Windows
Analysis Report
New Order_pdf_006534325.exe
Overview
General Information
Detection
GuLoader
Score: | 96 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w10x64
- New Order_pdf_006534325.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\New Order_pdf_006534325.exe" MD5: 502A5D91B19D266D46F6BF270A3CE0C8)
- New Order_pdf_006534325.exe (PID: 7848 cmdline: "C:\Users\user\Desktop\New Order_pdf_006534325.exe" MD5: 502A5D91B19D266D46F6BF270A3CE0C8)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
⊘No configs have been found
Rule | Description | Author |
---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
⊘No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-02-05T12:52:23.736174+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49710 | 132.226.8.169 | 80 | TCP |
2025-02-05T12:52:17.654811+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 216.58.206.78 | 443 | TCP |
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Location Tracking |
---|
Source: | DNS query: |
Source: | Code function: | 5_2_38965360 |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_004066F7 | |
Source: | Code function: | 0_2_004065AD |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | DNS query: | ||
Source: | DNS query: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | HTTP traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_004036DA |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004036DA |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | File written: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: | 0_2_73902351 |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion |
---|
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: |
Source: | RDTSC instruction interceptor: | ||
Source: | RDTSC instruction interceptor: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Evaded block: | graph_0-3124 |
Source: | Code function: | 0_2_004066F7 | |
Source: | Code function: | 0_2_004065AD |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-3011 |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Code function: | 0_2_73902351 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Code function: | 0_2_004036DA |
Source: | Key value queried: | Jump to behavior |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | Registry value created: | Jump to behavior |
Source: | Registry value created: | Jump to behavior |
Source: | Registry key created or modified: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 1 OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Disable or Modify Tools | Security Account Manager | 1 System Network Configuration Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 214 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Detection | Scanner | Label |
---|---|---|
34% | Virustotal | |
26% | ReversingLabs | Win32.Trojan.Generic |
Detection | Scanner | Label |
---|---|---|
0% | ReversingLabs | |
⊘No Antivirus matches
⊘No Antivirus matches
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 216.58.206.78 | true | false | high | |
drive.usercontent.google.com | 216.58.206.65 | true | false | high | |
reallyfreegeoip.org | 104.21.48.1 | true | false | high | |
checkip.dyndns.com | 132.226.8.169 | true | false | high | |
checkip.dyndns.org | unknown | unknown | false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false |
104.21.48.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false |
216.58.206.78 | drive.google.com | United States | 15169 | GOOGLEUS | false |
216.58.206.65 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1607358 |
Start date and time: | 2025-02-05 12:50:18 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 14s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | New Order_pdf_006534325.exe |
Detection: | MAL |
Classification: | mal96.troj.spyw.evad.winEXE@3/17@4/4 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 52.149.20.212
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
⊘No simulations
Match | Detection | Threat Name |
---|---|---|
132.226.8.169 | malicious | MassLogger RAT |
132.226.8.169 | malicious | DBatLoader, VIP Keylogger |
