Windows
Analysis Report
1258ad6Jpw.exe
Overview
General Information
Sample name: | 1258ad6Jpw.exe (renamed because original name is a hash value) |
Original sample name: | d953e4ecdd89c5bec7fa20b1d7f43ad83940c3505b9deaaf8dd79247d4178852.exe |
Analysis ID: | 1632353 |
MD5: | 8b0bd4c6a70334229181f7f0563e154b |
SHA1: | cb0adf2e607fd383b5f1f2e298b0aee721d5716f |
SHA256: | d953e4ecdd89c5bec7fa20b1d7f43ad83940c3505b9deaaf8dd79247d4178852 |
Tags: | exe, GuLoader, user-adrian__luca |
Detection
GuLoader
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w10x64
- 1258ad6Jpw.exe (PID: 6940, cmdline: "C:\Users\user\Desktop\1258ad6Jpw.exe", MD5: 8B0BD4C6A70334229181F7F0563E154B)
- 1258ad6Jpw.exe (PID: 4664, cmdline: "C:\Users\user\Desktop\1258ad6Jpw.exe", MD5: 8B0BD4C6A70334229181F7F0563E154B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
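The description above says the payload this loader fetches is XOR-encoded. What follows is an added example, not code from the report, from Joe Security or from the malware, of the known-plaintext trick an analyst applies to such a blob once it has been carved from the download: the decrypted file must begin with `MZ` and, for linker-produced PEs, carries the standard DOS stub at offset 0x40, so each key byte falls out of `ciphertext XOR known_plaintext`. It assumes a repeating byte key of unknown length (up to 32 bytes here) and standard stub placement; the report does not state GuLoader's actual key scheme, so a sample with a different stub offset or a non-repeating key needs the known-plaintext offset adjusted or another approach. The self-test input is a constructed PE-shaped buffer, not the real payload.

```python
"""Known-plaintext recovery of a repeating XOR key from an encrypted PE blob.
Added example; not code from the report, from Joe Security, or from GuLoader."""
import os

# Standard DOS stub that the Microsoft linker writes at file offset 0x40:
# 14 bytes of 16-bit code followed by the familiar message.
DOS_STUB_OFFSET = 0x40
DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encryption and decryption are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ magic and a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def key_from_known_plaintext(blob: bytes, key_len: int,
                             plaintext: bytes = DOS_STUB,
                             offset: int = DOS_STUB_OFFSET):
    """Derive a key_len-byte repeating key from plaintext known to sit at `offset`.

    Returns None when the known region is not consistent with that key length,
    which rejects wrong length guesses before any PE check is needed.
    """
    if key_len > len(plaintext) or offset + len(plaintext) > len(blob):
        return None
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = blob[offset + i] ^ plaintext[i]
    for i, p in enumerate(plaintext):
        if blob[offset + i] ^ key[(offset + i) % key_len] != p:
            return None
    return bytes(key)


def recover_payload(blob: bytes, max_key_len: int = 32):
    """Try key lengths 1..max_key_len; return (key, decrypted) for the shortest that yields a PE."""
    for key_len in range(1, max_key_len + 1):
        key = key_from_known_plaintext(blob, key_len)
        if key is None:
            continue
        plain = xor_bytes(blob, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_fake_pe() -> bytes:
    """Constructed PE-shaped buffer for the self-test: MZ header, e_lfanew=0x80, DOS stub, PE signature."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")
    header[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    return bytes(header) + b"PE\0\0" + os.urandom(64)


if __name__ == "__main__":
    original = build_fake_pe()
    secret = os.urandom(13)               # stand-in for the unknown key
    encrypted = xor_bytes(original, secret)
    result = recover_payload(encrypted)
    assert result is not None and result[1] == original
    print("recovered key:", result[0].hex())
```

The consistency loop is what makes this usable on real blobs: with 57 bytes of known plaintext a wrong key length is rejected outright, and only the shortest consistent length is then checked against the PE structure, so a key that is a multiple of the true period is never reported in its place.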
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
⊘No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-07T22:44:13.116704+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49691 | 158.101.44.242 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-07T22:44:06.947274+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49689 | 142.250.184.238 | 443 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Location Tracking |
---|
Source: | DNS query: |
Source: | Code function: | 3_2_37549FC8 | |
Source: | Code function: | 3_2_3754A6FB |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00405665 | |
Source: | Code function: | 0_2_004060C7 | |
Source: | Code function: | 0_2_0040270B | |
Source: | Code function: | 3_2_00405665 | |
Source: | Code function: | 3_2_0040270B | |
Source: | Code function: | 3_2_004060C7 |
Source: | Code function: | 3_2_03FFA0F0, 3_2_03FFA550, 3_2_03FFA540, 3_2_03FFA897, 3_2_03FFED58, 3_2_03FFF1B0, 3_2_03FFF608, 3_2_03FFFA60, 3_2_37016130, 3_2_37016130, 3_2_3701563E, 3_2_370146F8, 3_2_37013598, 3_2_370115F8, 3_2_37010498, 3_2_37012300, 3_2_370142A0, 3_2_37013140, 3_2_370111A0, 3_2_37010040, 3_2_37014FA8, 3_2_37013E48, 3_2_37011EA8, 3_2_37010D48, 3_2_37012CE8, 3_2_37014B50, 3_2_37011A50, 3_2_370139F0, 3_2_37012890, 3_2_370198DB, 3_2_370108F0, 3_2_37549360, 3_2_37548F08, 3_2_37548658, 3_2_3754FA70, 3_2_3754BE10, 3_2_37548200, 3_2_37548AB0, 3_2_3754B560, 3_2_3754B108, 3_2_3754B9B8, 3_2_37547DA8, 3_2_3754A858, 3_2_3754ACB0 |
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | DNS query: | ||
Source: | DNS query: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | HTTP traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_0040511A |
Source: | Code function: | 0_2_004031A3 | |
Source: | Code function: | 3_2_004031A3 |
Source: | File created: | Jump to behavior |
Source: | Code function: | 0_2_00404959, 0_2_00406D36, 3_2_00404959, 3_2_0040655F, 3_2_00406D36, 3_2_03FFA0F0, 3_2_03FF27B9, 3_2_03FF2DD1, 3_2_03FFD788, 3_2_03FFA0E1, 3_2_03FFE4B8, 3_2_03FFE981, 3_2_03FFED58, 3_2_03FFF1B0, 3_2_03FFF1A0, 3_2_03FFF608, 3_2_03FFF5F8, 3_2_03FFFA60, 3_2_03FFFA50, 3_2_370177F0, 3_2_370195FC, 3_2_37018490, 3_2_37016130, 3_2_370171A8, 3_2_37017E40, 3_2_370177E4, 3_2_3701563E, 3_2_370146F2, 3_2_370146F8, 3_2_3701358A, 3_2_37013598, 3_2_370115E8, 3_2_370115F8, 3_2_37010488, 3_2_3701848E, 3_2_37010498, 3_2_37012300, 3_2_37014290, 3_2_370142A0, 3_2_370122F2, 3_2_37016122, 3_2_37013130, 3_2_37013140, 3_2_37011191, 3_2_37017197, 3_2_370111A0, 3_2_37010040, 3_2_37014F98, 3_2_37014FA8, 3_2_37017E37, 3_2_37013E39, 3_2_37013E48, 3_2_37011E98, 3_2_37011EA8, 3_2_37010D39, 3_2_37010D48, 3_2_37012CDA, 3_2_37012CE8, 3_2_37018B0E, 3_2_37018B10, 3_2_37014B41, 3_2_37014B50, 3_2_37011A40, 3_2_37011A50, 3_2_370139E0, 3_2_370139F0, 3_2_3701287F, 3_2_37012890, 3_2_370108E0, 3_2_370108F0, 3_2_37524F51, 3_2_375246E1, 3_2_37523450, 3_2_3752A318, 3_2_3752208C, 3_2_3754E358, 3_2_37549360, 3_2_3754C268, 3_2_37544560, 3_2_375499C0, 3_2_37540040, 3_2_37544340, 3_2_3754934F, 3_2_37548F08, 3_2_37543BB8, 3_2_37543BA8, 3_2_3754C25E, 3_2_37548658, 3_2_37548647, 3_2_3754FA70, 3_2_3754BE10, 3_2_37548200, 3_2_3754BE01, 3_2_37548EFB, 3_2_37548A9F, 3_2_37548AB0, 3_2_3754B55B, 3_2_3754B560, 3_2_3754B108, 3_2_375481EF, 3_2_37547D98, 3_2_3754B9B8, 3_2_375499BB, 3_2_37547DA8, 3_2_3754B9A8, 3_2_3754A858, 3_2_3754A847, 3_2_3754F4D8, 3_2_3754B0F8, 3_2_3754ACB0, 3_2_3754ACA0 |
Source: | Code function: |
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004031A3 | |
Source: | Code function: | 3_2_004031A3 |
Source: | Code function: | 0_2_004043E6 |
Source: | Code function: | 0_2_004020CD |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static file information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: | 0_2_10001A5D |
Source: | Code function: | 0_2_10002D4E | |
Source: | Code function: | 3_2_37546F1D | |
Source: | Code function: | 3_2_37544ED7 |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion |
---|
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: |
Source: | RDTSC instruction interceptor: | ||
Source: | RDTSC instruction interceptor: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | API coverage: |
Source: | Code function: | 0_2_00405665 | |
Source: | Code function: | 0_2_004060C7 | |
Source: | Code function: | 0_2_0040270B | |
Source: | Code function: | 3_2_00405665 | |
Source: | Code function: | 3_2_0040270B | |
Source: | Code function: | 3_2_004060C7 |
Source: | Binary or memory string: | ||
Source: | API call chain: | graph_0-3705 | ||
Source: | API call chain: | graph_0-3879 |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Code function: | 0_2_10001A5D |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Code function: | 0_2_00405DE5 |
Source: | Key value queried: | Jump to behavior |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | Registry value created: | Jump to behavior |
Source: | Registry value created: | Jump to behavior |
Source: | Registry key created or modified: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Masquerading | 1 OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Disable or Modify Tools | Security Account Manager | 1 System Network Configuration Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | 1 Clipboard Data | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 215 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
72% | Virustotal | Browse | ||
62% | ReversingLabs | Win32.Trojan.Guloader | ||
100% | Avira | TR/Injector.kjjjr |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 142.250.184.238 | true | false | high | |
drive.usercontent.google.com | 142.250.185.97 | true | false | high | |
reallyfreegeoip.org | 104.21.16.1 | true | false | high | |
checkip.dyndns.com | 158.101.44.242 | true | false | high | |
checkip.dyndns.org | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
142.250.184.238 | drive.google.com | United States | 15169 | GOOGLEUS | false | |
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false | |
142.250.185.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false |
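The signature list and the domain/IP tables above are enough for a first hunting rule: the sample sets the DisableTaskMgr and DisableCMD user policies, and it resolves IP-check and geolocation services (checkip.dyndns.org, reallyfreegeoip.org) before doing anything else on the network. Either behaviour alone is noisy; the two together on one process are characteristic of this loader family. The script below is an added example, not part of the Joe Sandbox report, that applies those rules to constructed Sysmon-style log lines (EventID 13 registry value set, 22 DNS query, 3 network connection). The registry paths are the standard per-user policy locations, assumed here because the report rows do not print them; drive.google.com is kept as a low-severity indicator only, since it is a shared legitimate service.

```python
"""Hunting logic for the behaviours and IOCs listed in this report, run over
constructed Sysmon-style telemetry. Added example, not part of the Joe Sandbox report."""
import re
from collections import defaultdict

# Network indicators taken from the domain/IP tables of this report.
IP_CHECK_DOMAINS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
STAGING_DOMAINS = {"drive.google.com", "drive.usercontent.google.com"}  # legitimate service, weak alone
REPORT_IPS = {"104.21.16.1", "142.250.184.238", "158.101.44.242", "142.250.185.97"}

# Assumption: the report flags "Disables the Windows task manager" and "Disables CMD prompt"
# without printing the registry paths; these are the standard per-user policy values.
DISABLE_POLICY_RE = re.compile(
    r"\\Policies\\System\\DisableTaskMgr$|\\Policies\\Microsoft\\Windows\\System\\DisableCMD$",
    re.IGNORECASE,
)

# Constructed log lines in a key=value layout (values containing spaces are quoted).
SAMPLE_LOG = [
    r'EventID=13 Image=C:\Users\user\Desktop\1258ad6Jpw.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Details="DWORD (0x00000001)"',
    r'EventID=13 Image=C:\Users\user\Desktop\1258ad6Jpw.exe TargetObject=HKU\S-1-5-21-1\Software\Policies\Microsoft\Windows\System\DisableCMD Details="DWORD (0x00000001)"',
    r'EventID=22 Image=C:\Users\user\Desktop\1258ad6Jpw.exe QueryName=drive.google.com',
    r'EventID=22 Image=C:\Users\user\Desktop\1258ad6Jpw.exe QueryName=checkip.dyndns.org',
    r'EventID=3 Image=C:\Users\user\Desktop\1258ad6Jpw.exe DestinationIp=158.101.44.242 DestinationPort=80',
    r'EventID=22 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" QueryName=drive.google.com',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def evaluate(lines) -> dict:
    """Return {image: [(severity, reason), ...]} for every process that matched a rule."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        image, event_id = ev.get("Image", "?"), ev.get("EventID")
        if event_id == "13":  # Sysmon RegistryEvent (value set)
            target = ev.get("TargetObject", "")
            if DISABLE_POLICY_RE.search(target) and "0x00000001" in ev.get("Details", ""):
                value_name = target.rsplit("\\", 1)[-1]
                findings[image].append(("high", "user policy set to 1: " + value_name))
        elif event_id == "22":  # Sysmon DNS query
            name = ev.get("QueryName", "").lower()
            if name in IP_CHECK_DOMAINS:
                findings[image].append(("medium", "external IP / geolocation lookup: " + name))
            elif name in STAGING_DOMAINS:
                findings[image].append(("low", "contacted staging domain seen in report: " + name))
        elif event_id == "3":  # Sysmon network connection
            ip = ev.get("DestinationIp", "")
            if ip in REPORT_IPS:
                findings[image].append(("low", "connection to IP seen in report: " + ip))
    return dict(findings)


def verdict(process_findings) -> str:
    """Combine severities: policy tampering plus an IP-check lookup is the loader-like pattern."""
    severities = {sev for sev, _ in process_findings}
    if "high" in severities and "medium" in severities:
        return "guloader-like"
    if "high" in severities:
        return "suspicious"
    if "medium" in severities:
        return "review"
    return "info"


if __name__ == "__main__":
    for image, hits in evaluate(SAMPLE_LOG).items():
        print(f"{verdict(hits):14} {image}")
        for sev, reason in hits:
            print(f"    [{sev}] {reason}")
```

Per-process aggregation is the part to get right on real telemetry: the report splits the behaviour across PIDs 6940 and 4664 of the same image, so key the findings by process tree (parent and child) rather than by image path alone, or the registry write and the DNS lookup may land in different buckets and never reach the combined verdict.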
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1632353 |
Start date and time: | 2025-03-07 22:42:18 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 1258ad6Jpw.exe (renamed because original name is a hash value) |
Original Sample Name: | d953e4ecdd89c5bec7fa20b1d7f43ad83940c3505b9deaaf8dd79247d4178852.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/9@4/4 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.60.203.209
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
⊘No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.16.1 | | Get hash | malicious | FormBook | Browse | |
104.21.16.1 | | Get hash | malicious | FormBook | Browse | |
104.21.16.1 | | Get hash | malicious | FormBook | Browse | |
104.21.16.1 | | Get hash | malicious | Lokibot | Browse | |
104.21.16.1 | | Get hash | malicious | FormBook | Browse | |
104.21.16.1 | | Get hash | malicious | Lokibot | Browse | |
104.21.16.1 | | Get hash | malicious | HTMLPhisher | Browse | |
104.21.16.1 | | Get hash | malicious | Unknown | Browse | |
104.21.16.1 | | Get hash | malicious | FormBook | Browse | |
104.21.16.1 | | Get hash | malicious | FormBook | Browse | |
158.101.44.242 | | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
158.101.44.242 | | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
158.101.44.242 | | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
158.101.44.242 | | Get hash | malicious | Snake Keylogger | Browse | |
158.101.44.242 | | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
158.101.44.242 | | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
158.101.44.242 | | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
158.101.44.242 | | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
158.101.44.242 | | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
158.101.44.242 | | Get hash | malicious | Snake Keylogger | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
checkip.dyndns.com | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
checkip.dyndns.com | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
checkip.dyndns.com | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
checkip.dyndns.com | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
checkip.dyndns.com | Get hash | | malicious | Snake Keylogger, VIP Keylogger | Browse | |
checkip.dyndns.com | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
checkip.dyndns.com | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
checkip.dyndns.com | Get hash | | malicious | Snake Keylogger | Browse | |
checkip.dyndns.com | Get hash | | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |
checkip.dyndns.com | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
reallyfreegeoip.org | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
reallyfreegeoip.org | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
reallyfreegeoip.org | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
reallyfreegeoip.org | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
reallyfreegeoip.org | Get hash | | malicious | Snake Keylogger, VIP Keylogger | Browse | |
reallyfreegeoip.org | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
reallyfreegeoip.org | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
reallyfreegeoip.org | Get hash | | malicious | Snake Keylogger | Browse | |
reallyfreegeoip.org | Get hash | | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |
reallyfreegeoip.org | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
CLOUDFLARENETUS | Get hash | | malicious | Unknown | Browse | |
CLOUDFLARENETUS | Get hash | | malicious | Unknown | Browse | |
CLOUDFLARENETUS | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
CLOUDFLARENETUS | Get hash | | malicious | FormBook | Browse | |
CLOUDFLARENETUS | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
CLOUDFLARENETUS | Get hash | | malicious | Unknown | Browse | |
CLOUDFLARENETUS | Get hash | | malicious | Unknown | Browse | |
CLOUDFLARENETUS | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
CLOUDFLARENETUS | Get hash | | malicious | Snake Keylogger, VIP Keylogger | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | Snake Keylogger, VIP Keylogger | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | Snake Keylogger | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | Snake Keylogger, VIP Keylogger | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | Snake Keylogger, VIP Keylogger | Browse | |
ORACLE-BMC-31898US | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | Snake Keylogger, VIP Keylogger | Browse | |
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | Snake Keylogger | Browse | |
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | | malicious | MSIL Logger, MassLogger RAT | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader, Snake Keylogger | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader | Browse | |
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | GuLoader | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | Discord Token Stealer, GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | Discord Token Stealer, GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | Discord Token Stealer, GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | Discord Token Stealer, GuLoader | Browse | |
C:\Users\user\AppData\Local\Temp\nsk64CB.tmp\System.dll | Get hash | | malicious | Discord Token Stealer, GuLoader | Browse | |
Process: | C:\Users\user\Desktop\1258ad6Jpw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11264 |
Entropy (8bit): | 5.7711167426271945 |
Encrypted: | false |
SSDEEP: | 192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn |
MD5: | 3F176D1EE13B0D7D6BD92E1C7A0B9BAE |
SHA1: | FE582246792774C2C9DD15639FFA0ACA90D6FD0B |
SHA-256: | FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E |
SHA-512: | 0A69124819B7568D0DEA4E9E85CE8FE61C7BA697C934E3A95E2DCFB9F252B1D9DA7FAF8774B6E8EFD614885507ACC94987733EBA09A2F5E7098B774DFC8524B6 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\1258ad6Jpw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 311848 |
Entropy (8bit): | 7.6875593798526936 |
Encrypted: | false |
SSDEEP: | 6144:ad3VjstO0TAii/WWmdfeCq40lcPz+m/H0EoXINkuAF:ad3VjstO0Ex/ugLlcPzTH0EmOr+ |
MD5: | A6DBA8021145F75869C20E62A05BB501 |
SHA1: | B0069FD18DB57FC277C9FAE3C1EACDD25AE9B2F8 |
SHA-256: | 295F0B043C70D95666E700C212C3702B57E0D4B553D1E9799827E77813B475E5 |
SHA-512: | CD2C50C5AD4836EC89B931CE540BEBE20CFDBFBF1F185CBD570305C49362CF421236B34A3B0B15B2D2E5538A38B7CD89B5560BE9B12C0D29EBD2A7D74A121EE9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\1258ad6Jpw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 134729 |
Entropy (8bit): | 4.612292450829367 |
Encrypted: | false |
SSDEEP: | 1536:ONxcPexIuEixExsZUtROtE4sTBnEwQq9sP3heWckIraJH1lWQpctCvZehFVRLd:ONoevEimCUtk6J6PReLE6QpTZehX |
MD5: | EEF6A68F72261899E0466739548115A6 |
SHA1: | A75F288B9892361D553B41A948EC4E16B2F32561 |
SHA-256: | 2CE4DF66D10327F6F10259E5A03D36C1C291867C03A26D1B31620B81A89B0D81 |
SHA-512: | 2C92F62B1D0BC03B54139AF08CFAAB89E4151963194ABBF04BB69956B878EE82AF16177B93E5E58BD4A933CB31B031FB6EE6EBCFCA1F589CB1E2933D811886D1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\1258ad6Jpw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 33551 |
Entropy (8bit): | 7.956268181390171 |
Encrypted: | false |
SSDEEP: | 768:Y3BEzLhyMSuCE5OTO/R+5oEdZ0/EqdZceab:Y2xyM4EfYokZ0pTcTb |
MD5: | 7395345F8F9FA1C2C012F30387FBE6BC |
SHA1: | E2ECA72547487EBC02E2C37A3B997E3B6C318F0E |
SHA-256: | FE0871EB8DC89CEAACDEA8439DED372446CC9B7A5C8E4B25530DA1B9F69B6E83 |
SHA-512: | F4760E97752416734AA323722FFF672D85FD23E057D70296DE304CCFD7C813AAE1E2091006F1ACC9758A16ACFF8B61C00164AEE116AE9AC2FAAEC34E186DB7A1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\1258ad6Jpw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 317679 |
Entropy (8bit): | 1.2663999773114714 |
Encrypted: | false |
SSDEEP: | 1536:+C6MIq7nr4cwrdrXpUMOn0mJk0qsrHSJ+crTe:5NLLdCjsfKArHSJBe |
MD5: | 4B4E2FDEFF2DC5AF4E442DB8042A4ECA |
SHA1: | 11B4AE1475CA6474615B2FBE921C8DE02202D0A7 |
SHA-256: | C2BB0DD5C0CF12B535B2EB67D6DF11E6542C8B9A28C47996AD5A955EDD5F6FC7 |
SHA-512: | 7F327729126D6A31FC6458540A4BB799FC3E5EA000DF5994FDDD6E16702C80130D472EF215E87279470DD014E0A4FB3BFC47A7A092BA37B6A484EDEDF8ECE32A |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\1258ad6Jpw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 24425 |
Entropy (8bit): | 7.966022811010688 |
Encrypted: | false |
SSDEEP: | 384:hejmQNhLRG3tOg2Q2FewajHVoWrO/zQQ1SHTpKLZTuNtTpb9PzWzpl4kO/uzvl:heJNGpKajHVDO/zQk1TuFb9PkO/ubl |
MD5: | 50C4365542D93FD8A313440ADDA9017D |
SHA1: | DEF4FD0B74AA6D981AA001BDEA66125BCDD94235 |
SHA-256: | 461AD2638A4BD638EC62FE4D1E467B80A2FD0C9888D99C853D196FB693D98866 |
SHA-512: | 7CC979865AAC0E3B4562C55B30A3D868306E3D792F94DA62876673CD6E4B08752953BB45ECB2C57A23645CFE894C3D2116CA9FB97F9E61B51B76D911786C4DFB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\1258ad6Jpw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 33077 |
Entropy (8bit): | 7.9576023926668045 |
Encrypted: | false |
SSDEEP: | 768:Y3BEzLhyMSuCE5OTO/R+5oEdZ0/EqdZceam:Y2xyM4EfYokZ0pTcTm |
MD5: | 422D904C045D4AC8205AE56D0D413CF9 |
SHA1: | 8EDD159E33B5FEED673EB21561923B6311952D6A |
SHA-256: | 896685BAA3D8B6C65622F6D6241A3C2121A1E26434875E8F03C544EBE54AF56D |
SHA-512: | 087B0A02B40ACA8792B2E60280B8E7645E086AC19919C55F078530EEACAC6AA44FC12E5104C1D7EA25A2B2367E4721BB9CB20DE6E65D98756AC8C5395D8ED4E1 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\1258ad6Jpw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 490637 |
Entropy (8bit): | 1.247791588729088 |
Encrypted: | false |
SSDEEP: | 1536:Iwj7QkU4Succftrx4E1tOkzEF62k8SPnkxFDhTB7FTIo:IIQkHCcfkCxYFLk8S6FBxJ |
MD5: | 454BFA40F950359C0C5FEDFCE885DB5D |
SHA1: | 3FCD8AE2AFC5D784A1759315B9E1744E9873E950 |
SHA-256: | 92CB9A933F564E207A2F8A9387DC6F4852A5AA53AC6C95120FE77D3B684CA3A4 |
SHA-512: | 4A8B956FBF7072B676F6A8526D6F909A7D6F43C4F67C7AEA12E275799B42B78E8500A7CAA5387EFF5607D90D578210C6FC230238B6B95401392115A0AA49DBEA |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\1258ad6Jpw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 95158 |
Entropy (8bit): | 1.2550487729623385 |
Encrypted: | false |
SSDEEP: | 768:RtbjIxO6JaLTYpLJL8Ku9ytaVXzM3gdDENCc2wqlx9:z6gLTIgt9Krox9 |
MD5: | 4E17CFAE8BE669DC88BB9343F971862B |
SHA1: | 642EA7D1C06F438146D2DF1B132AC7E85A261917 |
SHA-256: | 25615665769858EFD92342269955C6ACD095520D8FE5B5FB1633D28ED92CD840 |
SHA-512: | 7209C60BD74062F9E689A8389F671C0E0B531B764858957C5724AE548E28A163809B5A7B998D680250AFD84D1BC28414EAD65D12D8D352CF4D4B0E9E4BAC2237 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.621271816812706 |
TrID: | |
File name: | 1258ad6Jpw.exe |
File size: | 1'113'012 bytes |
MD5: | 8b0bd4c6a70334229181f7f0563e154b |
SHA1: | cb0adf2e607fd383b5f1f2e298b0aee721d5716f |
SHA256: | d953e4ecdd89c5bec7fa20b1d7f43ad83940c3505b9deaaf8dd79247d4178852 |
SHA512: | 3ed928d686dd3f565152d9da88a3d67990bec27c37e9d523a904b2ca7014d2783e690a3754e5674eff59c183454b180b3a3312b251d62ef455065cdba58ae2e1 |
SSDEEP: | 24576:LzOEC045qGBczSaixgooBOkclvNG5HgapE:eEe0UIixgoUOkc6NgV |
TLSH: | E5351287FA7445E7F8384231A82ADD781E31BC2A340C5A4AB2F7B79F6C337406649536 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...<.MX.................b...|..... |
Icon Hash: | 07970e4547277670 |
Entrypoint: | 0x4031a3 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x584DCA3C [Sun Dec 11 21:50:52 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b78ecf47c0a3e24a6f4af114e2d1f5de |
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 0040A198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004080A8h] |
call dword ptr [004080A4h] |
cmp ax, 00000006h |
je 00007F4CC8D88893h |
push ebx |
call 00007F4CC8D8B801h |
cmp eax, ebx |
je 00007F4CC8D88889h |
push 00000C00h |
call eax |
mov esi, 00408298h |
push esi |
call 00007F4CC8D8B77Dh |
push esi |
call dword ptr [004080A0h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007F4CC8D8886Dh |
push ebp |
push 00000009h |
call 00007F4CC8D8B7D4h |
push 00000007h |
call 00007F4CC8D8B7CDh |
mov dword ptr [0042F404h], eax |
call dword ptr [00408044h] |
push ebx |
call dword ptr [00408288h] |
mov dword ptr [0042F4B8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 00429828h |
call dword ptr [00408174h] |
push 0040A188h |
push 0042EC00h |
call 00007F4CC8D8B3F7h |
call dword ptr [0040809Ch] |
mov ebp, 00435000h |
push eax |
push ebp |
call 00007F4CC8D8B3E5h |
push ebx |
call dword ptr [00408154h] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8534 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x6edf8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6071 | 0x6200 | 86ec2a2da0012903b23e33f511180572 | False | 0.6687659438775511 | data | 6.434342820031866 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1352 | 0x1400 | cd090b7c5bd9ae3da2a43d4f02ef98b7 | False | 0.4599609375 | data | 5.237297010093776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x254f8 | 0x600 | e98382d1559cdefaafaf45200fe1faf0 | False | 0.4544270833333333 | data | 4.037252180314336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x30000 | 0x16000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x46000 | 0x6edf8 | 0x6ee00 | 2bdfae43485366cb4915bf38e81a67ea | False | 0.28867715966741825 | data | 3.520926376921896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_BITMAP | 0x46430 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
RT_ICON | 0x46798 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | English | United States | 0.19849764772021186 |
RT_ICON | 0x887c0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.23927895421743758 |
RT_ICON | 0x98fe8 | 0x96fe | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9903502871630362 |
RT_ICON | 0xa26e8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.2592495270128232 |
RT_ICON | 0xabb90 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.2900330656589514 |
RT_ICON | 0xafdb8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.30632780082987554 |
RT_ICON | 0xb2360 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.35553470919324576 |
RT_ICON | 0xb3408 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.40737704918032785 |
RT_ICON | 0xb3d90 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.44680851063829785 |
RT_DIALOG | 0xb41f8 | 0x144 | data | English | United States | 0.5216049382716049 |
RT_DIALOG | 0xb4340 | 0x13c | data | English | United States | 0.5506329113924051 |
RT_DIALOG | 0xb4480 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0xb4580 | 0x11c | data | English | United States | 0.6091549295774648 |
RT_DIALOG | 0xb46a0 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0xb4768 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0xb47c8 | 0x84 | data | English | United States | 0.7045454545454546 |
RT_VERSION | 0xb4850 | 0x264 | data | English | United States | 0.47058823529411764 |
RT_MANIFEST | 0xb4ab8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795 |
DLL | Import |
---|---|
KERNEL32.dll | SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc |
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA |
ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Description | Data |
---|---|
Comments | secondment monkshoods noeolles |
CompanyName | tubehearted torchlights |
InternalName | baggrundsmaterialet encroachment.exe |
OriginalFilename | baggrundsmaterialet encroachment.exe |
Translation | 0x0409 0x04e4 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-07T22:44:06.947274+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.8 | 49689 | 142.250.184.238 | 443 | TCP |
2025-03-07T22:44:13.116704+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49691 | 158.101.44.242 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 7, 2025 22:44:11.947016001 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.947040081 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.947082996 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.952919960 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.952985048 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.953007936 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.953049898 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.956594944 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.956681967 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.956701040 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.956743956 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.959614992 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.959675074 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.959691048 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.959737062 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.966543913 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.966617107 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.966624022 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.966634989 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.966660023 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.966727972 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.966737032 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.966782093 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.966823101 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:11.966856003 CET | 443 | 49690 | 142.250.185.97 | 192.168.2.8 |
Mar 7, 2025 22:44:11.966908932 CET | 49690 | 443 | 192.168.2.8 | 142.250.185.97 |
Mar 7, 2025 22:44:12.278911114 CET | 49691 | 80 | 192.168.2.8 | 158.101.44.242 |
Mar 7, 2025 22:44:12.283987045 CET | 80 | 49691 | 158.101.44.242 | 192.168.2.8 |
Mar 7, 2025 22:44:12.284058094 CET | 49691 | 80 | 192.168.2.8 | 158.101.44.242 |
Mar 7, 2025 22:44:12.284291029 CET | 49691 | 80 | 192.168.2.8 | 158.101.44.242 |
Mar 7, 2025 22:44:12.289319038 CET | 80 | 49691 | 158.101.44.242 | 192.168.2.8 |
Mar 7, 2025 22:44:12.902137995 CET | 80 | 49691 | 158.101.44.242 | 192.168.2.8 |
Mar 7, 2025 22:44:12.911372900 CET | 49691 | 80 | 192.168.2.8 | 158.101.44.242 |
Mar 7, 2025 22:44:12.916698933 CET | 80 | 49691 | 158.101.44.242 | 192.168.2.8 |
Mar 7, 2025 22:44:13.069559097 CET | 80 | 49691 | 158.101.44.242 | 192.168.2.8 |
Mar 7, 2025 22:44:13.082401991 CET | 49692 | 443 | 192.168.2.8 | 104.21.16.1 |
Mar 7, 2025 22:44:13.082500935 CET | 443 | 49692 | 104.21.16.1 | 192.168.2.8 |
Mar 7, 2025 22:44:13.082576036 CET | 49692 | 443 | 192.168.2.8 | 104.21.16.1 |
Mar 7, 2025 22:44:13.085259914 CET | 49692 | 443 | 192.168.2.8 | 104.21.16.1 |
Mar 7, 2025 22:44:13.085288048 CET | 443 | 49692 | 104.21.16.1 | 192.168.2.8 |
Mar 7, 2025 22:44:13.116703987 CET | 49691 | 80 | 192.168.2.8 | 158.101.44.242 |
Mar 7, 2025 22:44:14.632355928 CET | 443 | 49692 | 104.21.16.1 | 192.168.2.8 |
Mar 7, 2025 22:44:14.632486105 CET | 49692 | 443 | 192.168.2.8 | 104.21.16.1 |
Mar 7, 2025 22:44:14.636451006 CET | 49692 | 443 | 192.168.2.8 | 104.21.16.1 |
Mar 7, 2025 22:44:14.636478901 CET | 443 | 49692 | 104.21.16.1 | 192.168.2.8 |
Mar 7, 2025 22:44:14.636842966 CET | 443 | 49692 | 104.21.16.1 | 192.168.2.8 |
Mar 7, 2025 22:44:14.641181946 CET | 49692 | 443 | 192.168.2.8 | 104.21.16.1 |
Mar 7, 2025 22:44:14.688318968 CET | 443 | 49692 | 104.21.16.1 | 192.168.2.8 |
Mar 7, 2025 22:44:15.078079939 CET | 443 | 49692 | 104.21.16.1 | 192.168.2.8 |
Mar 7, 2025 22:44:15.078150034 CET | 443 | 49692 | 104.21.16.1 | 192.168.2.8 |
Mar 7, 2025 22:44:15.078236103 CET | 49692 | 443 | 192.168.2.8 | 104.21.16.1 |
Mar 7, 2025 22:44:15.085170984 CET | 49692 | 443 | 192.168.2.8 | 104.21.16.1 |
Mar 7, 2025 22:45:18.070789099 CET | 80 | 49691 | 158.101.44.242 | 192.168.2.8 |
Mar 7, 2025 22:45:18.071006060 CET | 49691 | 80 | 192.168.2.8 | 158.101.44.242 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 7, 2025 22:44:04.549715996 CET | 55035 | 53 | 192.168.2.8 | 1.1.1.1 |
Mar 7, 2025 22:44:04.558989048 CET | 53 | 55035 | 1.1.1.1 | 192.168.2.8 |
Mar 7, 2025 22:44:06.970402956 CET | 63958 | 53 | 192.168.2.8 | 1.1.1.1 |
Mar 7, 2025 22:44:06.977683067 CET | 53 | 63958 | 1.1.1.1 | 192.168.2.8 |
Mar 7, 2025 22:44:12.266731977 CET | 62078 | 53 | 192.168.2.8 | 1.1.1.1 |
Mar 7, 2025 22:44:12.273967981 CET | 53 | 62078 | 1.1.1.1 | 192.168.2.8 |
Mar 7, 2025 22:44:13.071512938 CET | 62837 | 53 | 192.168.2.8 | 1.1.1.1 |
Mar 7, 2025 22:44:13.081583023 CET | 53 | 62837 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 7, 2025 22:44:04.549715996 CET | 192.168.2.8 | 1.1.1.1 | 0xecd1 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:06.970402956 CET | 192.168.2.8 | 1.1.1.1 | 0xf13f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:12.266731977 CET | 192.168.2.8 | 1.1.1.1 | 0x7096 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:13.071512938 CET | 192.168.2.8 | 1.1.1.1 | 0x37fe | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 7, 2025 22:44:04.558989048 CET | 1.1.1.1 | 192.168.2.8 | 0xecd1 | No error (0) | | | 142.250.184.238 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:06.977683067 CET | 1.1.1.1 | 192.168.2.8 | 0xf13f | No error (0) | | | 142.250.185.97 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:12.273967981 CET | 1.1.1.1 | 192.168.2.8 | 0x7096 | No error (0) | | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 7, 2025 22:44:12.273967981 CET | 1.1.1.1 | 192.168.2.8 | 0x7096 | No error (0) | | | 158.101.44.242 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:12.273967981 CET | 1.1.1.1 | 192.168.2.8 | 0x7096 | No error (0) | | | 193.122.130.0 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:12.273967981 CET | 1.1.1.1 | 192.168.2.8 | 0x7096 | No error (0) | | | 193.122.6.168 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:12.273967981 CET | 1.1.1.1 | 192.168.2.8 | 0x7096 | No error (0) | | | 132.226.8.169 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:12.273967981 CET | 1.1.1.1 | 192.168.2.8 | 0x7096 | No error (0) | | | 132.226.247.73 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:13.081583023 CET | 1.1.1.1 | 192.168.2.8 | 0x37fe | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:13.081583023 CET | 1.1.1.1 | 192.168.2.8 | 0x37fe | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:13.081583023 CET | 1.1.1.1 | 192.168.2.8 | 0x37fe | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:13.081583023 CET | 1.1.1.1 | 192.168.2.8 | 0x37fe | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:13.081583023 CET | 1.1.1.1 | 192.168.2.8 | 0x37fe | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:13.081583023 CET | 1.1.1.1 | 192.168.2.8 | 0x37fe | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Mar 7, 2025 22:44:13.081583023 CET | 1.1.1.1 | 192.168.2.8 | 0x37fe | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49691 | 158.101.44.242 | 80 | 4664 | C:\Users\user\Desktop\1258ad6Jpw.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Mar 7, 2025 22:44:12.284291029 CET | 151 | OUT | |
Mar 7, 2025 22:44:12.902137995 CET | 321 | IN | |
Mar 7, 2025 22:44:12.911372900 CET | 127 | OUT | |
Mar 7, 2025 22:44:13.069559097 CET | 321 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49689 | 142.250.184.238 | 443 | 4664 | C:\Users\user\Desktop\1258ad6Jpw.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-07 21:44:06 UTC | 216 | OUT | |
2025-03-07 21:44:06 UTC | 1610 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.8 | 49690 | 142.250.185.97 | 443 | 4664 | C:\Users\user\Desktop\1258ad6Jpw.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-07 21:44:08 UTC | 258 | OUT | |
2025-03-07 21:44:11 UTC | 5016 | IN | |
2025-03-07 21:44:11 UTC | 5016 | IN | |
2025-03-07 21:44:11 UTC | 4665 | IN | |
2025-03-07 21:44:11 UTC | 1323 | IN | |
2025-03-07 21:44:11 UTC | 1378 | IN | |
2025-03-07 21:44:11 UTC | 1378 | IN | |
2025-03-07 21:44:11 UTC | 1378 | IN | |
2025-03-07 21:44:11 UTC | 1378 | IN | |
2025-03-07 21:44:11 UTC | 1378 | IN | |
2025-03-07 21:44:11 UTC | 1378 | IN | |
2025-03-07 21:44:11 UTC | 1378 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.8 | 49692 | 104.21.16.1 | 443 | 4664 | C:\Users\user\Desktop\1258ad6Jpw.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-07 21:44:14 UTC | 85 | OUT | |
2025-03-07 21:44:15 UTC | 861 | IN | |
2025-03-07 21:44:15 UTC | 362 | IN | |
Target ID: | 0 |
Start time: | 16:43:12 |
Start date: | 07/03/2025 |
Path: | C:\Users\user\Desktop\1258ad6Jpw.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'113'012 bytes |
MD5 hash: | 8B0BD4C6A70334229181F7F0563E154B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 16:43:50 |
Start date: | 07/03/2025 |
Path: | C:\Users\user\Desktop\1258ad6Jpw.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'113'012 bytes |
MD5 hash: | 8B0BD4C6A70334229181F7F0563E154B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |