Play interactive tour
Edit tourAnalysis Report PRODUCT INQUIRY FROM PAKISTAN.exe
Overview
General Information
| Sample Name: | PRODUCT INQUIRY FROM PAKISTAN.exe |
| Analysis ID: | 412582 |
| MD5: | 6efee5c2282e20bafb495451512c5ca7 |
| SHA1: | 72d3a5bac34e50b19f4df7ae42f37a950e099e5c |
| SHA256: | 860b99eb4a09674fe70d72bb997b2cf38bfc62eb2794a13d623048d5f5b422d2 |
| Tags: | exe |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Moves itself to temp directory
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "SMTP Info": "staffs@globaloffs-site.comyLxCDRZ2smtp.globaloffs-site.com"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 6 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 1 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | ReversingLabs: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_02301718 | |
| Source: | Code function: | 0_2_023016D1 | |
| Source: | Code function: | 0_2_04946F14 | |
| Source: | Code function: | 0_2_0494A948 | |
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing: | |
|---|
| Contains functionality to register a low level keyboard hook | Show sources | ||
| Source: | Code function: | 4_2_01402298 | |
| Installs a global keyboard hook | Show sources | ||
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Window created: | Jump to behavior | ||
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| PE file contains section with special chars | Show sources | ||
| Source: | Static PE information: | ||
| PE file has nameless sections | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_02303690 | |
| Source: | Code function: | 0_2_0230B288 | |
| Source: | Code function: | 0_2_02309FD0 | |
| Source: | Code function: | 0_2_02302CC0 | |
| Source: | Code function: | 0_2_02300538 | |
| Source: | Code function: | 0_2_02302520 | |
| Source: | Code function: | 0_2_02304578 | |
| Source: | Code function: | 0_2_02304A08 | |
| Source: | Code function: | 0_2_0230A2A8 | |
| Source: | Code function: | 0_2_02303680 | |
| Source: | Code function: | 0_2_023066C0 | |
| Source: | Code function: | 0_2_02306B50 | |
| Source: | Code function: | 0_2_02305431 | |
| Source: | Code function: | 0_2_02306010 | |
| Source: | Code function: | 0_2_02302478 | |
| Source: | Code function: | 0_2_02305440 | |
| Source: | Code function: | 0_2_0230A8B0 | |
| Source: | Code function: | 0_2_02302CB2 | |
| Source: | Code function: | 0_2_02307898 | |
| Source: | Code function: | 0_2_02304489 | |
| Source: | Code function: | 0_2_023068F8 | |
| Source: | Code function: | 0_2_023068E8 | |
| Source: | Code function: | 0_2_02306D30 | |
| Source: | Code function: | 0_2_02306D20 | |
| Source: | Code function: | 0_2_0230052A | |
| Source: | Code function: | 0_2_02303158 | |
| Source: | Code function: | 0_2_02301948 | |
| Source: | Code function: | 0_2_02303149 | |
| Source: | Code function: | 0_2_04949261 | |
| Source: | Code function: | 0_2_04945628 | |
| Source: | Code function: | 0_2_04948030 | |
| Source: | Code function: | 0_2_04D59C70 | |
| Source: | Code function: | 0_2_04D57DDF | |
| Source: | Code function: | 0_2_04D55560 | |
| Source: | Code function: | 0_2_04D55E68 | |
| Source: | Code function: | 0_2_04D50054 | |
| Source: | Code function: | 0_2_04D589D0 | |
| Source: | Code function: | 0_2_04D55948 | |
| Source: | Code function: | 0_2_04D5D298 | |
| Source: | Code function: | 0_2_04D59260 | |
| Source: | Code function: | 0_2_04D55230 | |
| Source: | Code function: | 0_2_04D533B0 | |
| Source: | Code function: | 0_2_04D5CC80 | |
| Source: | Code function: | 0_2_04D5CC70 | |
| Source: | Code function: | 0_2_04D55551 | |
| Source: | Code function: | 0_2_04D5CE91 | |
| Source: | Code function: | 0_2_04D5CEA0 | |
| Source: | Code function: | 0_2_04D57E51 | |
| Source: | Code function: | 0_2_04D55E5B | |
| Source: | Code function: | 0_2_04D5C630 | |
| Source: | Code function: | 0_2_04D5C621 | |
| Source: | Code function: | 0_2_04D55768 | |
| Source: | Code function: | 0_2_04D5D098 | |
| Source: | Code function: | 0_2_04D5D0A8 | |
| Source: | Code function: | 0_2_04D589BB | |
| Source: | Code function: | 4_2_00BE51B2 | |
| Source: | Code function: | 4_2_012BC768 | |
| Source: | Code function: | 4_2_012B5B90 | |
| Source: | Code function: | 4_2_012BDA80 | |
| Source: | Code function: | 4_2_012B1ECC | |
| Source: | Code function: | 4_2_012BA70E | |
| Source: | Code function: | 4_2_012BA770 | |
| Source: | Code function: | 4_2_012B82D0 | |
| Source: | Code function: | 4_2_0140D100 | |
| Source: | Code function: | 4_2_0140C118 | |
| Source: | Code function: | 4_2_014016E8 | |
| Source: | Code function: | 4_2_014B5DC0 | |
| Source: | Code function: | 4_2_014B64F8 | |
| Source: | Code function: | 4_2_014B57C8 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Data Obfuscation: | |
|---|
| Detected unpacking (changes PE section rights) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_000BFFC8 | |
| Source: | Code function: | 0_2_02308617 | |
| Source: | Code function: | 0_2_02308621 | |
| Source: | Code function: | 0_2_04949EA1 | |
| Source: | Code function: | 4_2_00BE76F0 | |
| Source: | Code function: | 4_2_00BE7A9E | |
| Source: | Code function: | 4_2_00BE76AE | |
| Source: | Code function: | 4_2_00BE7BFA | |
| Source: | Code function: | 4_2_00BE7672 | |
| Source: | Code function: | 4_2_00BE7BF4 | |
| Source: | Code function: | 4_2_00BE7BD6 | |
| Source: | Code function: | 4_2_00BE7672 | |
| Source: | Code function: | 4_2_014BB5E9 | |
| Source: | Static PE information: | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Moves itself to temp directory | Show sources | ||
| Source: | File moved: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Yara detected AntiVM3 | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
Anti Debugging: | |
|---|
| Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) | Show sources | ||