132.226.8.169 | malicious | Snake Keylogger |
132.226.8.169 | malicious | MassLogger RAT |
132.226.8.169 | malicious | MassLogger RAT, PureLog Stealer |
132.226.8.169 | malicious | Agent Tesla, AgentTesla |
132.226.8.169 | malicious | Snake Keylogger, VIP Keylogger |
132.226.8.169 | malicious | DBatLoader, VIP Keylogger |
132.226.8.169 | malicious | Snake Keylogger, XWorm |
132.226.8.169 | malicious | GuLoader, Snake Keylogger |
Match | Detection | Threat Name |
---|---|---|
reallyfreegeoip.org | malicious | MassLogger RAT |
reallyfreegeoip.org | malicious | MassLogger RAT |
reallyfreegeoip.org | malicious | GuLoader, Snake Keylogger |
reallyfreegeoip.org | malicious | MassLogger RAT |
reallyfreegeoip.org | malicious | DBatLoader, MassLogger RAT, PureLog Stealer |
reallyfreegeoip.org | malicious | Snake Keylogger, VIP Keylogger |
reallyfreegeoip.org | malicious | DBatLoader, VIP Keylogger |
reallyfreegeoip.org | malicious | Snake Keylogger |
reallyfreegeoip.org | malicious | PureLog Stealer, Snake Keylogger |
reallyfreegeoip.org | malicious | Snake Keylogger, VIP Keylogger |
checkip.dyndns.com | malicious | MassLogger RAT |
checkip.dyndns.com | malicious | MassLogger RAT |
checkip.dyndns.com | malicious | GuLoader, Snake Keylogger |
checkip.dyndns.com | malicious | MassLogger RAT |
checkip.dyndns.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer |
checkip.dyndns.com | malicious | Snake Keylogger, VIP Keylogger |
checkip.dyndns.com | malicious | DBatLoader, VIP Keylogger |
checkip.dyndns.com | malicious | Snake Keylogger |
checkip.dyndns.com | malicious | PureLog Stealer, Snake Keylogger |
checkip.dyndns.com | malicious | Snake Keylogger, VIP Keylogger |
Match | Detection | Threat Name |
---|---|---|
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | AgentTesla |
CLOUDFLARENETUS | malicious | FormBook |
CLOUDFLARENETUS | malicious | FormBook |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | MassLogger RAT |
CLOUDFLARENETUS | malicious | MassLogger RAT |
CLOUDFLARENETUS | malicious | Lokibot |
UTMEMUS | malicious | MassLogger RAT |
UTMEMUS | malicious | MassLogger RAT |
UTMEMUS | malicious | Snake Keylogger, VIP Keylogger |
UTMEMUS | malicious | DBatLoader, VIP Keylogger |
UTMEMUS | malicious | Snake Keylogger |
UTMEMUS | malicious | MassLogger RAT |
UTMEMUS | malicious | MassLogger RAT, PureLog Stealer |
UTMEMUS | malicious | Agent Tesla, AgentTesla |
UTMEMUS | malicious | Snake Keylogger, VIP Keylogger |
UTMEMUS | malicious | MassLogger RAT |

Match | Detection | Threat Name |
---|---|---|
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | MassLogger RAT |
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | MassLogger RAT |
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | GuLoader, Snake Keylogger |
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | MassLogger RAT |
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | DBatLoader, MassLogger RAT, PureLog Stealer |
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | Snake Keylogger, VIP Keylogger |
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | DBatLoader, VIP Keylogger |
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | Snake Keylogger |
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | PureLog Stealer, Snake Keylogger |
54328bd36c14bd82ddaa0c04b25ed9ad | malicious | Snake Keylogger, VIP Keylogger |
37f463bf4616ecd445d4a1937da06e19 | malicious | GuLoader, Snake Keylogger |
37f463bf4616ecd445d4a1937da06e19 | malicious | Discord Token Stealer, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | FormBook, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | Snake Keylogger |
37f463bf4616ecd445d4a1937da06e19 | malicious | GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | GuLoader, Snake Keylogger |
37f463bf4616ecd445d4a1937da06e19 | malicious | Unknown |
37f463bf4616ecd445d4a1937da06e19 | malicious | Unknown |

Match | Detection | Threat Name |
---|---|---|
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | AgentTesla, GuLoader |
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | AgentTesla, GuLoader |
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | AgentTesla, GuLoader |
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | AgentTesla |
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | AgentTesla |
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | AgentTesla, GuLoader |
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | AgentTesla |
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | FormBook, GuLoader |
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | FormBook, GuLoader |
C:\Users\user\AppData\Local\Temp\nsnD7DE.tmp\System.dll | malicious | FormBook, GuLoader |

Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 189063 |
Entropy (8bit): | 1.2466467334231734 |
Encrypted: | false |
SSDEEP: | 768:IucEIs7WGo6HKuvpy6wIG5fNvBoJKc5ius4Ky9KqSGzMM4ClF0oHXpOKm9rD3QcM:J1JGpI5fKGKMVftlYXIL8y |
MD5: | F342E7BA488BE2AC57BB244F6048BB39 |
SHA1: | 7C3121E57E1B8CF1E9BD7836B7BA3161418220D9 |
SHA-256: | 8D060A3F682C8D5B044DAE09B37AFDA95CB21753BBB23F7A5B0DC2C8E4F63762 |
SHA-512: | 1B0CFFCFB59C8BB0B2EAD98E22C7A25F4C70444FA4F747DF3BA4096A1415F7D8BC4E5C4992937A3D3A7FEF7D1A5C20DA38361CFD3F824C242F07D299B4B7D888 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12701 |
Entropy (8bit): | 7.747193130113565 |
Encrypted: | false |
SSDEEP: | 192:L1qavgSgIA/UZ1bEqNSc6nEKFL+2Q8TPwnMPW/77/JC6eRz+3E37HAYCRuCeKc5:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/je |
MD5: | C16D7E9CDD76E6C6A6C2C55A3DF4C22F |
SHA1: | A8FF93F63CEF29DF4DC4C9908A98B39CFE2D0F77 |
SHA-256: | FA7B89DE19926538DE22EFFFA7556D3B887804B9EE59481EFE13042EBC2A7622 |
SHA-512: | DBEE6C0092D6DCDD38B1E782FB862D09A93FECC722E16240E531C53F9B6D83D1C8313CF927CE89D74FC9371E2F5CFEC88A98B0A8FA0B5D36A6E5CB85B0A533FC |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 337931 |
Entropy (8bit): | 1.2558232954108735 |
Encrypted: | false |
SSDEEP: | 1536:GepnQBvtfYcZNZRoH8bZHp4oI0kQkYiPGN:TpnUVf7XPDcolbkYiPA |
MD5: | 3C9245261AB5761879EE306E1F5FD738 |
SHA1: | 5D39971BA7FC8C1A840B772B3F0970656770CA8B |
SHA-256: | AF7641E47F4AE7BB1720749AC9C8D9BC00586A88AABFC8DA07AB33850F1AC664 |
SHA-512: | 87325164FDA0F2D76856D08565AEFA4B02540F85D16EE723224DEC34A3B73F3B264CF510A45CEFC9DDAB6CCE508DD11DFC36A0E8D52F8BEA927B2E5B7A0A494B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12043 |
Entropy (8bit): | 7.7581095712795385 |
Encrypted: | false |
SSDEEP: | 192:L1qavgSgIA/UZ1bEqNSc6nEKFL+2Q8TPwnMPW/77/JC6eRz+3E37HAYCRuA:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/7 |
MD5: | D238CAECE8765BF9760626569559BF74 |
SHA1: | A2F3AA1BB52DB3315B83FC1A830CB45B725F88F6 |
SHA-256: | 426E8B9E2FAC611DA0286E2F41EC92B725AD2E4D8B9C2B87718EF81F9281390D |
SHA-512: | 0DE0DF60DDCBF02CC313AE836848DD8E079E3CC68CD5980BFEB1257443924AA70196C727C32D2923C090DCAC2BD7A932DA5315C3A3206F52F9966BA2ABD9E189 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13920 |
Entropy (8bit): | 7.670983997234752 |
Encrypted: | false |
SSDEEP: | 384:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/jHgd:J/sUZUEu1Qht7Y2e |
MD5: | 36FCD7598115FDA310BC57936D594A17 |
SHA1: | 3486B8BA6AB5719AF1EADA21FE6E090ADCEEB0E0 |
SHA-256: | D6C9DADC5DCFEC9E635C54E1DD3AD5B9454E44EA6968E5EC28FC3908A99552AA |
SHA-512: | 37772C27E1B907C460273C46916CC00651C22D1E0AACF1535DB05CED7C8CED0A6D5A660A6538DD00655D1EF1011FB5DC127C46E2057B4057952C6C94531CF031 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60152 |
Entropy (8bit): | 7.965494045463898 |
Encrypted: | false |
SSDEEP: | 1536:UmJekwHrnQiUOTxPs1aLh3VMeV8lTCw8dGsBs7TdMZUzoUoR:pgLhlBF7Tw8osa7TdMZUEUO |
MD5: | 5C84AFA67CD76D69E53E6E8AF66EB94A |
SHA1: | 786E28BCE32C44E621BBD1390A2F55E08A6B6AE1 |
SHA-256: | 0E75C6649C3A5B5A7E590C6FB72048C8DA6CF5095222FB72AD2E51528C62B2DD |
SHA-512: | 9543B72ABC6A9CCF1A2B6BC3F383FACFC73CE55A79E59537FA4AA1351E8E08541ADA34949F4F42B7244F681C8E3958561987FCD423CBAD8599D217AB2A3E25F9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13315 |
Entropy (8bit): | 7.714747869336622 |
Encrypted: | false |
SSDEEP: | 192:L1qavgSgIA/UZ1bEqNSc6nEKFL+2Q8TPwnMPW/77/JC6eRz+3E37HAYCRuCeKchK:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/jH/ |
MD5: | DED55C4E40D3BB009F6D039C604786E9 |
SHA1: | 8CA3D9C7F53F3CC2AFD3A1EFE10E79D265747DCD |
SHA-256: | 41E704DF5363EC94ADECE028466FC7B8CC8AE4753BC5E722871497C759E60F81 |
SHA-512: | 6BA2152BBEFDF8CB07BC063C460AB909AD65033A3F51E796C22A9529867D7D81BB0AD05B2BCEE7606A6ECCB7BF4A11B70603A5F574D1733C4615FA8C0FD2B202 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 21698 |
Entropy (8bit): | 7.953660499253525 |
Encrypted: | false |
SSDEEP: | 384:vw8+ayqZ4ALy8VWjmIZvsp0eeaILupt6JnHovz+KlNSjuIh2aXBTonNRWG:vw8+5Au8Qw0naoupmhh2U0NX |
MD5: | 2475386FD6465CB63552C04518117CC6 |
SHA1: | 5962256529202CCA6A2E643BFDAD222346D69F8E |
SHA-256: | 239EC6D95E63166C4DC153E96593619C58E58578BE24C85F10AC0A81FE9BDDA7 |
SHA-512: | D50BD6A82BA31D495ED031D4DB484A002D7EDC4AC5EA7754EAB1CCFEFD93A84CC3252DEE4B5A2BB610B4E9491C3C3A8E8425FE0C402AAEE30964455836DCC635 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6835 |
Entropy (8bit): | 7.74969139576544 |
Encrypted: | false |
SSDEEP: | 192:LmUYxmVeZsegZLmEg6wDlUacWkDzGaJIPSTSI:yxQemZLzg66lqDyavSI |
MD5: | 3831C556867D436A133A9B5FDF79684B |
SHA1: | 13AE2213B073F3196ABB859E38F83F95555B3938 |
SHA-256: | 78A17C216A3BF8284794D00947540106614D492D316C77551F4EF1BA6C5C0A62 |
SHA-512: | 2D52B046644156640F2FBF925C1BBF6B3711C1F0AA884382AE7F7CCCDE950FAA308AD2E25F70C8C8DC4A3462CD874204FBF1CB07F6E96E08E2FD3C1E5FDEBA92 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 67235 |
Entropy (8bit): | 7.971625352258901 |
Encrypted: | false |
SSDEEP: | 1536:MQJM3Mn2nS9V8F1ybMLoh7C6dwFRWjVlcc3YWw3twgMkNfTr1:TJM3Mn2n88FMMXewFRecKYTr1 |
MD5: | 253FBA4328C0BD2A6A545B30A3EB2774 |
SHA1: | 7FE8F395AF1D8830F75E7E745AEB2CDDE9F0E061 |
SHA-256: | 600306A1ABC1CB0582DC243C1488739470F08244FAC2576714B3503C6059CB19 |
SHA-512: | 046CB1B41F366B88960AFE4EB841FDB07AB4AC76627141149C0202111912F8DF2C13182D5FE8B7AFED553920BFB60BC0A496AAD138BB9F18F1515A6E5F59756E |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11778 |
Entropy (8bit): | 7.750183257585458 |
Encrypted: | false |
SSDEEP: | 192:L1qavgSgIA/UZ1bEqNSc6nEKFL+2Q8TPwnMPW/77/JC6eRz+3E37HAYCRn:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/p |
MD5: | 93066B05F4D44458FCA79AE8F224EB61 |
SHA1: | 53AED2782BDCED333A43B4BA2E44626BE9523A7D |
SHA-256: | D201C46604EA15C19901F24F0EFFC0E0C1092B20A979DDBBF44775AEA7114400 |
SHA-512: | 12D6F4CB1F2A5F6AC4DD4994317CA3020BEDD4F51B2ED8CC5A2A1BD684D9B8A1914F0645754578CA8C45AE531CAB09AB9B21B9D471481EAB42E283CE172044DB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 204648 |
Entropy (8bit): | 1.2604476925020542 |
Encrypted: | false |
SSDEEP: | 768:WXmsv9pSjlQaOvcHQi1qS+9i5JytPRctWMP7yOWS7twXm8kQhMjORtOyc1oH27xH:sqYcPpyRYDNVE4F9x |
MD5: | DD342206FF527188A6C6170732D0546A |
SHA1: | 3557869F7DE168B288DA8386A1EF6DB5E2477FC9 |
SHA-256: | F5C8AFDD60C6C815F21560765AF73EDE0DA98573A9DA398467ABDCE30E994C9B |
SHA-512: | 421B988BC9D5356F402CF4BAE5816E78CD28D35931C0667CE7947B06B65131F5E95ADAD485A11564C5C8627AC7FE279452EBAD1B917E0FEC53796C913F19AD74 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6682 |
Entropy (8bit): | 7.739313239785198 |
Encrypted: | false |
SSDEEP: | 192:LmUYxmVeZsegZLmEg6wDlUacWkDzGaJIPSTSj:yxQemZLzg66lqDyavSj |
MD5: | 4EA3437E960B9E8F828B52D8D4F3F1AB |
SHA1: | B3320414E43EC606E7DD397A365BFCDE9A794008 |
SHA-256: | 15107DDDCA248ED0D61A5E1E38846406E3605BB49042D7C9F98C54BC8C00D0FC |
SHA-512: | DA0BE4D89C7AFC5F2CDEAC99AFFA420107B2AAA1AD9393C87506C09B062367329E30E796677939E76F0C8F8F8C924AF309C7F0FBEBFC6D249FA9CFADFB6988B6 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 14434 |
Entropy (8bit): | 7.6279871505246915 |
Encrypted: | false |
SSDEEP: | 384:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/jHgNi:J/sUZUEu1Qht7Y2L |
MD5: | 014E3A9B91F05D3500163479B611D3B8 |
SHA1: | 54FE4CC79EDC9158616D5067516EC3AC21E68F06 |
SHA-256: | 44693D40851185E37036C2164E23850DC7AD163B55AC0289D7B11AB3257164C5 |
SHA-512: | EFFE15A7A31CC924BD48871A89B83CFD27F4C04A548E6BFDF14F78F0DB34E109287121B11640CDDAF756314DA82316CB06AE59BB6A9181A2030F5253FF9931E4 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34495 |
Entropy (8bit): | 4.586616586125473 |
Encrypted: | false |
