5wodUqLAH6 |
MD5: | 45CD3902AC3254547F0E44C9A016B31B |
SHA1: | 4B9F8CDFD0A8FADE68C4C8EF6D6A1726A601A750 |
SHA-256: | FF0227B020CC3CC727C369F4E938722DC16E797EB2669C764DE823FC46992664 |
SHA-512: | 8935B6547F93FAB6F5E4CA6A258B96AECD86E2785F8DACBAD1CB6C1A641289535A6593D5E0196A56E4E4E662B20279D369F3CA39D1571147A2A92EDD8C1E9DE3 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 345 |
Entropy (8bit): | 4.294234517489459 |
Encrypted: | false |
SSDEEP: | 6:KGljJoxWTCrK0XuLmqarK5pCAyQvLoZ2kMXATrQvkt+fC3ba2AF/PXkSLAJRn:dlj+WTzJm1rKnCAyQvk2kWATrT5a2nNL |
MD5: | 231F388B44C110D6FDD16605BBE17E52 |
SHA1: | D2BEE1AAE2A003FD72A46FFDEDE1B5AB0BF89D86 |
SHA-256: | 325DC82DFE4B64A6FE20E3824BBFE752C0156A6E4239A45AEA7BBC4F1751560D |
SHA-512: | 5AE947D4694D5824D4BB9F64FC5F747660C7C6993CD1B4D86D41587FD0A92BB65657C0F4855010F2E6F4BF7F1689BB2C95EC32D29FC78D2664F52ABB5ACE9081 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 297180 |
Entropy (8bit): | 7.566909397733076 |
Encrypted: | false |
SSDEEP: | 6144:P/Y7fQfN8/F0EYfqw0OfWKu4myakjWF94pmAE9zk:PgwNqo8VYJjWFPAK4 |
MD5: | C806F8FCA8273EBB885B9BDAA9DADE90 |
SHA1: | B03650911D10D0FDA8E577CD15B5A3EFADD8233A |
SHA-256: | 35D5EAC09638EF49B6F69B24C32822AA52AC6E09884F78A20E240F459D04C9CC |
SHA-512: | 123F661DB94B9DB4CF6C714190BBCE02CFEDC4F40B4811934E5219C9B04A067A0F66B8651EDA4F7C72F7F9BD91FA3F98BC45B42961180457D1EB244C20F31874 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1264154 |
Entropy (8bit): | 0.15737251343733819 |
Encrypted: | false |
SSDEEP: | 768:Kz/OAFYCddplBJdxt7g7a6CgpChVGVUOgCwE6o5p5/wrS1jY:YTS |
MD5: | 5F2597B55457B6EA842E218E8D3B098D |
SHA1: | 0795BC493C7B065EF549AA73C4FE9E3384566E7A |
SHA-256: | 6E30C08BC1D4AD6E942130B8F9EFA770DC1812938298114ACC187DD436DB6006 |
SHA-512: | 1DBE04D8CDD6E4881EFB1FA0619728E983EC3E14445D8A9E70796DFB55DA950C255CA30856F6D8B3BF79EC71B9284C07ECD7CD1662E5C9ED2C51B947C4A79FA0 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1785286 |
Entropy (8bit): | 0.157818699705013 |
Encrypted: | false |
SSDEEP: | 768:igjhkFxRk4Cg3EFcNweXS+wUya8d0Dclmrwtx9Rh0hruNz5S2L8HeM+MQ4Ee4EsK:gT |
MD5: | E75D60F1347F2887587045D4F6673154 |
SHA1: | 56930A609A1C67A591A557F7610ACFFCD89AB025 |
SHA-256: | CEDE7492DB5C81B0B046258187557EE9B2C6E791021631FF635409395ED6054A |
SHA-512: | 76060B17EB25286EE47558B72A5C034EF2D0D5EDBE8205F57628740900CB39F81953EC5A5C917CE84FD7ED5FDA6F03AC9C819B598D58B9D2AF12CFB3F5385830 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.952645372285464 |
TrID: |
File name: | PO 0309494059506060609696007.exe |
File size: | 810'408 bytes |
MD5: | 0be2d87edbe429042bf5eb8791a40bfd |
SHA1: | 56d20ae6ba8bcbf137164efe5ebb846b5dabfb3e |
SHA256: | 447a4c0228f0f8c81f9159366e8cdda2af4a5603249f8bf6ceb6fe0d40f32b9a |
SHA512: | 1ec02570405763f1369131cb9405f90cc8ce27f771917462c6331e584e35ba93f2c9bbf0eeeddee5f679bd978525a0dda9d9fa5ecb4ca71f1ac2dc1d43d6c005 |
SSDEEP: | 24576:Gvdzpz6Jwl+mHDoR94vmsgnqVNO7qg+E5cnF:kMwQmoRkYn6NAqDE5cnF |
TLSH: | 80052302B38D5243E971D27469224BB59FBC7D5838684B0377A83A0C7E3B356AD1FD62 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h......... |
Icon Hash: | ec92131fb7aba8f4 |
Entrypoint: | 0x40338f |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5C157F2E [Sat Dec 15 22:24:46 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b34f154ec913d2d2c435cbd644e91687 |
Signature Valid: | false |
Signature Issuer: | CN=Unlimitableness, E=Forpremierer@Raastoftilfrsele.Dra, O=Unlimitableness, L=Singer, OU="Xcl Decayed Stykkerne ", S=Louisiana, C=US |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | 3E362D04FCB3222E9760E41D19853C86 |
Thumbprint SHA-1: | 581045A2F76450A95157425B0D26D9F38845E01D |
Thumbprint SHA-256: | B1F8915EF64E3A009BE0DB9729A7A697D37BEAA4436A8EC77E09BAB3E8369E60 |
Serial: | 741FA8AE4858C7F138070A71A541E67BE284EF1A |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A2E0h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080A8h] |
call dword ptr [004080A4h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [00434EECh], eax |
je 00007FCA9CBCEA63h |
push ebx |
call 00007FCA9CBD1D15h |
cmp eax, ebx |
je 00007FCA9CBCEA59h |
push 00000C00h |
call eax |
mov esi, 004082B0h |
push esi |
call 00007FCA9CBD1C8Fh |
push esi |
call dword ptr [00408150h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007FCA9CBCEA3Ch |
push 0000000Ah |
call 00007FCA9CBD1CE8h |
push 00000008h |
call 00007FCA9CBD1CE1h |
push 00000006h |
mov dword ptr [00434EE4h], eax |
call 00007FCA9CBD1CD5h |
cmp eax, ebx |
je 00007FCA9CBCEA61h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007FCA9CBCEA59h |
or byte ptr [00434EEFh], 00000040h |
push ebp |
call dword ptr [00408044h] |
push ebx |
call dword ptr [004082A0h] |
mov dword ptr [00434FB8h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 0042B208h |
call dword ptr [00408188h] |
push 0040A2C8h |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x73000 | 0x7620 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc4f08 | 0xea0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6627 | 0x6800 | 37029c3103747b9cc70c8ecd944a9b83 | False | 0.6643629807692307 | data | 6.451784672975888 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x14a2 | 0x1600 | eecac1fed9cc6b447d50940d178404d8 | False | 0.4405184659090909 | data | 5.025178929113415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x2aff8 | 0x600 | 939516377e7577b622eb1ffdc4b5db4a | False | 0.517578125 | data | 4.03532418489749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x35000 | 0x3e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x73000 | 0x7620 | 0x7800 | fa3a7dc11d759e32654dca4a134433ea | False | 0.511328125 | data | 5.487917299032731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x73388 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4786307053941909 |
RT_ICON | 0x75930 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5318949343339587 |
RT_ICON | 0x769d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.5804904051172708 |
RT_ICON | 0x77880 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5766393442622951 |
RT_ICON | 0x78208 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.7026173285198556 |
RT_ICON | 0x78ab0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672 | English | United States | 0.8035714285714286 |
RT_ICON | 0x79178 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.6286127167630058 |
RT_ICON | 0x796e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6037234042553191 |
RT_DIALOG | 0x79b48 | 0xb8 | data | English | United States | 0.6467391304347826 |
RT_DIALOG | 0x79c00 | 0x144 | data | English | United States | 0.5216049382716049 |
RT_DIALOG | 0x79d48 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x79e48 | 0x11c | data | English | United States | 0.6091549295774648 |
RT_DIALOG | 0x79f68 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x79fc8 | 0x76 | data | English | United States | 0.6440677966101694 |
RT_VERSION | 0x7a040 | 0x34c | data | English | United States | 0.4703791469194313 |
RT_MANIFEST | 0x7a390 | 0x290 | XML 1.0 document, ASCII text, with very long lines (656), with no line terminators | English | United States | 0.5640243902439024 |
DLL | Import |
---|---|
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T11:07:28.264137+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49752 | 84.38.133.48 | 80 | TCP |
Dec 18, 2024 11:07:28.703747034 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.703886986 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.723381042 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.723438978 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.723521948 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.723618031 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.725256920 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.725311041 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.725321054 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.725379944 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.728967905 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.729053974 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.729063988 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.729113102 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.733066082 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.733145952 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.733217001 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.733295918 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.737051964 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.737121105 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.737165928 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.737220049 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.740417004 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.740473986 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.740556955 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.740619898 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.744239092 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.744297981 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.744313002 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.744368076 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.748040915 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.748101950 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.748117924 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.748177052 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.751934052 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.751988888 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.752053022 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.752109051 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.755721092 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.755789042 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.755801916 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.755860090 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.759639025 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.759694099 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.759732962 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.759792089 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.763289928 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.763359070 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.838560104 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.838607073 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.838659048 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.838709116 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.840827942 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.840912104 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.840958118 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.841020107 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.845033884 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.845091105 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.845175028 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.848372936 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.848427057 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.848433971 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.848479986 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.852209091 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.852263927 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.852291107 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.852340937 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.855833054 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.855900049 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.855978966 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.856056929 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.859652996 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.859715939 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.859864950 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.859987974 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.863380909 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.863442898 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.863473892 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.863540888 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.867542028 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.867618084 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.867667913 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.867727041 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.871452093 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.871520996 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.871558905 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.871612072 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.874648094 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.874735117 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.874752998 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.874818087 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.877679110 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.877752066 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.877774000 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.877841949 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.881149054 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.881220102 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.881267071 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.881341934 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.884202957 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.884270906 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.884316921 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.884371042 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.887159109 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.887218952 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.887257099 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.887311935 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.890374899 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.890444040 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.914716005 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.914753914 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.914792061 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.914822102 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.916063070 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.916126013 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.916131020 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.916198969 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.919039011 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.919111967 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.919198990 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.919276953 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.922030926 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.922101974 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.922122002 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.922184944 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.924987078 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.925044060 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.925075054 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.925256968 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.928441048 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.928498030 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.928509951 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.928559065 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.931440115 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.931498051 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.931577921 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.931649923 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.934396982 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.934453011 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.934514046 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.934647083 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.937000036 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.937064886 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.937109947 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.937163115 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.940073967 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.940129042 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.940136909 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.940184116 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.943248034 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.943303108 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.943368912 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.943370104 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.945915937 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.945985079 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.946085930 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.946150064 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.948911905 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.948975086 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.949064016 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.949119091 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.951873064 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.951935053 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.952008963 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.952317953 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.954803944 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.954869986 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.954962015 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.955018997 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.957866907 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.957904100 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.957931042 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.957961082 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.960844994 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.960902929 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.960916042 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.960959911 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.963747025 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.963814020 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.963872910 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.963936090 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.966779947 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.966820002 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.966936111 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.969750881 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.969789028 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.969820023 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.969855070 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:28.972665071 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:28.972734928 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.034619093 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.034647942 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.034712076 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.034738064 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.035923004 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.035979986 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.036042929 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.036098957 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.038826942 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.038885117 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.038886070 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.038938999 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.041769981 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.041826010 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.041892052 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.041943073 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.044552088 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.044608116 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.044698000 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.044764996 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.047596931 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.047672033 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.047745943 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.047801971 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.050322056 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.050389051 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.050436974 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.050491095 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.053174019 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.053229094 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.053247929 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.053293943 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.055924892 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.055999041 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.056008101 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.056083918 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.058588982 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.058665037 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.058717012 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.058778048 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.061548948 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.061605930 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.061641932 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.061685085 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.063906908 