
Analysis Report SBG-1100319PurchaseOrder.exe

Overview

General Information

Sample Name: SBG-1100319PurchaseOrder.exe
Analysis ID: 388089
MD5: 2dd62d78b9f7e9c5529502e085b55756
SHA1: 151d4cd68958df35ae706cc232627a05e923307f
SHA256: c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
Tags: exe, RAT, RemcosRAT

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Sigma detected: Remcos
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SBG-1100319PurchaseOrder.exe (PID: 6224 cmdline: 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe' MD5: 2DD62D78B9F7E9C5529502E085B55756)
    • SBG-1100319PurchaseOrder.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe' MD5: 2DD62D78B9F7E9C5529502E085B55756)
  • wscript.exe (PID: 7152 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • filename1.exe (PID: 5936 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe MD5: 2DD62D78B9F7E9C5529502E085B55756)
      • filename1.exe (PID: 5516 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe MD5: 2DD62D78B9F7E9C5529502E085B55756)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: filename1.exe PID: 5516 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security
Process Memory Space: filename1.exe PID: 5516 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe, ProcessId: 6352, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2"}
Source: SBG-1100319PurchaseOrder.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2
Source: global traffic | TCP traffic: 192.168.2.7:49722 -> 79.134.225.124:2048
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/b
Source: SBG-1100319PurchaseOrder.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%21505&authkey=ANKqoxx
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000003.345228305.0000000000971000.00000004.00000001.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmp | String found in binary or memory: https://vug8la.am.files.1drv.com/
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp | String found in binary or memory: https://vug8la.am.files.1drv.com/y4mT1QYIp_fyTE8Fy0lLLYF_0s99rPZfbzgWA1b5QlZt4eQwn4RVNktZv9qdlLB64Ai

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254532475.000000000075A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: SBG-1100319PurchaseOrder.exe
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056616E NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00565D24 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056645C NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00566474 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056640C NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056642A NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005664D8 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00565CCB NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005664FA NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00565CE1 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056648A NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00566174 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005661CE NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005661FE NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005661E8 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056618C NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005661B8 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056624A NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00566264 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056621C NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005662CA NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005662F0 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00566296 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00566280 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005662B4 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056635A NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056636E NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00566306 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056633C NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00566324 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005663C8 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005663E0 NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056638E NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_005663AE NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056616E NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00560500 EnumWindows, NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00565D24 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00560754 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00565787 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056645C NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00566474 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056506E NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056640C NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056642A NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005664D8 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00565CCB NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005664FA NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00565CE1 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056648A NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00560D56 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00566174 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00566569 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00560D13 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00560D28 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005661CE NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005605CA NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005605F2 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005661FE NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005661E8 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00560586 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056618C NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005661B8 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00560DA8 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056624A NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00560664 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00566264 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056621C NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056062B NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005606D4 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005662CA NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005662F0 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00566296 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00560698 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00566280 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005662B4 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056635A NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00564F76 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056636E NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00566306 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056633C NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00566324 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005663C8 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005663E0 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056638E NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005663AE NtSetInformationThread
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 0_2_0223648A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_0056648A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00564700
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 12_2_021C648A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_0056648A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005665DA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005629C7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00564366
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00565363
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00564700
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005643B0
Source: SBG-1100319PurchaseOrder.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254583063.0000000002200000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.507657061.000000001DEE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000000.253118213.0000000000432000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.507717247.000000001E030000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe | Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@8/3@62/1
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Mutant created: \Sessions\1\BaseNamedObjects\idll-WT08JM
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Source: SBG-1100319PurchaseOrder.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 3 times)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File read: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
Source: unknown | Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe' (reported 2 times)
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe (reported 2 times)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe (reported 2 times)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 5516, type: MEMORY
Source: Yara match | File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224, type: MEMORY
Source: Yara match | File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 5936, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 5516, type: MEMORY
Source: Yara match | File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224, type: MEMORY
Source: Yara match | File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 5936, type: MEMORY
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 0_2_02235A0A push eax; ret
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00563B8E pushad; ret
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 12_2_021C5A0A push eax; ret
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005629C7 pushad; ret
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00563B8E pushad; ret
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe (dropped file)

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs (reported 2 times)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key (reported 4 times)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Process information set: NOOPENFILEERRORBOX (reported 8 times)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (reported 2 times)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX (reported 6 times)

            Malware Analysis System Evasion:

            barindex
            Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 2_2_00562387
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_005623A6
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeRDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeRDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeRDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeRDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeFile opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: SBG-1100319PurchaseOrder.exe, filename1.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeRDTSC instruction interceptor: First address: 000000000223033D second address: 00000000022346F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CC92A9h 0x00000010 jmp 00007F1880CC4246h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CC4246h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CC34DAh 0x00000032 jmp 00007F1880CC4242h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CC4242h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CC4242h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeRDTSC instruction interceptor: First address: 00000000022346F2 second address: 0000000002234756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CB64F2h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CB65E9h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CB64F6h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeRDTSC instruction interceptor: First address: 00000000022348F1 second address: 0000000002234988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CC4242h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CC4242h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CC4242h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CC4246h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CC4246h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeRDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CBB559h 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CB64F6h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CB578Ah 0x00000032 jmp 00007F1880CB64F2h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CB64F2h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CB64F2h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeRDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CC4242h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CC4246h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CC4339h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CC4246h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeRDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CB64F2h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CB64F2h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CB64F2h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CB64F6h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CB64F6h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeRDTSC instruction interceptor: First address: 00000000021C033D second address: 00000000021C46F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F18804EC169h 0x00000010 jmp 00007F18804E7106h 0x00000012 test dh, bh 0x00000014 jmp 00007F18804E7106h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F18804E639Ah 0x00000032 jmp 00007F18804E7102h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F18804E7102h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F18804E7102h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeRDTSC instruction interceptor: First address: 00000000021C46F2 second address: 00000000021C4756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CB64F2h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CB65E9h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CB64F6h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeRDTSC instruction interceptor: First address: 00000000021C48F1 second address: 00000000021C4988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CC4242h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CC4242h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CC4242h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CC4246h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CC4246h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeRDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CBB559h 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CB64F6h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CB578Ah 0x00000032 jmp 00007F1880CB64F2h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CB64F2h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CB64F2h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeRDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CC4242h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CC4246h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CC4339h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CC4246h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeRDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CB64F2h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CB64F2h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CB64F2h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CB64F6h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CB64F6h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 0_2_02235232 rdtsc
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe TID: 6804Thread sleep count: 81 > 30
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe TID: 6804Thread sleep time: -40500s >= -30000s
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWXV
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWdwebpl
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
            Source: SBG-1100319PurchaseOrder.exe, filename1.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_00560500 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeThread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_005638AC LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 0_2_0223465F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 0_2_02231EEC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 0_2_02231ED8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 0_2_02232ADD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 0_2_02231F14 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 0_2_02234FA8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 0_2_02231C8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 2_2_00565810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 2_2_0056465F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 2_2_00562AC6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 2_2_005657DC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 2_2_005657C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 2_2_00565787 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 2_2_0056578A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeCode function: 2_2_00564FA8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 12_2_021C465F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 12_2_021C2ADD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 12_2_021C1ED8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 12_2_021C1EEC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 12_2_021C1F14 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 12_2_021C4FA8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 12_2_021C1C8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_00561ED8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_00565787 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_00565810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_00561C8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_0056465F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_00562ADD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_00561EEC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_00561F14 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_0056171F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_005657DC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_005657C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_0056578A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 13_2_00564FA8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exeProcess created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmpBinary or memory string: Program Manager
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, logs.dat.2.drBinary or memory string: [ Program Manager ]
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmpBinary or memory string: Program Managerk\AppData\Local\Temp\subfolder1\filename1.vbs
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Scripting11 | Registry Run Keys / Startup Folder11 | Process Injection12 | Masquerading1 | Input Capture111 | Security Software Discovery721 | Remote Services | Input Capture111 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder11 | Virtualization/Sandbox Evasion22 | LSASS Memory | Virtualization/Sandbox Evasion22 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting11 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | System Information Discovery32 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings

            Behavior Graph

            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 388089 Sample: SBG-1100319PurchaseOrder.exe Startdate: 15/04/2021 Architecture: WINDOWS Score: 100 30 sheilabeltagy4m.hopto.org 2->30 32 micheal3m.hopto.org 2->32 46 Potential malicious icon found 2->46 48 Found malware configuration 2->48 50 Yara detected GuLoader 2->50 52 5 other signatures 2->52 8 SBG-1100319PurchaseOrder.exe 1 1 2->8         started        11 wscript.exe 2->11         started        signatures3 process4 signatures5 58 Creates autostart registry keys with suspicious values (likely registry only malware) 8->58 60 Contains functionality to detect hardware virtualization (CPUID execution measurement) 8->60 62 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 8->62 64 3 other signatures 8->64 13 SBG-1100319PurchaseOrder.exe 2 12 8->13         started        18 filename1.exe 1 11->18         started        process6 dnsIp7 40 micheal3m.hopto.org 79.134.225.124, 2048, 49722, 49725 FINK-TELECOM-SERVICESCH Switzerland 13->40 42 vug8la.am.files.1drv.com 13->42 44 3 other IPs or domains 13->44 24 C:\Users\user\AppData\Local\...\filename1.exe, PE32 13->24 dropped 26 C:\Users\user\AppData\Roaming\...\logs.dat, data 13->26 dropped 28 C:\Users\user\AppData\Local\...\filename1.vbs, ASCII 13->28 dropped 66 Hides threads from debuggers 13->66 68 Installs a global keyboard hook 13->68 70 Contains functionality to detect hardware virtualization (CPUID execution measurement) 18->70 72 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 18->72 74 Tries to detect Any.run 18->74 76 2 other signatures 18->76 20 filename1.exe 7 18->20         started        file8 signatures9 process10 dnsIp11 34 vug8la.am.files.1drv.com 20->34 36 onedrive.live.com 20->36 38 dm-files.fe.1drv.com 20->38 54 Tries to detect Any.run 20->54 56 Hides threads from debuggers 20->56 signatures12


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            Source | Detection | Scanner | Label
            micheal3m.hopto.org | 1% | Virustotal |

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            sheilabeltagy4m.hopto.org | 79.134.225.124 | true | false |  | unknown
            micheal3m.hopto.org | 79.134.225.124 | true | false |  | unknown
            onedrive.live.com | unknown | unknown | false |  | high
            vug8la.am.files.1drv.com | unknown | unknown | false |  | high

                  Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2 | false |  | high

                    URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://onedrive.live.com/b | SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp | false |  | high
            https://vug8la.am.files.1drv.com/y4mT1QYIp_fyTE8Fy0lLLYF_0s99rPZfbzgWA1b5QlZt4eQwn4RVNktZv9qdlLB64Ai | SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp | false |  | high
            https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%21505&authkey=ANKqoxx | SBG-1100319PurchaseOrder.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp | false |  | high
            https://vug8la.am.files.1drv.com/ | SBG-1100319PurchaseOrder.exe, 00000002.00000003.345228305.0000000000971000.00000004.00000001.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmp | false |  | high
            https://onedrive.live.com/ | SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp | false |  | high

                              Contacted IPs


                              Public

            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
            79.134.225.124 | sheilabeltagy4m.hopto.org | Switzerland |  | 6775 | FINK-TELECOM-SERVICESCH | false

                              General Information

            Joe Sandbox Version: 31.0.0 Emerald
            Analysis ID: 388089
            Start date: 15.04.2021
            Start time: 21:36:31
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 7m 33s
            Hypervisor based Inspection enabled: false
            Report type: light
            Sample file name: SBG-1100319PurchaseOrder.exe
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed: 30
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal100.rans.troj.spyw.evad.winEXE@8/3@62/1
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 4.8% (good quality ratio 4.8%)
            • Quality average: 56%
            • Quality standard deviation: 6.9%
            HCA Information: Failed
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                              • TCP Packets have been reduced to 100
                              • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.209.183, 52.255.188.83, 104.43.193.48, 92.122.145.220, 104.43.139.144, 23.57.80.111, 13.107.42.13, 13.107.42.12, 2.20.142.209, 2.20.142.210, 51.103.5.159, 20.82.210.154, 23.32.238.177, 23.32.238.234, 52.155.217.156, 20.54.26.129
                              • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, au.download.windowsupdate.com.edgesuite.net, odc-dm-files-geo.onedrive.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, l-0004.l-msedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, wns.notify.trafficmanager.net, l-0003.l-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, odc-dm-files-brs.onedrive.akadns.net, client.wns.windows.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
21:37:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs
21:37:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs
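The two RunOnce writes above, together with the dropped filename1.vbs launcher listed under Created / dropped Files, are the persistence chain a responder would hunt for on other hosts: a RunOnce value pointing at a script in the user's Temp directory, and the script re-launching a copy of the sample from the same directory. The Python below is an added triage example, not part of the Joe Sandbox report or its tooling. It scores exported Run/RunOnce values for script targets and temp-directory paths, and pulls the launched program out of a WScript.Shell launcher. The two benign Run entries, the expected-extension set and all function names are constructed for the example; the two RunOnce entries and the VBS text are the ones this report records.

```python
import ntpath
import re

# Constructed sample registry values: the two RunOnce entries from this report
# plus two benign Run entries (the benign ones are assumptions, for contrast).
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Startup key",
     r"C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs"),
    (r"HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Startup key",
     r"C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# The launcher dropped as filename1.vbs in this report.
SAMPLE_VBS = r'''Set W = CreateObject("WScript.Shell")
Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe")'''

# Extensions that hand execution to a script host instead of running a PE directly.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
# User-writable temp locations; legitimate autostart entries almost never live here.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%|%tmp%", re.IGNORECASE)
# Exec/Run calls on a WScript.Shell object whose first argument is a quoted path.
LAUNCH_RE = re.compile(r'\.(?:Exec|Run)\s*\(\s*"([^"]+)"', re.IGNORECASE)


def extract_target(value):
    """Return the program path from a Run/RunOnce value, dropping any arguments."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split()[0] if v else ""


def triage_autostart(key, value):
    """Return the reasons an autostart value deserves attention (empty list if none)."""
    target = extract_target(value)
    reasons = []
    ext = ntpath.splitext(target)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script target (%s)" % ext)
    if TEMP_DIR_RE.search(target):
        reasons.append("target lives under a temp directory")
    # RunOnce values are deleted when consumed, so malware relying on them has to
    # re-create the value on every run; this report records two such writes.
    if reasons and key.rstrip("\\").upper().endswith("\\RUNONCE"):
        reasons.append("RunOnce key: expect the value to be re-written on each execution")
    return reasons


def launched_paths(vbs_text):
    """Return the quoted paths passed to WScript.Shell Exec/Run in a launcher script."""
    return LAUNCH_RE.findall(vbs_text)


def persistence_chain(entries, vbs_text):
    """Map each flagged autostart value to the programs its script target launches.

    The script body is supplied by the caller (offline: the dropped file's content).
    """
    chain = {}
    for key, name, value in entries:
        reasons = triage_autostart(key, value)
        if not reasons:
            continue
        target = extract_target(value)
        is_script = ntpath.splitext(target)[1].lower() in SCRIPT_EXTENSIONS
        chain[(key, name)] = {
            "target": target,
            "reasons": reasons,
            "launches": launched_paths(vbs_text) if is_script else [],
        }
    return chain


if __name__ == "__main__":
    for (key, name), info in persistence_chain(SAMPLE_ENTRIES, SAMPLE_VBS).items():
        print("%s\\%s -> %s -> %s  [%s]" % (key, name, info["target"],
                                            ", ".join(info["launches"]), "; ".join(info["reasons"])))
```

On a live host the same logic runs over a `reg export` of the Run/RunOnce keys for every loaded user hive, reading each flagged script target from disk before calling launched_paths on it.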

                              Joe Sandbox View / Context

                              IPs

Match | Associated Sample Name / URL | Detection
79.134.225.124 | RFQ234.exe | malicious
79.134.225.124 | SURE.exe | malicious
79.134.225.124 | remps1.ps1 | malicious

                                    Domains

                                    No context

                                    ASN

Match | Associated Sample Name / URL | Detection | Context
FINK-TELECOM-SERVICESCH | kYXjS6Oc3S.exe | malicious | 79.134.225.40
FINK-TELECOM-SERVICESCH | eK1KiJlz3l.exe | malicious | 79.134.225.40
FINK-TELECOM-SERVICESCH | 80tzo8FG3d.exe | malicious | 79.134.225.40
FINK-TELECOM-SERVICESCH | SecuriteInfo.com.Trojan.PackedNET.658.8528.exe | malicious | 79.134.225.62
FINK-TELECOM-SERVICESCH | perchase order.pdf.exe | malicious | 79.134.225.102
FINK-TELECOM-SERVICESCH | New Order.exe | malicious | 79.134.225.125
FINK-TELECOM-SERVICESCH | New Tender04,pdf.exe | malicious | 79.134.225.70
FINK-TELECOM-SERVICESCH | list3503-purchase-order-12-04-21.pdf.jar | malicious | 79.134.225.104
FINK-TELECOM-SERVICESCH | list3503-purchase-order-12-04-21.pdf.jar | malicious | 79.134.225.104
FINK-TELECOM-SERVICESCH | SecuriteInfo.com.Trojan.PackedNET.645.23105.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | PR0078966.xlsx | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | PO NUMBER 3120386 3120393 SIGNED.exe | malicious | 79.134.225.21
FINK-TELECOM-SERVICESCH | JQEl8bosea.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | YfceI5MZX4.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | OjAJYVQ7iK.exe | malicious | 79.134.225.112
FINK-TELECOM-SERVICESCH | TSskTqG9V9.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | Files Specification.xlsx | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | J62DQ7fO0b.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | oE6O5K1emC.exe | malicious | 79.134.225.30

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe (the MD5/SHA1/SHA256 below are identical to those in Static File Info: this is a byte-for-byte copy of the analysed sample, re-launched through filename1.vbs)
                                    Process:C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):204800
                                    Entropy (8bit):5.671059123248846
                                    Encrypted:false
                                    SSDEEP:3072:hPLl4Y52bzb2z50FdSfZaa0e5+YghusL5PEqJ:hPLl4Y5s6ziKfx0eERV
                                    MD5:2DD62D78B9F7E9C5529502E085B55756
                                    SHA1:151D4CD68958DF35AE706CC232627A05E923307F
                                    SHA-256:C63A3F86BE406A11E8F7760403E407A97441753205F8CEF432FD634856CA2992
                                    SHA-512:9B7D8EE135DCA77460B5E2D566C2B42F68D5B97918F6D9C2F4BDF6F89D6C46B8001482123880D46137A59EF04BEC89498F728D018D4CC8FC57F56FBDFB705349
                                    Malicious:true
                                    Reputation:low
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....#J.....................0....................@..........................0..............................................t...(.... ......................................................................(... .......d............................text............................... ..`.data...............................@....rsrc........ ......................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs
                                    Process:C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):120
                                    Entropy (8bit):4.938880835346308
                                    Encrypted:false
                                    SSDEEP:3:jfF+m8nhvF3mRD0nacwRE2J5xAIjuHdIRQM:jFqhv9IcNwi23faGqM
                                    MD5:8E21029138080630E1FCF8A6B4DA0159
                                    SHA1:B0B4C5CB0A53268829CB4FF33FBD906568FCD54B
                                    SHA-256:E692E45BD1482FA4C1932955B196BE0AA212EB792AFB65CDB85EA457EE5258B5
                                    SHA-512:1DCA2EE27776CEA53BADB8431D32613E65C62AD9E2C9A36552BD6F7D56AE6039E745C39136360A8509290650B3AFAE7D17C278F033750FEC186C853E41774C7A
                                    Malicious:true
                                    Reputation:low
Preview:
    Set W = CreateObject("WScript.Shell")
    Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe")
                                    C:\Users\user\AppData\Roaming\remcos\logs.dat
                                    Process:C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):402
                                    Entropy (8bit):3.608276114189592
                                    Encrypted:false
                                    SSDEEP:6:IlKkRmfxl55YcIeeDAlgRfebW/33flO1CfSMlW8g1UEZ+lX1FKDDcNebW/G:bZDecXbWnlOQqkXg1Q1FAccbWe
                                    MD5:0549758588F8B85AAC20868F10523E34
                                    SHA1:AE76F042B448277EF3CBACC63D7F00A8F6F1948F
                                    SHA-256:AC69EE30064EB845886176352A94214F1E278B7890BE119FDEE7F05AA234F467
                                    SHA-512:BC0E797B52EDB9692007933A1FA9761D6E44DF40D38F40B7420F9176F4020C32E2906141E2E2879029EA722D9C35ECCF22961A365A43C68FCA805799F942F327
                                    Malicious:true
                                    Reputation:low
Preview (UTF-16LE text, decoded, one entry per line):
    [2021/04/15 21:37:50 Offline Keylogger Started]
    [ Run ]
    [ Program Manager ]
    [ BRINTOVERILTETS ]
    [ C:\Users\frontdesk\AppData\Local\Temp\subfolder1\filename1.vbs ]
    [ Program Manager ]
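The logs.dat preview is the Remcos offline keylogger output: a UTF-16LE text file that opens with a timestamped session header and then records, in square brackets, the title of each window that received focus, with typed keystrokes following the title they were typed into. The Python below is an added forensic example, not part of the Joe Sandbox report or of Remcos; the line structure it parses is inferred from the preview above and may not hold for every Remcos build. The sample bytes are the preview re-encoded, with one "typed text" keystroke line appended as an assumption so that branch is exercised; the record and function names are constructed.

```python
import codecs
import re
from collections import namedtuple

# Constructed sample: the report's logs.dat preview re-encoded as UTF-16LE,
# plus one keystroke line (an assumption, to exercise the keystroke branch).
SAMPLE_LOGS_DAT = (
    "\r\n[2021/04/15 21:37:50 Offline Keylogger Started]\r\n\r\n"
    "[ Run ]\r\n\r\n"
    "[ Program Manager ]\r\n\r\n"
    "[ BRINTOVERILTETS ]\r\n\r\n"
    "[ C:\\Users\\frontdesk\\AppData\\Local\\Temp\\subfolder1\\filename1.vbs ]\r\n\r\n"
    "[ Program Manager ]\r\n"
    "typed text\r\n"
).encode("utf-16-le")

Record = namedtuple("Record", "kind timestamp text")
# "[2021/04/15 21:37:50 Offline Keylogger Started]": session event with timestamp
EVENT_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
# "[ Program Manager ]": the window that received focus
WINDOW_RE = re.compile(r"^\[ (.+) \]$")


def decode_logs_dat(raw):
    """Decode the UTF-16LE log; tolerate an optional BOM and a truncated last byte."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        raw = raw[len(codecs.BOM_UTF16_LE):]
    return raw.decode("utf-16-le", errors="replace")


def parse_remcos_log(raw):
    """Split the log into event / window / keys records in file order."""
    records = []
    for line in decode_logs_dat(raw).split("\r\n"):
        line = line.strip("\x00")
        if not line.strip():
            continue
        m = EVENT_RE.match(line)
        if m:
            records.append(Record("event", m.group(1), m.group(2)))
            continue
        m = WINDOW_RE.match(line)
        if m:
            records.append(Record("window", None, m.group(1)))
            continue
        records.append(Record("keys", None, line))   # anything else was typed
    return records


def keystrokes_by_window(records):
    """Group typed text under the window title that was active when it was logged."""
    grouped, current = {}, None
    for r in records:
        if r.kind == "window":
            current = r.text
        elif r.kind == "keys":
            grouped.setdefault(current, []).append(r.text)
    return grouped


def session_summary(records):
    """What an analyst reports from the file: start time, windows seen, captured input."""
    events = [r for r in records if r.kind == "event"]
    return {
        "started": events[0].timestamp if events else None,
        "windows": [r.text for r in records if r.kind == "window"],
        "keystrokes": keystrokes_by_window(records),
    }


if __name__ == "__main__":
    for k, v in session_summary(parse_remcos_log(SAMPLE_LOGS_DAT)).items():
        print(k, "=", v)
```

The window titles alone are worth extracting even when no keystrokes were captured: here they show the sample was started from the Run dialog and that the victim profile name (frontdesk) differs from the sandbox user in the file path, which is the kind of detail that tells a responder whose machine the log came from.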

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):5.671059123248846
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.15%
                                    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:SBG-1100319PurchaseOrder.exe
                                    File size:204800
                                    MD5:2dd62d78b9f7e9c5529502e085b55756
                                    SHA1:151d4cd68958df35ae706cc232627a05e923307f
                                    SHA256:c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
                                    SHA512:9b7d8ee135dca77460b5e2d566c2b42f68d5b97918f6d9c2f4bdf6f89d6c46b8001482123880d46137a59ef04bec89498f728d018d4cc8fc57f56fbdfb705349
                                    SSDEEP:3072:hPLl4Y52bzb2z50FdSfZaa0e5+YghusL5PEqJ:hPLl4Y5s6ziKfx0eERV
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....#J.....................0....................@................

                                    File Icon

                                    Icon Hash:20047c7c70f0e004

                                    Static PE Info

                                    General

                                    Entrypoint:0x401780
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                    DLL Characteristics:
                                    Time Stamp:0x4A23B8BA [Mon Jun 1 11:17:14 2009 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:e917dfcbe7bbc83f756c722d2ba3704e

                                    Entrypoint Preview

                                    Instruction
                                    push 00402FE0h
                                    call 00007F18808E3625h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    xor byte ptr [eax], al
                                    add byte ptr [eax], al
                                    inc eax
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add ah, al
                                    jmp 00007F189111903Ch
                                    jbe 00007F18808E3676h
mov bh, 51h

The push/call pair is the usual VB6 entry stub: it pushes the address of the VB project header (0x402FE0, inside .text) and calls into the MSVBVM60.DLL runtime, which does not return here. The bytes that follow the call are that header's data, so the remaining lines are the disassembler reading data as code, not a real instruction stream.

                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2f374 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x98c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x164 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2e8fc | 0x2f000 | False | 0.304521276596 | data | 5.8539621073 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x30000 | 0x11d4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x98c | 0x1000 | False | 0.17919921875 | data | 2.09138345915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                    Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3285c | 0x130 | data | |
RT_ICON | 0x32574 | 0x2e8 | data | |
RT_ICON | 0x3244c | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x3241c | 0x30 | data | |
RT_VERSION | 0x32150 | 0x2cc | data | English | United States

                                    Imports

                                    DLLImport
                                    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLineInputStr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVarInt, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, __vbaFpI4, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                    Version Infos

Description | Data
Translation | 0x0409 0x04b0
LegalCopyright | Highness
InternalName | hippoglossus
FileVersion | 4.00
CompanyName | Highness
LegalTrademarks | Highness
Comments | Highness
ProductName | INFILTRERER
ProductVersion | 4.00
OriginalFilename | hippoglossus.exe

                                    Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                    Network Behavior

                                    Network Port Distribution

                                    TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 15, 2021 21:37:50.658086061 CEST | 49722 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:50.745105982 CEST | 2048 | 49722 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:51.344219923 CEST | 49722 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:51.431309938 CEST | 2048 | 49722 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:51.937181950 CEST | 49722 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:52.023936033 CEST | 2048 | 49722 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:52.091919899 CEST | 49725 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:52.176884890 CEST | 2048 | 49725 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:52.687280893 CEST | 49725 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:52.771493912 CEST | 2048 | 49725 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:53.296722889 CEST | 49725 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:53.381534100 CEST | 2048 | 49725 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:54.446427107 CEST | 49726 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:54.530323982 CEST | 2048 | 49726 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:55.187752008 CEST | 49726 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:55.271759033 CEST | 2048 | 49726 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:55.796799898 CEST | 49726 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:55.880161047 CEST | 2048 | 49726 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:55.946604967 CEST | 49727 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:56.032840014 CEST | 2048 | 49727 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:56.640830040 CEST | 49727 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:56.725261927 CEST | 2048 | 49727 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:57.304725885 CEST | 49727 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:57.387958050 CEST | 2048 | 49727 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:58.510648966 CEST | 49729 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:58.594577074 CEST | 2048 | 49729 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:59.188102007 CEST | 49729 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:59.271946907 CEST | 2048 | 49729 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:59.797215939 CEST | 49729 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:37:59.881184101 CEST | 2048 | 49729 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:37:59.946696043 CEST | 49730 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:00.032313108 CEST | 2048 | 49730 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:00.687903881 CEST | 49730 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:00.772231102 CEST | 2048 | 49730 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:01.297344923 CEST | 49730 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:01.381195068 CEST | 2048 | 49730 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:02.643265009 CEST | 49731 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:02.730581999 CEST | 2048 | 49731 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:03.344342947 CEST | 49731 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:03.431385040 CEST | 2048 | 49731 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:04.032040119 CEST | 49731 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:04.119266987 CEST | 2048 | 49731 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:05.151153088 CEST | 49732 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:05.234556913 CEST | 2048 | 49732 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:05.797668934 CEST | 49732 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:05.881674051 CEST | 2048 | 49732 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:06.500875950 CEST | 49732 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:06.586385965 CEST | 2048 | 49732 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:07.661844969 CEST | 49733 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:07.745783091 CEST | 2048 | 49733 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:08.344841957 CEST | 49733 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:08.428081989 CEST | 2048 | 49733 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:09.032380104 CEST | 49733 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:09.116520882 CEST | 2048 | 49733 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:09.183631897 CEST | 49734 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:09.269610882 CEST | 2048 | 49734 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:09.776696920 CEST | 49734 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:09.859898090 CEST | 2048 | 49734 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:10.438726902 CEST | 49734 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:10.522753000 CEST | 2048 | 49734 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:11.600717068 CEST | 49735 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:11.683999062 CEST | 2048 | 49735 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:12.188847065 CEST | 49735 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:12.274252892 CEST | 2048 | 49735 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:12.798233032 CEST | 49735 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:12.884767056 CEST | 2048 | 49735 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:12.954102039 CEST | 49736 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:13.038309097 CEST | 2048 | 49736 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:13.642090082 CEST | 49736 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:13.725850105 CEST | 2048 | 49736 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:14.309469938 CEST | 49736 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:14.395292044 CEST | 2048 | 49736 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:15.495146036 CEST | 49737 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:15.581310987 CEST | 2048 | 49737 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:16.189173937 CEST | 49737 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:16.272660971 CEST | 2048 | 49737 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:16.798619032 CEST | 49737 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:16.881822109 CEST | 2048 | 49737 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:16.946445942 CEST | 49739 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:17.029719114 CEST | 2048 | 49739 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:17.533021927 CEST | 49739 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:17.616312027 CEST | 2048 | 49739 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:18.142458916 CEST | 49739 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:18.226792097 CEST | 2048 | 49739 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:19.298131943 CEST | 49747 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:19.382178068 CEST | 2048 | 49747 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:20.001991034 CEST | 49747 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:20.086201906 CEST | 2048 | 49747 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:20.697515011 CEST | 49747 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:20.781402111 CEST | 2048 | 49747 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:21.023291111 CEST | 49748 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:21.107357025 CEST | 2048 | 49748 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:21.642724991 CEST | 49748 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:21.726025105 CEST | 2048 | 49748 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:22.345961094 CEST | 49748 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:22.431240082 CEST | 2048 | 49748 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:23.527326107 CEST | 49749 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:23.613301992 CEST | 2048 | 49749 | 79.134.225.124 | 192.168.2.7
Apr 15, 2021 21:38:24.189809084 CEST | 49749 | 2048 | 192.168.2.7 | 79.134.225.124
Apr 15, 2021 21:38:24.276510954 CEST | 2048 | 49749 | 79.134.225.124 | 192.168.2.7

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 15, 2021 21:37:21.116890907 CEST  56590        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:21.139518023 CEST  60501        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:21.177566051 CEST  53           56590      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:21.212950945 CEST  53           60501      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:21.342756987 CEST  53775        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:21.393239021 CEST  53           53775      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:22.445159912 CEST  51837        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:22.496710062 CEST  53           51837      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:23.436460018 CEST  55411        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:23.485205889 CEST  53           55411      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:24.375103951 CEST  63668        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:24.423715115 CEST  53           63668      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:25.134414911 CEST  54640        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:25.184573889 CEST  53           54640      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:26.352135897 CEST  58739        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:26.402460098 CEST  53           58739      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:27.737003088 CEST  60338        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:27.799365997 CEST  53           60338      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:28.697981119 CEST  58717        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:28.751064062 CEST  53           58717      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:28.955796003 CEST  59762        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:29.004618883 CEST  53           59762      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:30.043492079 CEST  54329        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:30.092012882 CEST  53           54329      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:32.206346989 CEST  58052        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:32.268373013 CEST  53           58052      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:33.275363922 CEST  54008        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:33.324043989 CEST  53           54008      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:34.326977968 CEST  59451        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:34.375830889 CEST  53           59451      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:35.509403944 CEST  52914        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:35.562067032 CEST  53           52914      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:37.801271915 CEST  64569        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:37.852930069 CEST  53           64569      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:38.638372898 CEST  52816        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:38.688057899 CEST  53           52816      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:39.744858027 CEST  50781        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:39.793553114 CEST  53           50781      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:41.156838894 CEST  54230        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:41.205507040 CEST  53           54230      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:42.519402981 CEST  54911        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:42.578747988 CEST  53           54911      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:45.196619987 CEST  49958        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:45.253675938 CEST  53           49958      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:48.802593946 CEST  50860        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:48.893234015 CEST  53           50860      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:49.218544960 CEST  50452        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:49.267182112 CEST  53           50452      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:49.960247040 CEST  59730        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:50.058324099 CEST  53           59730      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:50.591296911 CEST  59310        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:50.657018900 CEST  53           59310      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:50.752192974 CEST  51919        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:50.803999901 CEST  53           51919      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:51.613775015 CEST  64296        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:51.662403107 CEST  53           64296      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:52.027503014 CEST  56680        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:52.090646982 CEST  53           56680      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:54.396652937 CEST  58820        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:54.445342064 CEST  53           58820      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:55.883899927 CEST  60983        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:55.945579052 CEST  53           60983      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:58.407825947 CEST  49247        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:58.464782953 CEST  53           49247      8.8.8.8          192.168.2.7
Apr 15, 2021 21:37:59.886395931 CEST  52286        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:37:59.943789959 CEST  53           52286      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:02.496493101 CEST  56064        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:02.556653976 CEST  53           56064      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:05.063811064 CEST  63744        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:05.121182919 CEST  53           63744      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:07.598874092 CEST  61457        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:07.660828114 CEST  53           61457      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:09.121296883 CEST  58367        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:09.182832956 CEST  53           58367      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:11.537194014 CEST  60599        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:11.599572897 CEST  53           60599      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:12.891961098 CEST  59571        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:12.952260017 CEST  53           59571      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:15.411658049 CEST  52689        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:15.475481033 CEST  53           52689      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:16.332539082 CEST  50290        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:16.392249107 CEST  53           50290      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:16.885463953 CEST  60427        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:16.945600033 CEST  53           60427      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:17.518254995 CEST  56209        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:17.575056076 CEST  53           56209      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:17.929274082 CEST  59582        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:17.994009972 CEST  53           59582      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:18.128596067 CEST  60949        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:18.180253983 CEST  53           60949      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:18.573218107 CEST  58542        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:18.703882933 CEST  53           58542      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:19.239909887 CEST  59179        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:19.297369003 CEST  53           59179      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:20.951914072 CEST  60927        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:21.009164095 CEST  53           60927      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:23.464535952 CEST  57854        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:23.526545048 CEST  53           57854      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:24.889895916 CEST  62026        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:24.946687937 CEST  53           62026      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:27.407407999 CEST  59453        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:27.467569113 CEST  53           59453      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:27.503534079 CEST  62468        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:27.560568094 CEST  53           62468      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:28.856319904 CEST  52563        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:28.916944027 CEST  53           52563      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:31.242928028 CEST  54721        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:31.302731037 CEST  53           54721      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:32.736114979 CEST  62826        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:32.755860090 CEST  62046        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:32.793426991 CEST  53           62826      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:32.818896055 CEST  53           62046      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:35.085406065 CEST  51223        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:35.144741058 CEST  53           51223      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:36.452704906 CEST  63908        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:36.509987116 CEST  53           63908      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:38.883800030 CEST  49226        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:38.942790985 CEST  53           49226      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:40.288779974 CEST  60212        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:40.337698936 CEST  53           60212      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:42.617156982 CEST  58867        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:42.667422056 CEST  53           58867      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:43.935611963 CEST  50864        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:43.993396044 CEST  53           50864      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:46.276639938 CEST  61504        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:46.328351974 CEST  53           61504      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:47.609361887 CEST  60231        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:47.660983086 CEST  53           60231      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:49.947123051 CEST  50095        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:50.006330013 CEST  53           50095      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:51.309214115 CEST  59654        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:51.367562056 CEST  53           59654      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:53.654618025 CEST  58233        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:53.713327885 CEST  53           58233      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:55.002692938 CEST  56822        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:55.060154915 CEST  53           56822      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:57.364814997 CEST  62572        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:57.420237064 CEST  53           62572      8.8.8.8          192.168.2.7
Apr 15, 2021 21:38:58.721203089 CEST  57179        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:59.710292101 CEST  57179        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:38:59.772655010 CEST  53           57179      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:02.055828094 CEST  56124        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:02.116065025 CEST  53           56124      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:03.420850039 CEST  62287        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:03.469728947 CEST  53           62287      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:04.451302052 CEST  54644        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:04.500186920 CEST  53           54644      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:05.760915995 CEST  59159        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:05.818090916 CEST  53           59159      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:07.113179922 CEST  57924        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:07.170516968 CEST  53           57924      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:08.245248079 CEST  51712        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:08.305916071 CEST  53           51712      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:09.463030100 CEST  58865        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:09.512432098 CEST  53           58865      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:10.786021948 CEST  64337        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:10.844202042 CEST  53           64337      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:13.140233040 CEST  50407        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:13.189012051 CEST  53           50407      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:14.469330072 CEST  61075        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:14.526352882 CEST  53           61075      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:16.916650057 CEST  54952        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:16.980429888 CEST  53           54952      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:18.251857042 CEST  59186        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:18.312412977 CEST  53           59186      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:20.590785980 CEST  52280        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:20.650733948 CEST  53           52280      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:21.949884892 CEST  51794        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:22.009567022 CEST  53           51794      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:24.292645931 CEST  50815        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:24.358584881 CEST  53           50815      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:24.644330978 CEST  58498        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:24.696161032 CEST  53           58498      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:25.542690992 CEST  56862        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:25.602709055 CEST  53           56862      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:25.656965971 CEST  61807        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:25.716300964 CEST  53           61807      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:26.318164110 CEST  52009        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:26.375566959 CEST  53           52009      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:26.387872934 CEST  58648        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:26.455368042 CEST  53           58648      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:26.870881081 CEST  59337        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:26.988657951 CEST  53           59337      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:27.811736107 CEST  59269        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:27.871707916 CEST  53           59269      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:28.170053959 CEST  49802        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:28.230061054 CEST  53           49802      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:28.934828043 CEST  50706        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:29.039972067 CEST  53           50706      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:29.503515005 CEST  55153        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:29.565331936 CEST  53           55153      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:29.623873949 CEST  59744        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:29.681648970 CEST  53           59744      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:30.935522079 CEST  59987        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:30.984512091 CEST  53           59987      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:31.859147072 CEST  61272        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:31.922386885 CEST  53           61272      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:31.924108028 CEST  54352        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:31.984180927 CEST  53           54352      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:32.517014980 CEST  60696        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:32.625258923 CEST  53           60696      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:33.209800005 CEST  59139        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:33.271392107 CEST  53           59139      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:35.556883097 CEST  59565        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:35.614804029 CEST  53           59565      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:36.892472029 CEST  56397        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:36.951955080 CEST  53           56397      8.8.8.8          192.168.2.7
Apr 15, 2021 21:39:39.229773998 CEST  52818        53         192.168.2.7      8.8.8.8
Apr 15, 2021 21:39:39.291035891 CEST  53           52818      8.8.8.8          192.168.2.7

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class
Apr 15, 2021 21:37:48.802593946 CEST  192.168.2.7  8.8.8.8  0x46d8    Standard query (0)  onedrive.live.com          A (IP address)  IN (0x0001)
Apr 15, 2021 21:37:49.960247040 CEST  192.168.2.7  8.8.8.8  0x775d    Standard query (0)  vug8la.am.files.1drv.com   A (IP address)  IN (0x0001)
Apr 15, 2021 21:37:50.591296911 CEST  192.168.2.7  8.8.8.8  0x531e    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:37:52.027503014 CEST  192.168.2.7  8.8.8.8  0x6687    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:37:54.396652937 CEST  192.168.2.7  8.8.8.8  0x77b7    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:37:55.883899927 CEST  192.168.2.7  8.8.8.8  0xefcd    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:37:58.407825947 CEST  192.168.2.7  8.8.8.8  0xcd0e    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:37:59.886395931 CEST  192.168.2.7  8.8.8.8  0xebc3    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:02.496493101 CEST  192.168.2.7  8.8.8.8  0x71af    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:05.063811064 CEST  192.168.2.7  8.8.8.8  0x1ad9    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:07.598874092 CEST  192.168.2.7  8.8.8.8  0x6e9f    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:09.121296883 CEST  192.168.2.7  8.8.8.8  0xf87f    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:11.537194014 CEST  192.168.2.7  8.8.8.8  0x1eaa    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:12.891961098 CEST  192.168.2.7  8.8.8.8  0xa7cf    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:15.411658049 CEST  192.168.2.7  8.8.8.8  0x4e0d    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:16.885463953 CEST  192.168.2.7  8.8.8.8  0x3a5a    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:17.518254995 CEST  192.168.2.7  8.8.8.8  0x263a    Standard query (0)  onedrive.live.com          A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:18.573218107 CEST  192.168.2.7  8.8.8.8  0x7d41    Standard query (0)  vug8la.am.files.1drv.com   A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:19.239909887 CEST  192.168.2.7  8.8.8.8  0x635c    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:20.951914072 CEST  192.168.2.7  8.8.8.8  0x2da5    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:23.464535952 CEST  192.168.2.7  8.8.8.8  0xd9a0    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:24.889895916 CEST  192.168.2.7  8.8.8.8  0xe9a0    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:27.407407999 CEST  192.168.2.7  8.8.8.8  0x21ec    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:28.856319904 CEST  192.168.2.7  8.8.8.8  0xac6b    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:31.242928028 CEST  192.168.2.7  8.8.8.8  0xbbde    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:32.736114979 CEST  192.168.2.7  8.8.8.8  0x1485    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:35.085406065 CEST  192.168.2.7  8.8.8.8  0x8533    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:36.452704906 CEST  192.168.2.7  8.8.8.8  0x62a9    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:38.883800030 CEST  192.168.2.7  8.8.8.8  0xac9d    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:40.288779974 CEST  192.168.2.7  8.8.8.8  0x2a00    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:42.617156982 CEST  192.168.2.7  8.8.8.8  0xf1f     Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:43.935611963 CEST  192.168.2.7  8.8.8.8  0x8ff1    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:46.276639938 CEST  192.168.2.7  8.8.8.8  0x8eba    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:47.609361887 CEST  192.168.2.7  8.8.8.8  0x63b2    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:49.947123051 CEST  192.168.2.7  8.8.8.8  0xefaf    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:51.309214115 CEST  192.168.2.7  8.8.8.8  0xc01c    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:53.654618025 CEST  192.168.2.7  8.8.8.8  0x54a5    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:55.002692938 CEST  192.168.2.7  8.8.8.8  0xe904    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:57.364814997 CEST  192.168.2.7  8.8.8.8  0x7315    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:58.721203089 CEST  192.168.2.7  8.8.8.8  0x24ab    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:38:59.710292101 CEST  192.168.2.7  8.8.8.8  0x24ab    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:02.055828094 CEST  192.168.2.7  8.8.8.8  0x7441    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:03.420850039 CEST  192.168.2.7  8.8.8.8  0x5bf     Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:05.760915995 CEST  192.168.2.7  8.8.8.8  0x4f8f    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:07.113179922 CEST  192.168.2.7  8.8.8.8  0x2030    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:09.463030100 CEST  192.168.2.7  8.8.8.8  0x7ec7    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:10.786021948 CEST  192.168.2.7  8.8.8.8  0x3a2c    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:13.140233040 CEST  192.168.2.7  8.8.8.8  0xfb12    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:14.469330072 CEST  192.168.2.7  8.8.8.8  0x1bf5    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:16.916650057 CEST  192.168.2.7  8.8.8.8  0x95d4    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:18.251857042 CEST  192.168.2.7  8.8.8.8  0xe70b    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:20.590785980 CEST  192.168.2.7  8.8.8.8  0x480b    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:21.949884892 CEST  192.168.2.7  8.8.8.8  0xf35f    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:24.292645931 CEST  192.168.2.7  8.8.8.8  0x10c4    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:25.656965971 CEST  192.168.2.7  8.8.8.8  0x1111    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:28.170053959 CEST  192.168.2.7  8.8.8.8  0xa942    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:29.503515005 CEST  192.168.2.7  8.8.8.8  0x96b3    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:31.859147072 CEST  192.168.2.7  8.8.8.8  0xe0c1    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:33.209800005 CEST  192.168.2.7  8.8.8.8  0x3d8e    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:35.556883097 CEST  192.168.2.7  8.8.8.8  0x91ca    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:36.892472029 CEST  192.168.2.7  8.8.8.8  0xc874    Standard query (0)  micheal3m.hopto.org        A (IP address)  IN (0x0001)
Apr 15, 2021 21:39:39.229773998 CEST  192.168.2.7  8.8.8.8  0xdf46    Standard query (0)  sheilabeltagy4m.hopto.org  A (IP address)  IN (0x0001)
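The query table above shows the Remcos beacon pattern: two dynamic-DNS names (sheilabeltagy4m.hopto.org and micheal3m.hopto.org) are looked up alternately every few seconds, both resolve to 79.134.225.124 in the answers table, and the TCP packet list shows that same address being contacted on port 2048 (the report's "traffic on non-standard ports" signature). The following Python is an added example, not part of the Joe Sandbox report, that scores DNS query rows for this kind of beaconing: per name it measures the inter-query gap and its jitter, pivots names by resolved address, and tags dynamic-DNS suffixes. The sample records are constructed from the timestamps and names in the report's own tables; the dynamic-DNS suffix list, the thresholds (at least four queries, jitter below 0.25) and the record shape are assumptions of this example.

```python
"""Added example, not part of the Joe Sandbox report: score DNS query rows for C2 beaconing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: a short list of dynamic-DNS suffixes; a real detector would load a fuller feed.
DYNAMIC_DNS_SUFFIXES = ("hopto.org", "ddns.net", "no-ip.org", "duckdns.org")

# Constructed sample in the report's own timestamp format: (timestamp, queried name, A record
# from the matching answer, or None when the answer was only a CNAME chain). Values are copied
# from the DNS Queries / DNS Answers rows of this report.
SAMPLE_DNS = [
    ("Apr 15, 2021 21:37:48.802593946 CEST", "onedrive.live.com", None),
    ("Apr 15, 2021 21:37:50.591296911 CEST", "sheilabeltagy4m.hopto.org", "79.134.225.124"),
    ("Apr 15, 2021 21:37:52.027503014 CEST", "micheal3m.hopto.org", "79.134.225.124"),
    ("Apr 15, 2021 21:37:54.396652937 CEST", "sheilabeltagy4m.hopto.org", "79.134.225.124"),
    ("Apr 15, 2021 21:37:55.883899927 CEST", "micheal3m.hopto.org", "79.134.225.124"),
    ("Apr 15, 2021 21:37:58.407825947 CEST", "sheilabeltagy4m.hopto.org", "79.134.225.124"),
    ("Apr 15, 2021 21:37:59.886395931 CEST", "micheal3m.hopto.org", "79.134.225.124"),
    ("Apr 15, 2021 21:38:02.496493101 CEST", "sheilabeltagy4m.hopto.org", "79.134.225.124"),
    ("Apr 15, 2021 21:38:05.063811064 CEST", "micheal3m.hopto.org", "79.134.225.124"),
    ("Apr 15, 2021 21:38:07.598874092 CEST", "sheilabeltagy4m.hopto.org", "79.134.225.124"),
    ("Apr 15, 2021 21:38:09.121296883 CEST", "micheal3m.hopto.org", "79.134.225.124"),
]


def parse_ts(s: str) -> datetime:
    """Parse 'Apr 15, 2021 21:37:50.591296911 CEST'. strptime accepts at most six fractional
    digits, so the nanoseconds are truncated to microseconds; the zone name is dropped."""
    stamp, _, _zone = s.rpartition(" ")
    head, _, frac = stamp.partition(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def is_dynamic_dns(name: str) -> bool:
    """True when the name sits under one of the listed dynamic-DNS zones."""
    return name.lower().endswith(tuple("." + s for s in DYNAMIC_DNS_SUFFIXES))


def beacon_stats(records, min_queries=4, max_jitter=0.25):
    """Per queried name: query count, mean gap between queries in seconds, jitter (population
    stdev of the gaps divided by the mean), resolved addresses, dynamic-DNS flag and a beacon
    verdict: at least min_queries lookups whose spacing is near-constant (jitter < max_jitter).
    The thresholds are assumptions of this example, not values taken from the report."""
    by_name = defaultdict(list)
    for ts, name, ip in records:
        by_name[name].append((parse_ts(ts), ip))
    stats = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r[0])
        times = [t for t, _ in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        entry = {"count": len(times), "mean_gap": None, "jitter": None,
                 "ips": {ip for _, ip in rows if ip},
                 "dynamic_dns": is_dynamic_dns(name), "beacon": False}
        if len(times) >= min_queries:
            m = mean(gaps)
            j = pstdev(gaps) / m if m else 0.0
            entry.update(mean_gap=m, jitter=j, beacon=j < max_jitter)
        stats[name] = entry
    return stats


def names_per_ip(records):
    """Pivot answers by address: several throwaway names on one IP is a common C2 tell."""
    pivot = defaultdict(set)
    for _, name, ip in records:
        if ip:
            pivot[ip].add(name)
    return dict(pivot)


if __name__ == "__main__":
    for name, s in sorted(beacon_stats(SAMPLE_DNS).items()):
        gap = f"{s['mean_gap']:.2f}s" if s["mean_gap"] is not None else "n/a"
        jit = f"{s['jitter']:.2f}" if s["jitter"] is not None else "n/a"
        print(f"{name:27} n={s['count']:<2} gap={gap:6} jitter={jit:4} "
              f"ddns={s['dynamic_dns']!s:5} beacon={s['beacon']}")
    for ip, names in names_per_ip(SAMPLE_DNS).items():
        print(f"{ip}: {len(names)} names -> {sorted(names)}")
```

On the sample, both hopto.org names come out with a mean gap of about 4.25 s and jitter near 0.12, so both are flagged, while the single onedrive.live.com lookup is not; the pivot shows the two names sharing 79.134.225.124. In production the same scoring is applied per client over a longer window, and a hit is worth correlating with outbound TCP to the resolved address on an unusual port, as in the TCP packet list above.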

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Apr 15, 2021 21:37:48.893234015 CEST | 8.8.8.8 | 192.168.2.7 | 0x46d8 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                    Apr 15, 2021 21:37:50.058324099 CEST | 8.8.8.8 | 192.168.2.7 | 0x775d | No error (0) | vug8la.am.files.1drv.com | dm-files.fe.1drv.com | - | CNAME (Canonical name) | IN (0x0001)
                                    Apr 15, 2021 21:37:50.058324099 CEST | 8.8.8.8 | 192.168.2.7 | 0x775d | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                    Apr 15, 2021 21:37:50.657018900 CEST | 8.8.8.8 | 192.168.2.7 | 0x531e | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:37:52.090646982 CEST | 8.8.8.8 | 192.168.2.7 | 0x6687 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:37:54.445342064 CEST | 8.8.8.8 | 192.168.2.7 | 0x77b7 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:37:55.945579052 CEST | 8.8.8.8 | 192.168.2.7 | 0xefcd | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:37:58.464782953 CEST | 8.8.8.8 | 192.168.2.7 | 0xcd0e | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:37:59.943789959 CEST | 8.8.8.8 | 192.168.2.7 | 0xebc3 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:02.556653976 CEST | 8.8.8.8 | 192.168.2.7 | 0x71af | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:05.121182919 CEST | 8.8.8.8 | 192.168.2.7 | 0x1ad9 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:07.660828114 CEST | 8.8.8.8 | 192.168.2.7 | 0x6e9f | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:09.182832956 CEST | 8.8.8.8 | 192.168.2.7 | 0xf87f | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:11.599572897 CEST | 8.8.8.8 | 192.168.2.7 | 0x1eaa | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:12.952260017 CEST | 8.8.8.8 | 192.168.2.7 | 0xa7cf | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:15.475481033 CEST | 8.8.8.8 | 192.168.2.7 | 0x4e0d | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:16.945600033 CEST | 8.8.8.8 | 192.168.2.7 | 0x3a5a | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:17.575056076 CEST | 8.8.8.8 | 192.168.2.7 | 0x263a | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                    Apr 15, 2021 21:38:18.703882933 CEST | 8.8.8.8 | 192.168.2.7 | 0x7d41 | No error (0) | vug8la.am.files.1drv.com | dm-files.fe.1drv.com | - | CNAME (Canonical name) | IN (0x0001)
                                    Apr 15, 2021 21:38:18.703882933 CEST | 8.8.8.8 | 192.168.2.7 | 0x7d41 | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                    Apr 15, 2021 21:38:19.297369003 CEST | 8.8.8.8 | 192.168.2.7 | 0x635c | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:21.009164095 CEST | 8.8.8.8 | 192.168.2.7 | 0x2da5 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:23.526545048 CEST | 8.8.8.8 | 192.168.2.7 | 0xd9a0 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:24.946687937 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9a0 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:27.467569113 CEST | 8.8.8.8 | 192.168.2.7 | 0x21ec | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:28.916944027 CEST | 8.8.8.8 | 192.168.2.7 | 0xac6b | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:31.302731037 CEST | 8.8.8.8 | 192.168.2.7 | 0xbbde | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:32.793426991 CEST | 8.8.8.8 | 192.168.2.7 | 0x1485 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:35.144741058 CEST | 8.8.8.8 | 192.168.2.7 | 0x8533 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:36.509987116 CEST | 8.8.8.8 | 192.168.2.7 | 0x62a9 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:38.942790985 CEST | 8.8.8.8 | 192.168.2.7 | 0xac9d | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:40.337698936 CEST | 8.8.8.8 | 192.168.2.7 | 0x2a00 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:42.667422056 CEST | 8.8.8.8 | 192.168.2.7 | 0xf1f | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:43.993396044 CEST | 8.8.8.8 | 192.168.2.7 | 0x8ff1 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:46.328351974 CEST | 8.8.8.8 | 192.168.2.7 | 0x8eba | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:47.660983086 CEST | 8.8.8.8 | 192.168.2.7 | 0x63b2 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:50.006330013 CEST | 8.8.8.8 | 192.168.2.7 | 0xefaf | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:51.367562056 CEST | 8.8.8.8 | 192.168.2.7 | 0xc01c | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:53.713327885 CEST | 8.8.8.8 | 192.168.2.7 | 0x54a5 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:55.060154915 CEST | 8.8.8.8 | 192.168.2.7 | 0xe904 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:57.420237064 CEST | 8.8.8.8 | 192.168.2.7 | 0x7315 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:38:59.772655010 CEST | 8.8.8.8 | 192.168.2.7 | 0x24ab | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:02.116065025 CEST | 8.8.8.8 | 192.168.2.7 | 0x7441 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:03.469728947 CEST | 8.8.8.8 | 192.168.2.7 | 0x5bf | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:05.818090916 CEST | 8.8.8.8 | 192.168.2.7 | 0x4f8f | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:07.170516968 CEST | 8.8.8.8 | 192.168.2.7 | 0x2030 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:09.512432098 CEST | 8.8.8.8 | 192.168.2.7 | 0x7ec7 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:10.844202042 CEST | 8.8.8.8 | 192.168.2.7 | 0x3a2c | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:13.189012051 CEST | 8.8.8.8 | 192.168.2.7 | 0xfb12 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:14.526352882 CEST | 8.8.8.8 | 192.168.2.7 | 0x1bf5 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:16.980429888 CEST | 8.8.8.8 | 192.168.2.7 | 0x95d4 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:18.312412977 CEST | 8.8.8.8 | 192.168.2.7 | 0xe70b | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:20.650733948 CEST | 8.8.8.8 | 192.168.2.7 | 0x480b | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:22.009567022 CEST | 8.8.8.8 | 192.168.2.7 | 0xf35f | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:24.358584881 CEST | 8.8.8.8 | 192.168.2.7 | 0x10c4 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:25.716300964 CEST | 8.8.8.8 | 192.168.2.7 | 0x1111 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:28.230061054 CEST | 8.8.8.8 | 192.168.2.7 | 0xa942 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:29.565331936 CEST | 8.8.8.8 | 192.168.2.7 | 0x96b3 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:31.922386885 CEST | 8.8.8.8 | 192.168.2.7 | 0xe0c1 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:33.271392107 CEST | 8.8.8.8 | 192.168.2.7 | 0x3d8e | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:35.614804029 CEST | 8.8.8.8 | 192.168.2.7 | 0x91ca | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:36.951955080 CEST | 8.8.8.8 | 192.168.2.7 | 0xc874 | No error (0) | micheal3m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)
                                    Apr 15, 2021 21:39:39.291035891 CEST | 8.8.8.8 | 192.168.2.7 | 0xdf46 | No error (0) | sheilabeltagy4m.hopto.org | - | 79.134.225.124 | A (IP address) | IN (0x0001)

                                    Code Manipulations

                                    Statistics

                                    Behavior

                                    System Behavior

                                    General

                                    Start time: 21:37:29
                                    Start date: 15/04/2021
                                    Path: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
                                    Wow64 process (32bit): true
                                    Commandline: 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
                                    Imagebase: 0x400000
                                    File size: 204800 bytes
                                    MD5 hash: 2DD62D78B9F7E9C5529502E085B55756
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: Visual Basic
                                    Reputation: low

                                    General

                                    Start time: 21:37:37
                                    Start date: 15/04/2021
                                    Path: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
                                    Wow64 process (32bit): true
                                    Commandline: 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
                                    Imagebase: 0x400000
                                    File size: 204800 bytes
                                    MD5 hash: 2DD62D78B9F7E9C5529502E085B55756
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation: low

                                    General

                                    Start time: 21:37:56
                                    Start date: 15/04/2021
                                    Path: C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit): false
                                    Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
                                    Imagebase: 0x7ff667170000
                                    File size: 163840 bytes
                                    MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Reputation: high

                                    General

                                    Start time: 21:37:57
                                    Start date: 15/04/2021
                                    Path: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
                                    Wow64 process (32bit): true
                                    Commandline: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
                                    Imagebase: 0x400000
                                    File size: 204800 bytes
                                    MD5 hash: 2DD62D78B9F7E9C5529502E085B55756
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: Visual Basic
                                    Reputation: low

                                    General

                                    Start time: 21:38:09
                                    Start date: 15/04/2021
                                    Path: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
                                    Wow64 process (32bit): true
                                    Commandline: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
                                    Imagebase: 0x400000
                                    File size: 204800 bytes
                                    MD5 hash: 2DD62D78B9F7E9C5529502E085B55756
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation: low

                                    Disassembly

                                    Code Analysis