SSDEEP: | 768:GGB/mx3Hll8vKyntugB1uXSbf1Rhydk45bkYVxA:GGM3Hlldywg3uXST1Gpkr |
MD5: | 98446B319DD151E913BCC4D7739AD50D |
SHA1: | 7A02561A2029C99D7C3372A1F54A242130ABC975 |
SHA-256: | EC22B5F2F2B9B25F6A4699FEC64FD2AC4887E782DD660416BD5E91BF44FBB4E5 |
SHA-512: | B5F4C583DF093CF0442A84BA8262A3E60FF13A046543F97D8998850A8C28A6D0A560E5B34AABB644213BF3958BB707177D5E91F15B6DE3CE4FECF07505D0B703 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 247809 |
Entropy (8bit): | 7.81833772902162 |
Encrypted: | false |
SSDEEP: | 6144:bxjtK7y6jNd6/pdtEgNG6IZe0QlGict2zy3NhLU81C:d5EhWGbaAiS2mLRg |
MD5: | E0E6B8FAC05C378049A3439690189271 |
SHA1: | 346146381E66B133F56B9A4214F817B006D2876D |
SHA-256: | F637DC2FB895F2E4DD3886066024870A517121B74F06C36EDE660F5FF3FA61F1 |
SHA-512: | 0B636FC9F0C9DF2C0F336199328312C1F48EDEAF1AC3D9209403820AF8D51DF072EDEFC70F42A295B688CEF765DB3AE6946508869551A8812807AA9A2617F2B2 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12288 |
Entropy (8bit): | 5.97694153396788 |
Encrypted: | false |
SSDEEP: | 192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw |
MD5: | D6F54D2CEFDF58836805796F55BFC846 |
SHA1: | B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D |
SHA-256: | F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9 |
SHA-512: | CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Preview: | |
File type: | |
Entropy (8bit): | 7.737154966643079 |
TrID: | |
File name: | New Order_pdf_006534325.exe |
File size: | 829'138 bytes |
MD5: | 502a5d91b19d266d46f6bf270a3ce0c8 |
SHA1: | 1af86349a3c21d061baaf83bc5c7574ca85330af |
SHA256: | 7f2ad4dae501f03a420ec1971af3a5ebe539d7c3430dd632bb4dfa614aa82207 |
SHA512: | 114232bcd480d72642688731cf8e4d2839266c5966c6ed5aaab0982ef42057d7e4ea707e0fd97f2c1124e0cd85ab9f32de4f27d8d5bb3e1eca5ee2c25ce314de |
SSDEEP: | 24576:Q4nbY9dZZZZZZZZZZyNag3sXrEMvvV3HQmhQ436/zc:Q+qZZZZZZZZZZyX3Invv1wzq6A |
TLSH: | A105F193E68449B3DD68077588772A3215B7AE3E5A70931E535C3072BFB334361AB60B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............o...o...o...k...o...i...o...n...o...n...o.I.k...o.I.....o.I.m...o.Rich..o.................PE..L...!.*c.................n. |
Icon Hash: | 8282b2b0b0a0e061 |
Entrypoint: | 0x4036da |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x632AE721 [Wed Sep 21 10:27:45 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 3f91aceea750f765ef2ba5d9988e6a00 |
Instruction |
---|
sub esp, 000003ECh |
push ebx |
push ebp |
push esi |
push edi |
xor ebx, ebx |
mov edi, 00408528h |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov ebp, ebx |
call dword ptr [00408170h] |
mov esi, dword ptr [004080ACh] |
lea eax, dword ptr [esp+2Ch] |
xorps xmm0, xmm0 |
mov dword ptr [esp+40h], ebx |
push eax |
movlpd qword ptr [esp+00000144h], xmm0 |
mov dword ptr [esp+30h], 0000011Ch |
call esi |
test eax, eax |
jne 00007FE8CCFCFCC9h |
lea eax, dword ptr [esp+2Ch] |
mov dword ptr [esp+2Ch], 00000114h |
push eax |
call esi |
push 00000053h |
pop eax |
mov dl, 04h |
mov byte ptr [esp+00000146h], dl |
cmp word ptr [esp+40h], ax |
jne 00007FE8CCFCFCA3h |
mov eax, dword ptr [esp+5Ah] |
add eax, FFFFFFD0h |
mov word ptr [esp+00000140h], ax |
jmp 00007FE8CCFCFC9Dh |
xor eax, eax |
jmp 00007FE8CCFCFC84h |
mov dl, byte ptr [esp+00000146h] |
cmp dword ptr [esp+30h], 0Ah |
jnc 00007FE8CCFCFC9Dh |
movzx eax, word ptr [esp+38h] |
mov dword ptr [esp+38h], eax |
jmp 00007FE8CCFCFC96h |
mov eax, dword ptr [esp+38h] |
mov dword ptr [007A8638h], eax |
movzx eax, byte ptr [esp+30h] |
shl ax, 0008h |
movzx ecx, ax |
movzx eax, byte ptr [esp+34h] |
or ecx, eax |
movzx eax, byte ptr [esp+00000140h] |
shl ax, 0008h |
shl ecx, 10h |