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.063973904 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.064011097 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.064073086 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.066262960 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.066325903 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.066378117 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.066472054 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.068763971 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.068856955 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.068928957 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.068999052 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.071352005 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.071423054 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.071466923 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.071517944 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.073698997 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.073771000 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.073848009 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.073910952 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.075752974 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.075824976 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.075901031 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.075965881 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.077956915 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.078039885 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.078095913 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.078222990 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.080518007 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.080575943 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.080584049 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.080631018 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.082425117 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.082479954 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.082494020 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.082542896 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.084778070 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.084815979 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.084840059 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.084868908 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.086774111 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.086843967 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.086863995 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.086934090 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.088967085 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.089030981 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.089046001 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.089102983 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.091195107 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.091264963 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.091336966 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.091398001 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.092641115 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.092705965 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.092734098 CET | 80 | 49752 | 84.38.133.48 | 192.168.2.4 |
Dec 18, 2024 11:07:29.092798948 CET | 49752 | 80 | 192.168.2.4 | 84.38.133.48 |
Dec 18, 2024 11:07:29.605180025 CET | 49759 | 443 | 192.168.2.4 | 104.26.12.205 |
Dec 18, 2024 11:07:29.605236053 CET | 443 | 49759 | 104.26.12.205 | 192.168.2.4 |
Dec 18, 2024 11:07:29.605484962 CET | 49759 | 443 | 192.168.2.4 | 104.26.12.205 |
Dec 18, 2024 11:07:29.622454882 CET | 49759 | 443 | 192.168.2.4 | 104.26.12.205 |
Dec 18, 2024 11:07:29.622473955 CET | 443 | 49759 | 104.26.12.205 | 192.168.2.4 |
Dec 18, 2024 11:07:30.841131926 CET | 443 | 49759 | 104.26.12.205 | 192.168.2.4 |
Dec 18, 2024 11:07:30.841248035 CET | 49759 | 443 | 192.168.2.4 | 104.26.12.205 |
Dec 18, 2024 11:07:30.843880892 CET | 49759 | 443 | 192.168.2.4 | 104.26.12.205 |
Dec 18, 2024 11:07:30.843899965 CET | 443 | 49759 | 104.26.12.205 | 192.168.2.4 |
Dec 18, 2024 11:07:30.844185114 CET | 443 | 49759 | 104.26.12.205 | 192.168.2.4 |
Dec 18, 2024 11:07:30.887723923 CET | 49759 | 443 | 192.168.2.4 | 104.26.12.205 |
Dec 18, 2024 11:07:30.903805017 CET | 49759 | 443 | 192.168.2.4 | 104.26.12.205 |
Dec 18, 2024 11:07:30.947335005 CET | 443 | 49759 | 104.26.12.205 | 192.168.2.4 |
Dec 18, 2024 11:07:31.273915052 CET | 443 | 49759 | 104.26.12.205 | 192.168.2.4 |
Dec 18, 2024 11:07:31.274066925 CET | 443 | 49759 | 104.26.12.205 | 192.168.2.4 |
Dec 18, 2024 11:07:31.274481058 CET | 49759 | 443 | 192.168.2.4 | 104.26.12.205 |
Dec 18, 2024 11:07:31.280457973 CET | 49759 | 443 | 192.168.2.4 | 104.26.12.205 |
Dec 18, 2024 11:07:32.891582966 CET | 49767 | 21 | 192.168.2.4 | 192.185.13.234 |
Dec 18, 2024 11:07:33.011343002 CET | 21 | 49767 | 192.185.13.234 | 192.168.2.4 |
Dec 18, 2024 11:07:33.011428118 CET | 49767 | 21 | 192.168.2.4 | 192.185.13.234 |
Dec 18, 2024 11:07:33.015301943 CET | 49767 | 21 | 192.168.2.4 | 192.185.13.234 |
Dec 18, 2024 11:07:33.183453083 CET | 21 | 49767 | 192.185.13.234 | 192.168.2.4 |
Dec 18, 2024 11:07:33.183866024 CET | 49767 | 21 | 192.168.2.4 | 192.185.13.234 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 18, 2024 11:07:29.461946964 CET | 61728 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 18, 2024 11:07:29.599057913 CET | 53 | 61728 | 1.1.1.1 | 192.168.2.4 |
