Play interactive tour
Edit tourAnalysis Report New Inquiry015 02-12-2020.exe
Overview
General Information
| Sample Name: | New Inquiry015 02-12-2020.exe |
| Analysis ID: | 326332 |
| MD5: | 927fab3ec236804c2a332e74eebfc470 |
| SHA1: | 9d53579e681124074b4c568d01bc3a405d55bd89 |
| SHA256: | 52eaa2efa586bbcabbba08c6bb8f4b139ef7133c3f8fd1e5df73b19412b73acd |
| Tags: | AgentTeslaexe |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large strings
Installs a global keyboard hook
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Username: ": "WVWbQTBst", "URL: ": "https://K10aXlbvtt.com", "To: ": "markchez@divasvalves.com", "ByHost: ": "smtp.divasvalves.com:587", "Password: ": "FfVLcmdRdZNwTBR", "From: ": "markchez@divasvalves.com"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 5 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | ReversingLabs: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing: | |
|---|
| Installs a global keyboard hook | Show sources | ||
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Window created: | Jump to behavior | ||
System Summary: | |
|---|
| .NET source code contains very large strings | Show sources | ||
| Source: | Long String: | ||
| Source: | Long String: | ||
| Source: | Long String: | ||
| Source: | Long String: | ||
| Source: | Long String: | ||
| Source: | Code function: | 0_2_0186A458 | |
| Source: | Code function: | 0_2_0186A908 | |
| Source: | Code function: | 0_2_01869CF0 | |
| Source: | Code function: | 0_2_01867F70 | |
| Source: | Code function: | 0_2_018669F8 | |
| Source: | Code function: | 0_2_01867F7F | |
| Source: | Code function: | 0_2_00E8AFE1 | |
| Source: | Code function: | 1_3_00F059E8 | |
| Source: | Code function: | 1_3_00F059E8 | |
| Source: | Code function: | 1_3_00F07A6D | |
| Source: | Code function: | 1_3_00F07A6D | |
| Source: | Code function: | 1_3_00F059E8 | |
| Source: | Code function: | 1_3_00F059E8 | |
| Source: | Code function: | 1_3_00F07A6D | |
| Source: | Code function: | 1_3_00F07A6D | |
| Source: | Code function: | 1_2_01074860 | |
| Source: | Code function: | 1_2_0107479C | |
| Source: | Code function: | 1_2_0107DBE0 | |
| Source: | Code function: | 1_2_0066AFE1 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0186C871 | |
| Source: | Code function: | 1_3_00F0C8D6 | |
| Source: | Code function: | 1_3_00F0C8D6 | |
| Source: | Code function: | 1_3_00F09716 | |
| Source: | Code function: | 1_3_00F09716 | |
| Source: | Code function: | 1_3_00F0C8D6 | |
| Source: | Code function: | 1_3_00F0C8D6 | |
| Source: | Code function: | 1_3_00F09716 | |
| Source: | Code function: | 1_3_00F09716 | |
| Source: | Static PE information: | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Moves itself to temp directory | Show sources | ||
| Source: | File moved: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Yara detected AntiVM_3 | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection12 | Masquerading11 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion13 | Input Capture11 | Security Software Discovery211 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Credentials in Registry1 | Virtualization/Sandbox Evasion13 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Process Discovery2 | Distributed Component Object Model | Data from Local System2 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Application Window Discovery1 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing3 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 29% | ReversingLabs | Win32.Trojan.Wacatac | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | high | |
| smtp.divasvalves.com | unknown | unknown | true | unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| low | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 208.91.198.143 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Red Diamond |
| Analysis ID: | 326332 |
| Start date: | 03.12.2020 |
| Start time: | 10:00:17 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 7m 58s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | New Inquiry015 02-12-2020.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 15 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/2@2/1 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 10:01:11 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 208.91.198.143 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| us2.smtp.mailhostbox.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| PUBLIC-DOMAIN-REGISTRYUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\New Inquiry015 02-12-2020.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 792 |
| Entropy (8bit): | 5.331449916613832 |
| Encrypted: | false |
| SSDEEP: | 24:MLKE4K5E4Ks29E4Kx1qE4x84qXKDE4KhK3VZ9pKhk:MuHK5HKX9HKx1qHxviYHKhQnok |
| MD5: | 48C35637F4E5AE32A768BDF159A4B32E |
| SHA1: | C27B5E37426D6496AF195A39B7882DF50341EE4A |
| SHA-256: | 43567270C0C1C1BCD458595B138034B2A6F6DC4B2DFFA475AE7D629BE4C93BD2 |
| SHA-512: | B4E98A592CC5EDB8E3379283756A01B7712922748BF4FC19E41B1205DD404367C11357BB17824419A2C4B2CE007BEAA55EBA97F602BC5B361EABC222CBC0374D |
| Malicious: | true |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\New Inquiry015 02-12-2020.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.7006690334145785 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ |
| MD5: | A7FE10DA330AD03BF22DC9AC76BBB3E4 |
| SHA1: | 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803 |
| SHA-256: | 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8 |
| SHA-512: | 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.972928552890045 |
| TrID: |
|
| File name: | New Inquiry015 02-12-2020.exe |
| File size: | 669696 |
| MD5: | 927fab3ec236804c2a332e74eebfc470 |
| SHA1: | 9d53579e681124074b4c568d01bc3a405d55bd89 |
| SHA256: | 52eaa2efa586bbcabbba08c6bb8f4b139ef7133c3f8fd1e5df73b19412b73acd |
| SHA512: | eddf68ec625e3b2762898334ea110ce50896b18c74437ffa41607e540ca027570b2b7b05297ee778260af935d33e3c0ac5977630c80a95893217ebacd6ec7211 |
| SSDEEP: | 12288:R1YN3HcZOc5y2m7VVVwBjc4XQaEKPoOXa8Bv+nSXcJygY022qPVGNbTuMuKBD7h2:RCGtm7VVWVc47EKxR1XHgY0KST0sDd |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_............................nM... ........@.. ....................................@................................ |
File Icon |
|---|
 | |
| Icon Hash: | 00828e8e8686b000 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4a4d6e |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x5FC88A9F [Thu Dec 3 06:50:07 2020 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | v4.0.30319 |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| jmp dword ptr [00402000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa4d18 | 0x53 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa6000 | 0x600 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa8000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xa2d74 | 0xa2e00 | False | 0.701539116462 | data | 6.982280721 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xa6000 | 0x600 | 0x600 | False | 0.423828125 | data | 4.12641764671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xa8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0xa6090 | 0x33c | data | ||
| RT_MANIFEST | 0xa63dc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Copyright 2011 |
| Assembly Version | 1.0.0.0 |
| InternalName | Comparison.exe |
| FileVersion | 1.0.0.0 |
| CompanyName | |
| LegalTrademarks | |
| Comments | |
| ProductName | LoginWindowsApp |
| ProductVersion | 1.0.0.0 |
| FileDescription | LoginWindowsApp |
| OriginalFilename | Comparison.exe |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 12/03/20-10:02:55.988113 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| 12/03/20-10:02:58.530516 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 3, 2020 10:02:54.815262079 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:54.955060959 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:54.955190897 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.129978895 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:55.130573034 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.270167112 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:55.270190954 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:55.273320913 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.413796902 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:55.414503098 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.557017088 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:55.557873964 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.698493004 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:55.698824883 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.846493959 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:55.846761942 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.986730099 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:55.988112926 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.989460945 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.991358042 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:55.991436958 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:56.129251003 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:56.131319046 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:56.194679976 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:56.238949060 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:57.214791059 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:57.355056047 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:57.355082035 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:57.355763912 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:57.355990887 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:57.387542009 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:57.495573044 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:57.527240038 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:57.527512074 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:57.670902967 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:57.671999931 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:57.811760902 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:57.811790943 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:57.812258005 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:57.952862024 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:57.953417063 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.095611095 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.096184969 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.236953020 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.237379074 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.387217045 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.388664961 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.528650045 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.530353069 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.530515909 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.530735016 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.531007051 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.531420946 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.531714916 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.531852961 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.531996012 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
| Dec 3, 2020 10:02:58.670317888 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.670655966 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.671144009 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.671432972 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.711273909 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.729501009 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 |