movzx eax, word ptr [eax] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8a00 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3dc000 | 0x28818 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6c0b | 0x6e00 | 9178309eee1a86dc5ef945d6826a6897 | False | 0.6605823863636363 | data | 6.398414552532143 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1896 | 0x1a00 | 0885e83a553c38819d1fab2908ca0cf5 | False | 0.4307391826923077 | data | 4.86610208699674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x39e640 | 0x200 | 5c0f03a1a77f205400c2cbabec9976c4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x3a9000 | 0x33000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3dc000 | 0x28818 | 0x28a00 | 9bd07bb7e2b03cb2af6afb2e0d8df776 | False | 0.37796875 | data | 5.6074169892503285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_BITMAP | 0x3dc3b8 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
RT_ICON | 0x3dc720 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.30814503726487635 |
RT_ICON | 0x3ecf48 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.40732079041412655 |
RT_ICON | 0x3f63f0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.4375693160813309 |
RT_ICON | 0x3fb878 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.4142654700047237 |
RT_ICON | 0x3ffaa0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4994813278008299 |
RT_ICON | 0x402048 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5269699812382739 |
RT_ICON | 0x4030f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6409836065573771 |
RT_ICON | 0x403a78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6737588652482269 |
RT_DIALOG | 0x403ee0 | 0x120 | data | English | United States | 0.53125 |
RT_DIALOG | 0x404000 | 0x118 | data | English | United States | 0.5678571428571428 |
RT_DIALOG | 0x404118 | 0x140 | data | English | United States | 0.46875 |
RT_DIALOG | 0x404258 | 0xf8 | data | English | United States | 0.6330645161290323 |
RT_DIALOG | 0x404350 | 0xa0 | data | English | United States | 0.6125 |
RT_DIALOG | 0x4043f0 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x404450 | 0x76 | data | English | United States | 0.7542372881355932 |
RT_MANIFEST | 0x4044c8 | 0x349 | XML 1.0 document, ASCII text, with very long lines (841), with no line terminators | English | United States | 0.5529131985731273 |
DLL | Import |
---|---|
ADVAPI32.dll | RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW |
SHELL32.dll | ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation |
ole32.dll | OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance |
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create |
USER32.dll | DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW |
GDI32.dll | SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW |
KERNEL32.dll | WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-02-05T12:52:17.654811+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.8 | 49708 | 216.58.206.78 | 443 | TCP |
2025-02-05T12:52:23.736174+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49710 | 132.226.8.169 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 5, 2025 12:52:21.209176064 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.209242105 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.209258080 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.209311008 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.214871883 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.214936018 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.214952946 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.215014935 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.220555067 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.220623016 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.220650911 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.220711946 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.226098061 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.226180077 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.226191998 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.226246119 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.231139898 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.231220007 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.231231928 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.231288910 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.235771894 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.235848904 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.235861063 