Dec 18, 2024 11:07:32.174330950 CET | 49873 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 18, 2024 11:07:32.890166998 CET | 53 | 49873 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 18, 2024 11:07:29.461946964 CET | 192.168.2.4 | 1.1.1.1 | 0x8b48 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 18, 2024 11:07:32.174330950 CET | 192.168.2.4 | 1.1.1.1 | 0x2715 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 18, 2024 11:07:29.599057913 CET | 1.1.1.1 | 192.168.2.4 | 0x8b48 | No error (0) | | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
Dec 18, 2024 11:07:29.599057913 CET | 1.1.1.1 | 192.168.2.4 | 0x8b48 | No error (0) | | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
Dec 18, 2024 11:07:29.599057913 CET | 1.1.1.1 | 192.168.2.4 | 0x8b48 | No error (0) | | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
Dec 18, 2024 11:07:32.890166998 CET | 1.1.1.1 | 192.168.2.4 | 0x2715 | No error (0) | | concaribe.com | | CNAME (Canonical name) | IN (0x0001) | false |
Dec 18, 2024 11:07:32.890166998 CET | 1.1.1.1 | 192.168.2.4 | 0x2715 | No error (0) | | | 192.185.13.234 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49752 | 84.38.133.48 | 80 | 2128 | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 18, 2024 11:07:27.033941984 CET | 178 | OUT | |
Dec 18, 2024 11:07:28.264004946 CET | 1236 | IN | |
Dec 18, 2024 11:07:28.264082909 CET | 1236 | IN | |
Dec 18, 2024 11:07:28.264137030 CET | 1236 | IN | |
Dec 18, 2024 11:07:28.264174938 CET | 1236 | IN | |
Dec 18, 2024 11:07:28.264209986 CET | 896 | IN | |
Dec 18, 2024 11:07:28.340922117 CET | 1236 | IN | |
Dec 18, 2024 11:07:28.340960979 CET | 1236 | IN | |
Dec 18, 2024 11:07:28.340986013 CET | 448 | IN | |
Dec 18, 2024 11:07:28.341092110 CET | 1236 | IN | |
Dec 18, 2024 11:07:28.341108084 CET | 1236 | IN | |
Dec 18, 2024 11:07:28.383932114 CET | 1236 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49759 | 104.26.12.205 | 443 | 2128 | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-18 10:07:30 UTC | 155 | OUT | |
2024-12-18 10:07:31 UTC | 424 | IN | |
2024-12-18 10:07:31 UTC | 12 | IN |
Target ID: | 0 |
Start time: | 05:06:23 |
Start date: | 18/12/2024 |
Path: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 810'408 bytes |
MD5 hash: | 0BE2D87EDBE429042BF5EB8791A40BFD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 05:07:20 |
Start date: | 18/12/2024 |
Path: | C:\Users\user\Desktop\PO 0309494059506060609696007.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 810'408 bytes |
MD5 hash: | 0BE2D87EDBE429042BF5EB8791A40BFD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 23.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 19.5% |
Total number of Nodes: | 1548 |
Total number of Limit Nodes: | 40 |
Function 0040338F Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410, Tags: string, file, com, COMMON
Function 00405461 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284, Tags: window, clipboard, memory, COMMON
Function 004059CC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148, Tags: file, string, COMMON
Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004039AA Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215stringregistryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004062DC Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 209stringCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405322 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406624 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405C97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004058A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402259 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004053F5 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405DB0 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040586E Relevance: 3.0, APIs: 2, Instructions: 9COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405E62 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405E33 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E422993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403347 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404266 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004058E6 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404253 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E422AAC Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401F06 Relevance: 1.3, APIs: 1, Instructions: 37COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E42121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404C9E Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481windowmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404722 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E421B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004072EC Relevance: 2.8, Strings: 2, Instructions: 300COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406B15 Relevance: .3, Instructions: 334COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004043F0 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 204windowstringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405F06 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404298 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404BEC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E42161D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41memorylibraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E422569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E4218D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E422394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404ADE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405B8F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405296 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405BDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E4210E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405D15 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage: | 9.6% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 31 |
Total number of Limit Nodes: | 4 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
36263158 | 9.3 | | 7 | 545 | COMMON |
36262370 | 3.5 | | 2 | 1034 | COMMON |
0015E360 | 2.8 | | 2 | 331 | COMMON |
0015AAAC | 2.8 | | | 2764 | COMMON |
362666C0 | 2.1 | | 1 | 812 | COMMON |
00153E40 | 1.5 | | 1 | 238 | COMMON |
3626C240 | .6 | | | 632 | COMMON |
362656A0 | .6 | | | 586 | COMMON |
3626B2F0 | .6 | | | 560 | COMMON |
0015A220 | .4 | | | 366 | COMMON |
0015A590 | .4 | | | 361 | COMMON |
00154A58 | .3 | | | 266 | COMMON |
36264C68 | 6.4 | | 5 | 186 | COMMON |
3625320A | 6.1 | 4 | | 128 | thread, COMMON |
36253210 | 6.1 | 4 | | 128 | thread, COMMON |
36264C59 | 3.9 | | 3 | 139 | COMMON |
001587B9 | 3.1 | | 2 | 556 | COMMON |
36269200 | 2.7 | | 2 | 177 | COMMON |
36268390 | 2.5 | | 2 | 40 | COMMON |
3625D7E4 | 1.6 | 1 | | 118 | COMMON |
3625D7F0 | 1.6 | 1 | | 113 | COMMON |
36630040 | 1.6 | 1 | | 93 | COMMON |
36253450 | 1.6 | 1 | | 65 | COMMON |
36253458 | 1.6 | 1 | | 62 | COMMON |
36631780 | 1.5 | 1 | | 46 | com, COMMON |
36632570 | 1.5 | 1 | | 46 | com, COMMON |
0015F2C6 | 1.5 | | 1 | 236 | COMMON |
00153E34 | 1.5 | | 1 | 235 | COMMON |
00157CA0 | 1.5 | | 1 | 228 | COMMON |
362646B8 | 1.5 | | 1 | 218 | COMMON |
362646D0 | 1.5 | | 1 | 210 | COMMON |
3626DB7D | 1.4 | | 1 | 125 | COMMON |
0015F480 | 1.4 | | 1 | 115 | COMMON |
362621EB | 1.4 | | 1 | 106 | COMMON |
362621F8 | 1.4 | | 1 | 105 | COMMON |
00157D58 | 1.4 | | 1 | 101 | COMMON |
00150848 | 1.3 | | 1 | 62 | COMMON |
00150838 | 1.3 | | 1 | 61 | COMMON |
0015E298 | 1.3 | | 1 | 60 | COMMON |
0015E2A8 | 1.3 | | 1 | 59 | COMMON |
00156B60 | 1.3 | | 1 | 56 | COMMON |
00159038 | .9 | | | 940 | COMMON |
00159048 | .9 | | | 934 | COMMON |
0015DD90 | .3 | | | 333 | COMMON |
00154A4F | .3 | | | 262 | COMMON |
362662C0 | .2 | | | 229 | COMMON |
36264399 | .2 | | | 227 | COMMON |
3626FC68 | .2 | | | 176 | COMMON |
3626FA28 | .2 | | | 163 | COMMON |
00151108 | .1 | | | 139 | COMMON |
00156C9C | .1 | | | 135 | COMMON |
00156CA8 | .1 | | | 132 | COMMON |
36265511 | .1 | | | 132 | COMMON |
00156F34 | .1 | | | 120 | COMMON |
0015EF10 | .1 | | | 118 | COMMON |
0015E998 | .1 | | | 112 | COMMON |
0015E988 | .1 | | | 110 | COMMON |
00151138 | .1 | | | 100 | COMMON |
0015269C | .1 | | | 95 | COMMON |
00151660 | .1 | | | 93 | COMMON |
001526A8 | .1 | | | 90 | COMMON |
00157E71 | .1 | | | 86 | COMMON |
0015A100 | .1 | | | 81 | COMMON |
36263B98 | .1 | | | 80 | COMMON |
0015A110 | .1 | | | 78 | COMMON |
36263BA8 | .1 | | | 78 | COMMON |
0015A000 | .1 | | | 76 | COMMON |
00154F48 | .1 | | | 74 | COMMON |
00151780 | .1 | | | 72 | COMMON |
000AD030 | .1 | | | 72 | COMMON |
0015183C | .1 | | | 71 | COMMON |
0015A010 | .1 | | | 70 | COMMON |
00151848 | .1 | | | 70 | COMMON |
0015134B | .1 | | | 69 | COMMON |
00151670 | .1 | | | 69 | COMMON |
00154F58 | .1 | | | 68 | COMMON |
36266DD8 | .1 | | | 68 | COMMON |
0015E7F8 | .1 | | | 67 | COMMON |
0015144B | .1 | | | 63 | COMMON |
362642F8 | .1 | | | 59 | COMMON |
36263CB8 | .1 | | | 59 | COMMON |
3626EF0F | .1 | | | 54 | COMMON |
00151458 | .1 | | | 53 | COMMON |
3626EE51 | .1 | | | 53 | COMMON |
000AD02B | .1 | | | 53 | COMMON |
36263970 | .1 | | | 52 | COMMON |
36263978 | .1 | | | 52 | COMMON |
36264308 | .1 | | | 51 | COMMON |
3626A3C9 | .1 | | | 51 | COMMON |
36263CA8 | .1 | | | 51 | COMMON |
3626EE60 | .0 | | | 49 | COMMON |
0015A750 | .0 | | | 47 | COMMON |
0015F200 | .0 | | | 46 | COMMON |
3626A3D8 | .0 | | | 46 | COMMON |
0015F210 | .0 | | | 41 | COMMON |
3626C898 | .0 | | | 33 | COMMON |
36266540 | .0 | | | 25 | COMMON |
0015E7D0 | .0 | | | 16 | COMMON |
0015E7C0 | .0 | | | 15 | COMMON |
0040338F | 73.9 | 32 | 10 | 410 | string, file, com, COMMON |
00404C9E | 63.5 | 33 | 3 | 481 | window, memory, COMMON |
36267760 | 14.2 | | 11 | 468 | COMMON |
004059CC | 14.1 | 7 | 1 | 148 | file, string, COMMON |
00405461 | 65.0 | 36 | 1 | 284 | window, clipboard, memory, COMMON |
004039AA | 37.0 | 13 | 8 | 215 | string, registry, COMMON |
004043F0 | 37.0 | 19 | 2 | 204 | window, string, COMMON |
00405F06 | 21.1 | 10 | 2 | 130 | memory, string, COMMON |
00404722 | 19.5 | 10 | 1 | 275 | string, COMMON |
004062DC | 16.0 | 7 | 2 | 209 | string, COMMON |
00404298 | 12.1 | 8 | | 68 | COMMON |
0040264A | 10.7 | 5 | 1 | 153 | file, COMMON |
00404BEC | 10.5 | 5 | 1 | 48 | window, COMMON |
00402DF3 | 10.5 | 5 | 1 | 40 | time, COMMON |
00406624 | 10.5 | 3 | 3 | 36 | library, COMMON |
3626AA00 | 10.2 | | 8 | 229 | COMMON |
36267160 | 9.2 | | 7 | 405 | COMMON |
00401DB9 | 7.5 | 5 | | 43 | COMMON |
00401D5D | 7.5 | 5 | | 39 | window, COMMON |
00401C1F | 7.1 | 3 | 1 | 84 | window, time, COMMON |
00404ADE | 7.1 | 3 | 1 | 84 | string, COMMON |
004057F1 | 6.0 | 4 | | 39 | COMMON |
00402E79 | 6.0 | 4 | | 33 | COMMON |
00405296 | 5.3 | 2 | 1 | 46 | window, COMMON |
36268498 | 5.3 | | 4 | 282 | COMMON |
004058A3 | 5.3 | 2 | 1 | 24 | process, COMMON |
362688B0 | 5.2 | | 4 | 168 | COMMON |
3626AD88 | 5.2 | | 4 | 162 | COMMON |
3626AE14 | 5.1 | | 4 | 117 | COMMON |
00405D15 | 5.0 | 4 | | 37 | string, COMMON |