| Dec 3, 2020 10:02:58.770420074 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 3, 2020 10:01:08.365770102 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:08.392812967 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:13.526911020 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:13.554215908 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:14.232656002 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:14.259566069 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:14.950529099 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:14.985944033 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:15.796560049 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:15.823668003 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:16.665685892 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:16.703291893 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:17.368021011 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:17.395117998 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:18.281007051 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:18.308002949 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:19.149399042 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:19.176372051 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:19.949589014 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:19.976723909 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:20.661941051 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:20.689091921 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:21.390635967 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:21.417792082 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:22.068269968 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:22.095283985 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:23.007288933 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:23.034295082 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:23.886585951 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:23.923487902 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:25.304847956 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:25.340215921 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:29.985838890 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:30.032525063 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:47.429356098 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:47.474276066 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:48.009885073 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:48.047204018 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:48.442094088 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:48.477776051 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:48.766396046 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:48.801888943 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:49.152143002 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:49.187629938 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:49.201802015 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:49.228899002 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:49.575659990 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:49.611291885 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:50.070584059 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:50.106129885 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:50.756815910 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:50.792040110 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:51.047612906 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:51.074728966 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:51.373884916 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:51.409874916 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:01:51.720226049 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:01:51.755512953 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:02:04.225805044 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:02:04.252681971 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:02:04.421952009 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:02:04.473043919 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:02:08.635235071 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:02:08.672954082 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:02:38.401024103 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:02:38.428143024 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:02:39.954230070 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:02:39.989928007 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:02:54.613017082 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:02:54.648587942 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
| Dec 3, 2020 10:02:54.662266016 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8 |
| Dec 3, 2020 10:02:54.702991962 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Dec 3, 2020 10:02:54.613017082 CET | 192.168.2.4 | 8.8.8.8 | 0x18df | Standard query (0) | A (IP address) | IN (0x0001) | |
| Dec 3, 2020 10:02:54.662266016 CET | 192.168.2.4 | 8.8.8.8 | 0xe717 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Dec 3, 2020 10:02:54.648587942 CET | 8.8.8.8 | 192.168.2.4 | 0x18df | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
| Dec 3, 2020 10:02:54.648587942 CET | 8.8.8.8 | 192.168.2.4 | 0x18df | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
| Dec 3, 2020 10:02:54.648587942 CET | 8.8.8.8 | 192.168.2.4 | 0x18df | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
| Dec 3, 2020 10:02:54.648587942 CET | 8.8.8.8 | 192.168.2.4 | 0x18df | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
| Dec 3, 2020 10:02:54.648587942 CET | 8.8.8.8 | 192.168.2.4 | 0x18df | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
| Dec 3, 2020 10:02:54.702991962 CET | 8.8.8.8 | 192.168.2.4 | 0xe717 | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
| Dec 3, 2020 10:02:54.702991962 CET | 8.8.8.8 | 192.168.2.4 | 0xe717 | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
| Dec 3, 2020 10:02:54.702991962 CET | 8.8.8.8 | 192.168.2.4 | 0xe717 | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
| Dec 3, 2020 10:02:54.702991962 CET | 8.8.8.8 | 192.168.2.4 | 0xe717 | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
| Dec 3, 2020 10:02:54.702991962 CET | 8.8.8.8 | 192.168.2.4 | 0xe717 | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Dec 3, 2020 10:02:55.129978895 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
| Dec 3, 2020 10:02:55.130573034 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 413794 |
| Dec 3, 2020 10:02:55.270190954 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
| Dec 3, 2020 10:02:55.273320913 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 | AUTH login bWFya2NoZXpAZGl2YXN2YWx2ZXMuY29t |
| Dec 3, 2020 10:02:55.413796902 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
| Dec 3, 2020 10:02:55.557017088 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 | 235 2.7.0 Authentication successful |
| Dec 3, 2020 10:02:55.557873964 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 | MAIL FROM:<markchez@divasvalves.com> |
| Dec 3, 2020 10:02:55.698493004 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 | 250 2.1.0 Ok |
| Dec 3, 2020 10:02:55.698824883 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 | RCPT TO:<markchez@divasvalves.com> |
| Dec 3, 2020 10:02:55.846493959 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 | 250 2.1.5 Ok |
| Dec 3, 2020 10:02:55.846761942 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 | DATA |
| Dec 3, 2020 10:02:55.986730099 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
| Dec 3, 2020 10:02:55.991436958 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 | . |
| Dec 3, 2020 10:02:56.194679976 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 | 250 2.0.0 Ok: queued as BE2201C1F43 |
| Dec 3, 2020 10:02:57.214791059 CET | 49765 | 587 | 192.168.2.4 | 208.91.198.143 | QUIT |
| Dec 3, 2020 10:02:57.355056047 CET | 587 | 49765 | 208.91.198.143 | 192.168.2.4 | 221 2.0.0 Bye |
| Dec 3, 2020 10:02:57.670902967 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
| Dec 3, 2020 10:02:57.671999931 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 413794 |
| Dec 3, 2020 10:02:57.811790943 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
| Dec 3, 2020 10:02:57.812258005 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 | AUTH login bWFya2NoZXpAZGl2YXN2YWx2ZXMuY29t |
| Dec 3, 2020 10:02:57.952862024 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
| Dec 3, 2020 10:02:58.095611095 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 | 235 2.7.0 Authentication successful |
| Dec 3, 2020 10:02:58.096184969 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 | MAIL FROM:<markchez@divasvalves.com> |
| Dec 3, 2020 10:02:58.236953020 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 | 250 2.1.0 Ok |
| Dec 3, 2020 10:02:58.237379074 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 | RCPT TO:<markchez@divasvalves.com> |
| Dec 3, 2020 10:02:58.387217045 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 | 250 2.1.5 Ok |
| Dec 3, 2020 10:02:58.388664961 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 | DATA |
| Dec 3, 2020 10:02:58.528650045 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
| Dec 3, 2020 10:02:58.531996012 CET | 49766 | 587 | 192.168.2.4 | 208.91.198.143 | . |
| Dec 3, 2020 10:02:58.729501009 CET | 587 | 49766 | 208.91.198.143 | 192.168.2.4 | 250 2.0.0 Ok: queued as 4DFF41C2110 |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 10:01:08 |
| Start date: | 03/12/2020 |
| Path: | C:\Users\user\Desktop\New Inquiry015 02-12-2020.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe80000 |
| File size: | 669696 bytes |
| MD5 hash: | 927FAB3EC236804C2A332E74EEBFC470 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 10:01:12 |
| Start date: | 03/12/2020 |
| Path: | C:\Users\user\Desktop\New Inquiry015 02-12-2020.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x660000 |
| File size: | 669696 bytes |
| MD5 hash: | 927FAB3EC236804C2A332E74EEBFC470 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 0186A908, Relevance: 1.0, Instructions: 979COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01869CF0, Relevance: .6, Instructions: 564COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01867F70, Relevance: .5, Instructions: 459COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01867F7F, Relevance: .4, Instructions: 376COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0186A458, Relevance: .3, Instructions: 328COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01867804, Relevance: 1.6, APIs: 1, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0186612C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01861737, Relevance: 1.6, APIs: 1, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01861488, Relevance: 1.6, APIs: 1, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01861498, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016DD1E9, Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016DD1E8, Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 018669F8, Relevance: 4.3, Strings: 3, Instructions: 571COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01073F08, Relevance: 1.8, APIs: 1, Instructions: 275COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0107430C, Relevance: 1.6, APIs: 1, Instructions: 122COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01075244, Relevance: 1.6, APIs: 1, Instructions: 115COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01075250, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01076A34, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01074268, Relevance: 1.6, APIs: 1, Instructions: 77COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01076D20, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01076D28, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0107C778, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01072FF4, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|