| Source: | Code function: | 0_2_02301718 | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 4_2_012B8D68 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Injects a PE file into a foreign processes | Show sources | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Disable or Modify Tools1 | OS Credential Dumping2 | System Information Discovery114 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information1 | Input Capture21 | Query Registry1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information3 | Credentials in Registry1 | Security Software Discovery321 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing13 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture21 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading11 | LSA Secrets | Virtualization/Sandbox Evasion141 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion141 | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 34% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| us2.smtp.mailhostbox.com | 208.91.199.224 | true | false | high | |
| smtp.globaloffs-site.com | unknown | unknown | true | unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 208.91.199.224 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
General Information |
|---|
| Joe Sandbox Version: | 32.0.0 Black Diamond |
| Analysis ID: | 412582 |
| Start date: | 12.05.2021 |
| Start time: | 19:43:13 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 48s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | PRODUCT INQUIRY FROM PAKISTAN.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 29 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/2@4/1 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 19:44:14 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 208.91.199.224 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| us2.smtp.mailhostbox.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| PUBLIC-DOMAIN-REGISTRYUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\PRODUCT INQUIRY FROM PAKISTAN.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1314 |
| Entropy (8bit): | 5.350128552078965 |
| Encrypted: | false |
| SSDEEP: | 24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR |
| MD5: | 8198C64CE0786EABD4C792E7E6FC30E5 |
| SHA1: | 71E1676126F4616B18C751A0A775B2D64944A15A |
| SHA-256: | C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4 |
| SHA-512: | EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0 |
| Malicious: | true |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\PRODUCT INQUIRY FROM PAKISTAN.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.6969296358976265 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBo2+tYeF+X:T5LLOpEO5J/Kn7U1uBo2UYeQ |
| MD5: | A9DBC7B8E523ABE3B02D77DBF2FCD645 |
| SHA1: | DF5EE16ECF4B3B02E312F935AE81D4C5D2E91CA8 |
| SHA-256: | 39B4E45A062DEA6F541C18FA1A15C5C0DB43A59673A26E2EB5B8A4345EE767AE |
| SHA-512: | 3CF87455263E395313E779D4F440D8405D86244E04B5F577BB9FA2F4A2069DE019D340F6B2F6EF420DEE3D3DEEFD4B58DA3FCA3BB802DE348E1A810D6379CC3B |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.966739726233845 |
| TrID: |
|
| File name: | PRODUCT INQUIRY FROM PAKISTAN.exe |
| File size: | 852992 |
| MD5: | 6efee5c2282e20bafb495451512c5ca7 |
| SHA1: | 72d3a5bac34e50b19f4df7ae42f37a950e099e5c |
| SHA256: | 860b99eb4a09674fe70d72bb997b2cf38bfc62eb2794a13d623048d5f5b422d2 |
| SHA512: | 939f453caaad2cce39923fbd8e087f0d68db727ef2c16dbbd18ab33d9b58d9d1ca45f75e513d45efaa1dada6c7c2d3fa6a94b35b57fa62db52cb31cca7eeb3f0 |
| SSDEEP: | 12288:pyO2UHJZ/6hAkXkyKLPPjAY5Ii/4mTX46632n05ZhYq/zYLmvk4FcXac0usx+zFt:NHJohAukyKLPLAxmSYqr5bZuyGSEV |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..`..............P......>.......`...@... ....@.. ....................................@................................ |
File Icon |
|---|
 | |
| Icon Hash: | f2d2e9fcc4ead362 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4d600a |
| Entrypoint Section: | |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x609B854F [Wed May 12 07:35:43 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | v4.0.30319 |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| jmp dword ptr [004D6000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc4914 | 0x57 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd0000 | 0x34e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd4000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xd6000 | 0x8 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0xc4000 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| tOdw-f5 | 0x2000 | 0xc0430 | 0xc0600 | False | 1.00031854085 | data | 7.99978655824 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .text | 0xc4000 | 0xbf48 | 0xc000 | False | 0.444864908854 | data | 5.99523807789 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xd0000 | 0x34e8 | 0x3600 | False | 0.361834490741 | data | 5.25644950333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xd4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| 0xd6000 | 0x10 | 0x200 | False | 0.044921875 | data | 0.142635768149 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xd0130 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | ||
| RT_GROUP_ICON | 0xd26d8 | 0x14 | data | ||
| RT_VERSION | 0xd26ec | 0x394 | data | ||
| RT_MANIFEST | 0xd2a80 | 0xa65 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Copyright 2013 |
| Assembly Version | 3.0.0.0 |
| InternalName | SecuritySafeCriticalAttribute.exe |
| FileVersion | 3.0.0.0 |
| CompanyName | |
| LegalTrademarks | |
| Comments | |
| ProductName | ServerManager_Core |
| ProductVersion | 3.0.0.0 |
| FileDescription | ServerManager_Core |
| OriginalFilename | SecuritySafeCriticalAttribute.exe |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 05/12/21-19:45:56.368072 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| 05/12/21-19:45:59.211267 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 12, 2021 19:45:54.595738888 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:54.761893988 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:54.766186953 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:55.346564054 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:55.352231979 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:55.516464949 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:55.516491890 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:55.518551111 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:55.686163902 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:55.692404032 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:55.858733892 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:55.860264063 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:56.025664091 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:56.026678085 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:56.197799921 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:56.198604107 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:56.363210917 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:56.368072033 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:56.368257046 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:56.368385077 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:56.368483067 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:56.532382011 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:56.532553911 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:56.588491917 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:56.735131025 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:57.486198902 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:57.651779890 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:57.651809931 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:57.651875019 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:57.657607079 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:57.821738958 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:57.860732079 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:58.025146008 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:58.025234938 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:58.197154999 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:58.197532892 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:58.362965107 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:58.362986088 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:58.363831043 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:58.529488087 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:58.534030914 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:58.700325966 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:58.700753927 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:58.866141081 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:58.866465092 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.039623022 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:59.040100098 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.204902887 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:59.211168051 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.211266994 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.211455107 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.211469889 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.211596012 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.211663961 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.211725950 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.211798906 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
| May 12, 2021 19:45:59.375585079 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:59.375674963 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:59.375775099 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:59.375838995 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:59.415575027 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:59.431745052 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 |
| May 12, 2021 19:45:59.485426903 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 12, 2021 19:43:59.224813938 CEST | 56590 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:43:59.285340071 CEST | 53 | 56590 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:43:59.564558983 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:43:59.616162062 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:00.457453966 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:00.511548042 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:01.631833076 CEST | 51837 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:01.683595896 CEST | 53 | 51837 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:02.895919085 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:02.944668055 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:05.173396111 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:05.222266912 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:06.644130945 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:06.692852020 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:08.096457958 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:08.148211956 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:10.672255039 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:10.721375942 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:13.107789040 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:13.157049894 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:14.273667097 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:14.325664043 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:15.160633087 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:15.209743977 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:16.304476023 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:16.365219116 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:17.525924921 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:17.583611965 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:18.953445911 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:19.002532005 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:19.919316053 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:19.968133926 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:20.332041979 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:20.390768051 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:21.694616079 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:21.743330002 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:22.995572090 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:23.044259071 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:25.013695002 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:25.074450970 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:26.464652061 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:26.513268948 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:34.585084915 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:34.650090933 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:45.167170048 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:45.224750042 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:44:53.968266010 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:44:54.034739017 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:14.893815041 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:14.969223022 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:19.726541996 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:19.790828943 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:36.072041035 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:36.267502069 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:36.831161976 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:36.892123938 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:37.475807905 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:37.581991911 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:37.726138115 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:37.788824081 CEST | 53 | 58820 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:38.029793978 CEST | 60983 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:38.089878082 CEST | 53 | 60983 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:38.643950939 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:38.706350088 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:39.245731115 CEST | 52286 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:39.305742979 CEST | 53 | 52286 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:39.816066980 CEST | 56064 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:39.873152018 CEST | 53 | 56064 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:40.806899071 CEST | 63744 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:40.860469103 CEST | 53 | 63744 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:41.667094946 CEST | 61457 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:41.728502035 CEST | 53 | 61457 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:42.235435009 CEST | 58367 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:42.389705896 CEST | 53 | 58367 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:53.653337002 CEST | 60599 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:53.710711002 CEST | 53 | 60599 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:54.308971882 CEST | 59571 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:54.498368979 CEST | 53 | 59571 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:54.513879061 CEST | 52689 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:54.575346947 CEST | 53 | 52689 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:55.724800110 CEST | 50290 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:55.799751043 CEST | 53 | 50290 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:57.703577995 CEST | 60427 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:57.763330936 CEST | 53 | 60427 | 8.8.8.8 | 192.168.2.7 |
| May 12, 2021 19:45:57.801608086 CEST | 56209 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 12, 2021 19:45:57.858694077 CEST | 53 | 56209 | 8.8.8.8 | 192.168.2.7 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| May 12, 2021 19:45:54.308971882 CEST | 192.168.2.7 | 8.8.8.8 | 0xd480 | Standard query (0) | A (IP address) | IN (0x0001) | |
| May 12, 2021 19:45:54.513879061 CEST | 192.168.2.7 | 8.8.8.8 | 0x8a60 | Standard query (0) | A (IP address) | IN (0x0001) | |
| May 12, 2021 19:45:57.703577995 CEST | 192.168.2.7 | 8.8.8.8 | 0x1d54 | Standard query (0) | A (IP address) | IN (0x0001) | |
| May 12, 2021 19:45:57.801608086 CEST | 192.168.2.7 | 8.8.8.8 | 0x9e07 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| May 12, 2021 19:45:54.498368979 CEST | 8.8.8.8 | 192.168.2.7 | 0xd480 | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
| May 12, 2021 19:45:54.498368979 CEST | 8.8.8.8 | 192.168.2.7 | 0xd480 | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:54.498368979 CEST | 8.8.8.8 | 192.168.2.7 | 0xd480 | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:54.498368979 CEST | 8.8.8.8 | 192.168.2.7 | 0xd480 | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:54.498368979 CEST | 8.8.8.8 | 192.168.2.7 | 0xd480 | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:54.575346947 CEST | 8.8.8.8 | 192.168.2.7 | 0x8a60 | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
| May 12, 2021 19:45:54.575346947 CEST | 8.8.8.8 | 192.168.2.7 | 0x8a60 | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:54.575346947 CEST | 8.8.8.8 | 192.168.2.7 | 0x8a60 | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:54.575346947 CEST | 8.8.8.8 | 192.168.2.7 | 0x8a60 | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:54.575346947 CEST | 8.8.8.8 | 192.168.2.7 | 0x8a60 | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:57.763330936 CEST | 8.8.8.8 | 192.168.2.7 | 0x1d54 | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
| May 12, 2021 19:45:57.763330936 CEST | 8.8.8.8 | 192.168.2.7 | 0x1d54 | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:57.763330936 CEST | 8.8.8.8 | 192.168.2.7 | 0x1d54 | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:57.763330936 CEST | 8.8.8.8 | 192.168.2.7 | 0x1d54 | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:57.763330936 CEST | 8.8.8.8 | 192.168.2.7 | 0x1d54 | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:57.858694077 CEST | 8.8.8.8 | 192.168.2.7 | 0x9e07 | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
| May 12, 2021 19:45:57.858694077 CEST | 8.8.8.8 | 192.168.2.7 | 0x9e07 | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:57.858694077 CEST | 8.8.8.8 | 192.168.2.7 | 0x9e07 | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:57.858694077 CEST | 8.8.8.8 | 192.168.2.7 | 0x9e07 | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 19:45:57.858694077 CEST | 8.8.8.8 | 192.168.2.7 | 0x9e07 | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| May 12, 2021 19:45:55.346564054 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
| May 12, 2021 19:45:55.352231979 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 | EHLO 347688 |
| May 12, 2021 19:45:55.516491890 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
| May 12, 2021 19:45:55.518551111 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 | AUTH login c3RhZmZzQGdsb2JhbG9mZnMtc2l0ZS5jb20= |
| May 12, 2021 19:45:55.686163902 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 | 334 UGFzc3dvcmQ6 |
| May 12, 2021 19:45:55.858733892 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 | 235 2.7.0 Authentication successful |
| May 12, 2021 19:45:55.860264063 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 | MAIL FROM:<staffs@globaloffs-site.com> |
| May 12, 2021 19:45:56.025664091 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 | 250 2.1.0 Ok |
| May 12, 2021 19:45:56.026678085 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 | RCPT TO:<staffs@globaloffs-site.com> |
| May 12, 2021 19:45:56.197799921 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 | 250 2.1.5 Ok |
| May 12, 2021 19:45:56.198604107 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 | DATA |
| May 12, 2021 19:45:56.363210917 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 | 354 End data with <CR><LF>.<CR><LF> |
| May 12, 2021 19:45:56.368483067 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 | . |
| May 12, 2021 19:45:56.588491917 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 | 250 2.0.0 Ok: queued as 203341C1AF1 |
| May 12, 2021 19:45:57.486198902 CEST | 49745 | 587 | 192.168.2.7 | 208.91.199.224 | QUIT |
| May 12, 2021 19:45:57.651779890 CEST | 587 | 49745 | 208.91.199.224 | 192.168.2.7 | 221 2.0.0 Bye |
| May 12, 2021 19:45:58.197154999 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
| May 12, 2021 19:45:58.197532892 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 | EHLO 347688 |
| May 12, 2021 19:45:58.362986088 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
| May 12, 2021 19:45:58.363831043 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 | AUTH login c3RhZmZzQGdsb2JhbG9mZnMtc2l0ZS5jb20= |
| May 12, 2021 19:45:58.529488087 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 | 334 UGFzc3dvcmQ6 |
| May 12, 2021 19:45:58.700325966 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 | 235 2.7.0 Authentication successful |
| May 12, 2021 19:45:58.700753927 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 | MAIL FROM:<staffs@globaloffs-site.com> |
| May 12, 2021 19:45:58.866141081 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 | 250 2.1.0 Ok |
| May 12, 2021 19:45:58.866465092 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 | RCPT TO:<staffs@globaloffs-site.com> |
| May 12, 2021 19:45:59.039623022 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 | 250 2.1.5 Ok |
| May 12, 2021 19:45:59.040100098 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 | DATA |
| May 12, 2021 19:45:59.204902887 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 | 354 End data with <CR><LF>.<CR><LF> |
| May 12, 2021 19:45:59.211798906 CEST | 49747 | 587 | 192.168.2.7 | 208.91.199.224 | . |
| May 12, 2021 19:45:59.431745052 CEST | 587 | 49747 | 208.91.199.224 | 192.168.2.7 | 250 2.0.0 Ok: queued as EDB881C2A04 |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 19:44:05 |
| Start date: | 12/05/2021 |
| Path: | C:\Users\user\Desktop\PRODUCT INQUIRY FROM PAKISTAN.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x10000 |
| File size: | 852992 bytes |
| MD5 hash: | 6EFEE5C2282E20BAFB495451512C5CA7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 19:44:15 |
| Start date: | 12/05/2021 |
| Path: | C:\Users\user\Desktop\PRODUCT INQUIRY FROM PAKISTAN.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb20000 |
| File size: | 852992 bytes |
| MD5 hash: | 6EFEE5C2282E20BAFB495451512C5CA7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 02304578, Relevance: 4.0, Strings: 3, Instructions: 296COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0230B288, Relevance: 4.0, Strings: 3, Instructions: 272COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02309FD0, Relevance: 3.9, Strings: 3, Instructions: 175COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D55230, Relevance: 2.7, Strings: 2, Instructions: 218COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02304489, Relevance: 1.6, Strings: 1, Instructions: 390COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 023016D1, Relevance: 1.6, APIs: 1, Instructions: 120COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02301718, Relevance: 1.6, APIs: 1, Instructions: 94COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02302478, Relevance: 1.5, Strings: 1, Instructions: 266COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D589BB, Relevance: 1.5, Strings: 1, Instructions: 211COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D589D0, Relevance: 1.5, Strings: 1, Instructions: 207COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02302520, Relevance: 1.5, Strings: 1, Instructions: 201COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D59260, Relevance: 1.4, Strings: 1, Instructions: 151COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02300538, Relevance: 1.4, Strings: 1, Instructions: 135COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0230052A, Relevance: 1.4, Strings: 1, Instructions: 130COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D533B0, Relevance: .9, Instructions: 880COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D55768, Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D50054, Relevance: .3, Instructions: 344COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04949261, Relevance: .3, Instructions: 328COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D55E68, Relevance: .3, Instructions: 301COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D55E5B, Relevance: .3, Instructions: 299COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D55948, Relevance: .3, Instructions: 298COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D55560, Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D55551, Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02302CB2, Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02302CC0, Relevance: .1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D57DDF, Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D59C70, Relevance: .1, Instructions: 107COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02303690, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5D298, Relevance: .1, Instructions: 71COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D57E51, Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02303680, Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 049427E9, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 049427F8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D54D98, Relevance: 2.6, Strings: 2, Instructions: 118COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D54DEB, Relevance: 2.6, Strings: 2, Instructions: 79COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0494D530, Relevance: 1.8, APIs: 1, Instructions: 316COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D51FB1, Relevance: 1.7, Strings: 1, Instructions: 489COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04947848, Relevance: 1.7, APIs: 1, Instructions: 227COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04949A6C, Relevance: 1.7, APIs: 1, Instructions: 189COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04949A78, Relevance: 1.7, APIs: 1, Instructions: 182COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0494F5D6, Relevance: 1.7, APIs: 1, Instructions: 161COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0494D564, Relevance: 1.6, APIs: 1, Instructions: 126COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04942A18, Relevance: 1.6, APIs: 1, Instructions: 112COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04942A20, Relevance: 1.6, APIs: 1, Instructions: 108COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0494AAD4, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02301838, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02309EC0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 023003E1, Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04947A38, Relevance: 1.6, APIs: 1, Instructions: 76COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D513B8, Relevance: .7, Instructions: 701COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D54238, Relevance: .5, Instructions: 516COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D50618, Relevance: .5, Instructions: 472COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D50BF8, Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5362B, Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D50E90, Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D59479, Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D50EA0, Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D59488, Relevance: .1, Instructions: 82COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D57C43, Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D595B1, Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5B169, Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D52590, Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D52689, Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5B288, Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D55180, Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D53F08, Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5A2B2, Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D57E0F, Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D58636, Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D51E20, Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5A752, Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D57E20, Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 02305440, Relevance: 2.7, Strings: 2, Instructions: 180COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02305431, Relevance: 2.7, Strings: 2, Instructions: 178COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02303158, Relevance: 1.4, Strings: 1, Instructions: 165COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02303149, Relevance: 1.4, Strings: 1, Instructions: 163COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 023068F8, Relevance: 1.4, Strings: 1, Instructions: 161COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 023068E8, Relevance: 1.4, Strings: 1, Instructions: 161COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04948030, Relevance: .5, Instructions: 527COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04945628, Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0230A2A8, Relevance: .2, Instructions: 223COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02306010, Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5C630, Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5C621, Relevance: .2, Instructions: 157COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5CE91, Relevance: .1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5CEA0, Relevance: .1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5D098, Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02307898, Relevance: .1, Instructions: 116COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5D0A8, Relevance: .1, Instructions: 114COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 023066C0, Relevance: .1, Instructions: 113COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5CC70, Relevance: .1, Instructions: 110COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02304A08, Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02306B50, Relevance: .1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04D5CC80, Relevance: .1, Instructions: 107COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0494A948, Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04946F14, Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0230A8B0, Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02301948, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02306D30, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02306D20, Relevance: .1, Instructions: 71COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01402298, Relevance: 1.6, APIs: 1, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014B0A70, Relevance: 9.7, APIs: 4, Strings: 1, Instructions: 984libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01401308, Relevance: 1.6, APIs: 1, Instructions: 132COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01402778, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014013D8, Relevance: 1.6, APIs: 1, Instructions: 56COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014CD01C, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014CD006, Relevance: .1, Instructions: 62COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|