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.235970020 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.240206003 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.240298033 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.240309954 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.240365982 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.244385004 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.244471073 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.244505882 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.244565964 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.248454094 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.248542070 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.248573065 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.248632908 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.248645067 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.248699903 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.252469063 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.252553940 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.252615929 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.252676964 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.252711058 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:21.252720118 CET | 443 | 49709 | 216.58.206.65 | 192.168.2.8 |
Feb 5, 2025 12:52:21.252779961 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.65 |
Feb 5, 2025 12:52:22.015990019 CET | 49710 | 80 | 192.168.2.8 | 132.226.8.169 |
Feb 5, 2025 12:52:22.020977020 CET | 80 | 49710 | 132.226.8.169 | 192.168.2.8 |
Feb 5, 2025 12:52:22.021059990 CET | 49710 | 80 | 192.168.2.8 | 132.226.8.169 |
Feb 5, 2025 12:52:22.024262905 CET | 49710 | 80 | 192.168.2.8 | 132.226.8.169 |
Feb 5, 2025 12:52:22.029165030 CET | 80 | 49710 | 132.226.8.169 | 192.168.2.8 |
Feb 5, 2025 12:52:23.373843908 CET | 80 | 49710 | 132.226.8.169 | 192.168.2.8 |
Feb 5, 2025 12:52:23.406383991 CET | 49710 | 80 | 192.168.2.8 | 132.226.8.169 |
Feb 5, 2025 12:52:23.411326885 CET | 80 | 49710 | 132.226.8.169 | 192.168.2.8 |
Feb 5, 2025 12:52:23.689941883 CET | 80 | 49710 | 132.226.8.169 | 192.168.2.8 |
Feb 5, 2025 12:52:23.701893091 CET | 49711 | 443 | 192.168.2.8 | 104.21.48.1 |
Feb 5, 2025 12:52:23.701919079 CET | 443 | 49711 | 104.21.48.1 | 192.168.2.8 |
Feb 5, 2025 12:52:23.701989889 CET | 49711 | 443 | 192.168.2.8 | 104.21.48.1 |
Feb 5, 2025 12:52:23.704605103 CET | 49711 | 443 | 192.168.2.8 | 104.21.48.1 |
Feb 5, 2025 12:52:23.704615116 CET | 443 | 49711 | 104.21.48.1 | 192.168.2.8 |
Feb 5, 2025 12:52:23.736174107 CET | 49710 | 80 | 192.168.2.8 | 132.226.8.169 |
Feb 5, 2025 12:52:24.184853077 CET | 443 | 49711 | 104.21.48.1 | 192.168.2.8 |
Feb 5, 2025 12:52:24.184912920 CET | 49711 | 443 | 192.168.2.8 | 104.21.48.1 |
Feb 5, 2025 12:52:24.188322067 CET | 49711 | 443 | 192.168.2.8 | 104.21.48.1 |
Feb 5, 2025 12:52:24.188333988 CET | 443 | 49711 | 104.21.48.1 | 192.168.2.8 |
Feb 5, 2025 12:52:24.188700914 CET | 443 | 49711 | 104.21.48.1 | 192.168.2.8 |
Feb 5, 2025 12:52:24.192270994 CET | 49711 | 443 | 192.168.2.8 | 104.21.48.1 |
Feb 5, 2025 12:52:24.239324093 CET | 443 | 49711 | 104.21.48.1 | 192.168.2.8 |
Feb 5, 2025 12:52:24.332187891 CET | 443 | 49711 | 104.21.48.1 | 192.168.2.8 |
Feb 5, 2025 12:52:24.332256079 CET | 443 | 49711 | 104.21.48.1 | 192.168.2.8 |
Feb 5, 2025 12:52:24.332338095 CET | 49711 | 443 | 192.168.2.8 | 104.21.48.1 |
Feb 5, 2025 12:52:24.455830097 CET | 49711 | 443 | 192.168.2.8 | 104.21.48.1 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 5, 2025 12:52:16.504133940 CET | 62712 | 53 | 192.168.2.8 | 1.1.1.1 |
Feb 5, 2025 12:52:16.511212111 CET | 53 | 62712 | 1.1.1.1 | 192.168.2.8 |
Feb 5, 2025 12:52:17.683454037 CET | 51735 | 53 | 192.168.2.8 | 1.1.1.1 |
Feb 5, 2025 12:52:17.690340042 CET | 53 | 51735 | 1.1.1.1 | 192.168.2.8 |
Feb 5, 2025 12:52:22.000937939 CET | 56755 | 53 | 192.168.2.8 | 1.1.1.1 |
Feb 5, 2025 12:52:22.008053064 CET | 53 | 56755 | 1.1.1.1 | 192.168.2.8 |
Feb 5, 2025 12:52:23.691555023 CET | 62706 | 53 | 192.168.2.8 | 1.1.1.1 |
Feb 5, 2025 12:52:23.701136112 CET | 53 | 62706 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Feb 5, 2025 12:52:16.504133940 CET | 192.168.2.8 | 1.1.1.1 | 0x759b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:17.683454037 CET | 192.168.2.8 | 1.1.1.1 | 0x1b25 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:22.000937939 CET | 192.168.2.8 | 1.1.1.1 | 0x1d09 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:23.691555023 CET | 192.168.2.8 | 1.1.1.1 | 0x495f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Feb 5, 2025 12:52:16.511212111 CET | 1.1.1.1 | 192.168.2.8 | 0x759b | No error (0) | | | 216.58.206.78 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:17.690340042 CET | 1.1.1.1 | 192.168.2.8 | 0x1b25 | No error (0) | | | 216.58.206.65 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:22.008053064 CET | 1.1.1.1 | 192.168.2.8 | 0x1d09 | No error (0) | | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false |
Feb 5, 2025 12:52:22.008053064 CET | 1.1.1.1 | 192.168.2.8 | 0x1d09 | No error (0) | | | 132.226.8.169 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:22.008053064 CET | 1.1.1.1 | 192.168.2.8 | 0x1d09 | No error (0) | | | 132.226.247.73 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:22.008053064 CET | 1.1.1.1 | 192.168.2.8 | 0x1d09 | No error (0) | | | 193.122.6.168 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:22.008053064 CET | 1.1.1.1 | 192.168.2.8 | 0x1d09 | No error (0) | | | 193.122.130.0 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:22.008053064 CET | 1.1.1.1 | 192.168.2.8 | 0x1d09 | No error (0) | | | 158.101.44.242 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:23.701136112 CET | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:23.701136112 CET | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:23.701136112 CET | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:23.701136112 CET | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:23.701136112 CET | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:23.701136112 CET | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Feb 5, 2025 12:52:23.701136112 CET | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49710 | 132.226.8.169 | 80 | 7848 | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Feb 5, 2025 12:52:22.024262905 CET | 151 | OUT | |
Feb 5, 2025 12:52:23.373843908 CET | 273 | IN | |
Feb 5, 2025 12:52:23.406383991 CET | 127 | OUT | |
Feb 5, 2025 12:52:23.689941883 CET | 273 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49708 | 216.58.206.78 | 443 | 7848 | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-05 11:52:17 UTC | 216 | OUT | |
2025-02-05 11:52:17 UTC | 1610 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.8 | 49709 | 216.58.206.65 | 443 | 7848 | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-05 11:52:18 UTC | 258 | OUT | |
2025-02-05 11:52:20 UTC | 4940 | IN | |
2025-02-05 11:52:20 UTC | 4940 | IN | |
2025-02-05 11:52:21 UTC | 4818 | IN | |
2025-02-05 11:52:21 UTC | 1323 | IN | |
2025-02-05 11:52:21 UTC | 1390 | IN | |
2025-02-05 11:52:21 UTC | 1390 | IN | |
2025-02-05 11:52:21 UTC | 1390 | IN | |
2025-02-05 11:52:21 UTC | 1390 | IN | |
2025-02-05 11:52:21 UTC | 1390 | IN | |
2025-02-05 11:52:21 UTC | 1390 | IN | |
2025-02-05 11:52:21 UTC | 1390 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.8 | 49711 | 104.21.48.1 | 443 | 7848 | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-05 11:52:24 UTC | 85 | OUT | |
2025-02-05 11:52:24 UTC | 859 | IN | |
2025-02-05 11:52:24 UTC | 362 | IN | |
Target ID: | 0 |
Start time: | 06:51:11 |
Start date: | 05/02/2025 |
Path: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 829'138 bytes |
MD5 hash: | 502A5D91B19D266D46F6BF270A3CE0C8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 5 |
Start time: | 06:52:00 |
Start date: | 05/02/2025 |
Path: | C:\Users\user\Desktop\New Order_pdf_006534325.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 829'138 bytes |
MD5 hash: | 502A5D91B19D266D46F6BF270A3CE0C8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |