Windows
Analysis Report
DHL04AWB01173903102023PDF.scr.exe
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64native
- DHL04AWB01173903102023PDF.scr.exe (PID: 5976 cmdline: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe MD5: 1BF124CC783FF47A91ADA4E6D4AC9E6B)
- DHL04AWB01173903102023PDF.scr.exe (PID: 3372 cmdline: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe MD5: 1BF124CC783FF47A91ADA4E6D4AC9E6B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Stealing of Sensitive Information |
---|
Source: | Author: Joe Security: |
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | File source: | ||
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Code function: | ||
Networking |
---|
Source: | DNS query: |
Source: | JA3 fingerprint: |
Source: | IP Address: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic: |
Source: | Network traffic detected: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | String found in binary or memory: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | Windows user hook set: |
Source: | Code function: |
E-Banking Fraud |
---|
Source: | File source: | ||
Spam, unwanted Advertisements and Ransom Demands |
---|
Source: | String found in binary or memory: | ||
Source: | Static PE information: |
Source: | Code function: |
Source: | File created: |
Source: | Code function: | ||
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Section loaded: | ||
Source: | Static PE information: |
Source: | Virustotal: |
Source: | File read: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: | ||
Source: | Key value queried: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: |
Source: | File read: |
Source: | Code function: |
Source: | Mutant created: |
Source: | File written: |
Source: | Static file information: |
Source: | Binary string: | ||
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Static PE information: |
Persistence and Installation Behavior |
---|
Source: | File created: |
Boot Survival |
---|
Source: | Registry value created or modified: |
Source: | Process information set: | ||
Malware Analysis System Evasion |
---|
Source: | File opened: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: |
Source: | Dropped PE file which has not been started: |
Source: | Window / User API: | ||
Source: | Code function: | ||
Source: | API call chain: | ||
Source: | Binary or memory string: | ||
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Code function: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Remote Access Functionality |
---|
Source: | File source: | ||
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 11 Registry Run Keys / Startup Folder | 12 Process Injection | 111 Masquerading | 11 Input Capture | 11 Security Software Discovery | Remote Services | 11 Input Capture | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 12 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | 113 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | 3 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
13% | Virustotal | Browse | ||
8% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
8% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
milliondollar23.duckdns.org | 79.134.225.111 | true | true | unknown | |
cdn.discordapp.com | 162.159.129.233 | true | false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
162.159.129.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false | |
79.134.225.111 | milliondollar23.duckdns.org | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 828071 |
Start date and time: | 2023-03-16 18:14:07 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 15m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | DHL04AWB01173903102023PDF.scr.exe |
Detection: | MAL |
Classification: | mal96.rans.troj.spyw.evad.winEXE@3/13@10/2 |
EGA Information: |
HDC Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, UserOOBEBroker.exe, backgroundTaskHost.exe, svchost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 40.126.32.73, 40.126.32.69, 40.126.32.132, 20.190.160.13, 20.190.160.15, 40.126.32.75, 40.126.32.137, 20.190.160.21
- Excluded domains from analysis (whitelisted): prdv6a.aadg.msidentity.com, wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, tile-service.weather.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, www.tm.v6.a.prd.aadg.akadns.net, login.msa.msidentity.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
18:16:31 | Autostart | |
18:16:39 | Autostart |
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 234 |
Entropy (8bit): | 3.3531832298967457 |
Encrypted: | false |
SSDEEP: | 6:Kl/lxUlnGljqb5YcIeeDAlS1gWAAe5q1gWAv:Kl/lScRUecTWFe5BW+ |
MD5: | 78A66B0B692F4C1BCEC736DD3C0CFF22 |
SHA1: | EB0F85954BEC9D32CF53F875B8C0BFCB432C8444 |
SHA-256: | B9153E8889C6C361BD2255890E48C7CC31DAD18E1136873A3FDFF67BF50A01AA |
SHA-512: | DF533E6C2696022AC4C318E3A5D970D7716CB485011802E722D56740F9A082C57A79CCE1516264B7307FB789DCE425A6FFEF9E13F279B2397D13CA8236B8D530 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1211760 |
Entropy (8bit): | 7.9924781293877105 |
Encrypted: | true |
SSDEEP: | 24576:7RNsMRW/uL9M7e36FgHRcMSbA22c91uwozF2KDQcvhNfSf7a09Xe+bUe:c4suGm6SxcD2SczF2aQcffSDb99 |
MD5: | 1BF124CC783FF47A91ADA4E6D4AC9E6B |
SHA1: | B78F2FFB785071AB785830CDD4CBC5F010B7480B |
SHA-256: | 494D5735144AF171CC15708B37B491B74BE1522494958E605AC348DD4897DCF9 |
SHA-512: | B5E35FDA41AEDB7C40961098745153EFA13470D065AC2CFB343C542011ED58869494770615DB8A7E4B64B77AC6DD2DE4F1CFD1403EFECEEE8425993BDF66670B |
Malicious: | true |
Antivirus: |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11264 |
Entropy (8bit): | 5.774411073650885 |
Encrypted: | false |
SSDEEP: | 192:eB2HS+ihg200uWz947Wzvxu6v0MI7JOde+Ij5Z77dslFsE+:3S62Gw947ExuGDI7J8EF7KIE |
MD5: | BE2621A78A13A56CF09E00DD98488360 |
SHA1: | 75F0539DC6AF200A07CDB056CDDDDEC595C6CFD2 |
SHA-256: | 852047023BA0CAE91C7A43365878613CFB4E64E36FF98C460E113D5088D68EF5 |
SHA-512: | B80CF1F678E6885276B9A1BFD9227374B2EB9E38BB20446D52EBE2C3DBA89764AA50CB4D49DF51A974478F3364B5DBCBC5B4A16DC8F1123B40C89C01725BE3D1 |
Malicious: | false |
Antivirus: |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1831716 |
Entropy (8bit): | 7.308492575684153 |
Encrypted: | false |
SSDEEP: | 49152:lf4WAQduqXBweZG32poHRS2tQuWikK9jM3:lJAQlnANE2tQTaM3 |
MD5: | 9B4D8ABA094C64270F7878FAE618AC65 |
SHA1: | FA3D773625A7FE13C127925856A2B015C986E598 |
SHA-256: | CB136F81690F426D253696166DE342FF05A1C1F3C0C780BBE800A06396424751 |
SHA-512: | 87EBE9A0C8BD59D98236943710F7A739AEE413FD8B198F1F92479434819423857252B6D160AB42A0EE8B976AAE3972185E2CC467FB9842AFEB9BF3C3D7577B73 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 202342 |
Entropy (8bit): | 7.5372236610693095 |
Encrypted: | false |
SSDEEP: | 3072:YTz6SobCaMo6ljmx23UrLpvJvOc9CuKjrDee/jKOVox2EcIHuysfzFC64:w6SPaMo6l4XvOZ5rDtKOVoQrF0 |
MD5: | E2901A2B3EFA6BB00F2AD1D4AD963F52 |
SHA1: | 1F2C771CEAE379DF9FA7FA1FA5E4ABC36638A42E |
SHA-256: | FEFA0B1539475BF0ED224A8D9934FD4558DD0B1297FB661DAB776ABC96C333FF |
SHA-512: | DA39BCB8E8C2BD79160B33A7767C58CC7CE204B56005B16AF6825DD6E25612D4C08E2C69A2DF288EC6635A24E740C23C5842E5DA3C08BDCCE9FC677D456C9B5E |
Malicious: | false |
Preview: |
C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\TableTextServiceYi.txt
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 45170 |
Entropy (8bit): | 3.7626877360483184 |
Encrypted: | false |
SSDEEP: | 384:wBMdoEQYh/Iq7rwSM+jNyql218nyeEJFFCEeFe73c3+AC+mviFuqOtSS0uK3l/:wadoAr7s1+jNyqr6FFweIT0h0/ |
MD5: | AC05652AF93A583226FD118E23D3652F |
SHA1: | DA5BB4AE245369888D1AF981AF6785FAE21C7BC9 |
SHA-256: | 54E26FC4F586B39C4CCB6655735E8AA03AD31498EFD0119AB8406258D5561627 |
SHA-512: | 2C24F1CBD45D5B06DF0A187793E02DA4F085E6E03CF1A697416F3F0B34FE4E96ECFCFD4E25DA3288383B98E1BC112A2418EFF5EA8E69BFBF153F28A20A687BF2 |
Malicious: | false |
Preview: |
C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\Z_Custom2.ini
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6221 |
Entropy (8bit): | 4.623864089058378 |
Encrypted: | false |
SSDEEP: | 96:KGz5QTZR5ATsj5sjc9sjnljnDQcaufEjnOAvtDAvVY:BzmTZbAojyjnjljspu8jXvtMvVY |
MD5: | CA003CF1D99CDF717768E88DD64BB84C |
SHA1: | A0326E46EA68C4649DD6645368B43922B6126FF6 |
SHA-256: | 44100D5F41FE4CDDD1D77EF7124FEC4F8071E5A1678339ACE0DA3DD7E826EF2F |
SHA-512: | 94D1EB659C22A3614F250C79D1C957876A617158BE538E35E906F12E68C6E12CCBE9C364D1F1C18D280F72FD7958D753348C056CAF320B6843EC3873B59C9926 |
Malicious: | false |
Preview: |
C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 69632 |
Entropy (8bit): | 4.63717105728589 |
Encrypted: | false |
SSDEEP: | 768:5U0SzA63tPY1AcbERQzuahkbzM7hX2O4HvypROPzMiibjUsqK0M49uo:5OU63tPY114RX3M7MvPy/OPz/CF09F |
MD5: | 299DBB927B6390C6B925757DD5B2B7FF |
SHA1: | FFCE563E42AF7B1086CB5AE92014801B2C66DC0C |
SHA-256: | D9D2BD64DE6176B31A4E704D7E5D08FA9BB75A6A8AC007A61C4DF38F6FA82262 |
SHA-512: | E88F9DA34960BC13C27F2B236A28410AC8B71619D8175103D0BD5E7F03F395F773BCDF399E805D2150BECF2EE107147287D6FE0C00BD41AC591F868E62296347 |
Malicious: | false |
Antivirus: |
Preview: |
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 7968 |
Entropy (8bit): | 7.906040167483731 |
Encrypted: | false |
SSDEEP: | 192:oXRXorJ1fquj4/Ms9hHCQyTscIhlMN58ZB5oEx5/U8qn8kyx:KRoqu0ksEIhCOjZU8M8kM |
MD5: | 162F6BB32D6D5AC380A80DA07C13E213 |
SHA1: | 7985EAC367E0B19CC0E30B24399A37663E8436F6 |
SHA-256: | 686310A1A5B8BB4D4EAA316FC0A3970EE878CC39F75E8C68F49ED51A5AD562DF |
SHA-512: | F4DC70FB483303906CA8C4D5AE404653C7B761BEB38B3DC88ABDEBED4B28A85F3A02F6E2E1E5D28A1625F09A8EEA7A66F12959AA12E98733023CE5908B9FF199 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 57606 |
Entropy (8bit): | 2.670628012232385 |
Encrypted: | false |
SSDEEP: | 768:Ip+EachJRWeyBP/QmazA5Bnh+QuGkvrOYKT2Rrt6UptqyBcerao1CEzSkNu8R2QP:uquzgxiGXNyHlqgdeo1CtNQP |
MD5: | 1EE3EA9EB5F7142B93FE99689B2038A6 |
SHA1: | AB0D94BDBDC97EEA61B226010584C12D9AED43EA |
SHA-256: | 67D1985FCBEB4E6FB84785F6304B3CB63A9326B328921E04CCFD50539825FDB7 |
SHA-512: | BBC7EAEA47011BB96FD26ADB3B71F981AE20FDACCF1A72BAFE96EC8E3071AD29AE052B279465FA700B3AD327DC2EA97408B52FD5A0D73B716F21FCD500D30B67 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 251376 |
Entropy (8bit): | 5.684541726348285 |
Encrypted: | false |
SSDEEP: | 3072:njOJemjvYiYtrWTovAYYYlDvNYXzMgv9/PuMKISOe1sWQuCyY+2JHfYavRkRYI1N:n+6v671nuMKRv1sHyaJ/YavRkRYIBYA1 |
MD5: | B44ED270A186763E1DA753AA39553B68 |
SHA1: | 10390F85EA5DB841A8BC70E8ED931A5D34026BE8 |
SHA-256: | E24E9B9C79199B66B9F847F1E07A2769B82CB7FCCA98E5B53F28B481EEBCABD8 |
SHA-512: | 0BF049851CBD5D29221E7C721F15E58286C030023A9BF66E88A5EE6D4D940F89CBBFB8A4E0376382472940450D631E7E3D0162C871443CA12169DFED4E7C91B5 |
Malicious: | false |
Antivirus: |
Preview: |
C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 384128 |
Entropy (8bit): | 5.921054568677329 |
Encrypted: | false |
SSDEEP: | 6144:zJteC/kw/VKk3g6ZK5RoyPAzv2B9NAlYRuKJOllo:zreCsO3g6QRoyPAw6eRh |
MD5: | 7E49C04017D860D5EE299FFB104203DF |
SHA1: | DDF55616BDABC91EB801CE14A45ACDAD2142B78F |
SHA-256: | 1AC6E64459440B6EFB03FC256E24BCCBBC512CF6E7DCD85DD3C45E1CA7584176 |
SHA-512: | EC125C3CD1EDE0F4C24915BC39EA641F58F1D78048E0CCB631F249839440218B02706CC8ACA785DA2B3993EDBABEFB433BF19BA29A9F1EDFB6ACACBDDC0A4F50 |
Malicious: | false |
Antivirus: |
Preview: |
C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\Sports-Wallpapers-1.jpg
Process: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 782753 |
Entropy (8bit): | 7.972739118836816 |
Encrypted: | false |
SSDEEP: | 12288:1xE6g9kiViGNq+W6nQNIDO0tVGb34eaR6fUnMlkTFztQywzV0jyB4Dl9l+qfkwPN:7E6G3VibpHIdebodR6jlKFtQVUv+iP8S |
MD5: | E269DECCAC13CF01A0377872E79BC676 |
SHA1: | 54D196FDE9529310F9E5A3EBA6548DAB4F179542 |
SHA-256: | 255874E0A6A5CA862CBAE5C783D582729B343C70C5697062D7F1E587F15F25EC |
SHA-512: | 08ADAD38BE3472CF8814C40F99D6DCFDA313C2FED765B872AA30C0995B027F2BEDABF75DB625F3C40F003A8EFC3F41169CBA4AF706EC637018DEEF02EC92F6CC |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.9924781293877105 |
TrID: |
File name: | DHL04AWB01173903102023PDF.scr.exe |
File size: | 1211760 |
MD5: | 1bf124cc783ff47a91ada4e6d4ac9e6b |
SHA1: | b78f2ffb785071ab785830cdd4cbc5f010b7480b |
SHA256: | 494d5735144af171cc15708b37b491b74be1522494958e605ac348dd4897dcf9 |
SHA512: | b5e35fda41aedb7c40961098745153efa13470d065ac2cfb343c542011ed58869494770615db8a7e4b64b77ac6dd2de4f1cfd1403efeceee8425993bdf66670b |
SSDEEP: | 24576:7RNsMRW/uL9M7e36FgHRcMSbA22c91uwozF2KDQcvhNfSf7a09Xe+bUe:c4suGm6SxcD2SczF2aQcffSDb99 |
TLSH: | 214533D212E2B0B3D690D93B5D5D6E7EE173D60014B2274B7340A8AE6F38165AB1F374 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....e.Q.................`...*.......3.......p....@ |
Icon Hash: | 74f0d0c0ccd4f0c4 |
Entrypoint: | 0x40331c |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x519965DC [Sun May 19 23:53:00 2013 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 17b7d61bda0f7478e36d9ce3d4170680 |
Signature Valid: | false |
Signature Issuer: | E=inertnesses@Forbetoning20.En, OU="Falskspillere Unrelinquishable ", O=Inalterableness, L=Montague, S=Texas, C=US |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | B6296BD55FD696653A6ECFD645239E12 |
Thumbprint SHA-1: | 7B9D3A3205DB42A6F338C423028B131EDDD4F064 |
Thumbprint SHA-256: | F7E0D7AFE23FD9E15D7B7C6CB47B4662581AE209B91E9046AE6A7AAFDC37720B |
Serial: | 04D25D90CEF83AEC304DC1F83B1B5CCF54893695 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push ebp |
push esi |
push edi |
push 00000020h |
xor ebp, ebp |
pop esi |
mov dword ptr [esp+18h], ebp |
mov dword ptr [esp+10h], 00409230h |
mov dword ptr [esp+14h], ebp |
call dword ptr [00407034h] |
push 00008001h |
call dword ptr [004070BCh] |
push ebp |
call dword ptr [004072ACh] |
push 00000008h |
mov dword ptr [00429298h], eax |
call 00007F3C8C223C0Dh |
mov dword ptr [004291E4h], eax |
push ebp |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebp |
push 00420690h |
call dword ptr [0040717Ch] |
push 0040937Ch |
push 004281E0h |
call 00007F3C8C223878h |
call dword ptr [00407134h] |
mov ebx, 00434000h |
push eax |
push ebx |
call 00007F3C8C223866h |
push ebp |
call dword ptr [0040710Ch] |
cmp word ptr [00434000h], 0022h |
mov dword ptr [004291E0h], eax |
mov eax, ebx |
jne 00007F3C8C220D6Ah |
push 00000022h |
mov eax, 00434002h |
pop esi |
push esi |
push eax |
call 00007F3C8C2232D4h |
push eax |
call dword ptr [00407240h] |
mov dword ptr [esp+1Ch], eax |
jmp 00007F3C8C220E29h |
push 00000020h |
pop edx |
cmp cx, dx |
jne 00007F3C8C220D69h |
inc eax |
inc eax |
cmp word ptr [eax], dx |
je 00007F3C8C220D5Bh |
add word ptr [eax], 0000h |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x7fc0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x127368 | 0xa08 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5e1c | 0x6000 | False | 0.6542561848958334 | data | 6.407290112650426 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1354 | 0x1400 | False | 0.43046875 | data | 5.037834422880877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x202d8 | 0x600 | False | 0.47265625 | data | 3.7587363087821926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x2a000 | 0x24000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x4e000 | 0x7fc0 | 0x8000 | False | 0.949371337890625 | data | 7.7369782578420665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x4e1d8 | 0x7562 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_DIALOG | 0x55740 | 0x100 | data | English | United States |
RT_DIALOG | 0x55840 | 0xf8 | data | English | United States |
RT_DIALOG | 0x55938 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x55998 | 0x14 | data | English | United States |
RT_VERSION | 0x559b0 | 0x25c | data | English | United States |
RT_MANIFEST | 0x55c10 | 0x3b0 | XML 1.0 document, ASCII text, with very long lines (944), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, MultiByteToWideChar, FindClose, MulDiv, ReadFile, WriteFile, lstrlenA, WideCharToMultiByte |
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 16, 2023 18:16:32.845144033 CET | 51269 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 16, 2023 18:16:32.848450899 CET | 53 | 51269 | 9.9.9.9 | 192.168.11.20 |
Mar 16, 2023 18:16:33.308228970 CET | 63295 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 16, 2023 18:16:33.572099924 CET | 53 | 63295 | 9.9.9.9 | 192.168.11.20 |
Mar 16, 2023 18:17:35.652198076 CET | 51788 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 16, 2023 18:17:35.834234953 CET | 53 | 51788 | 9.9.9.9 | 192.168.11.20 |
Mar 16, 2023 18:18:36.607264996 CET | 55925 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 16, 2023 18:18:36.712701082 CET | 53 | 55925 | 9.9.9.9 | 192.168.11.20 |
Mar 16, 2023 18:19:37.093964100 CET | 64270 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 16, 2023 18:19:37.198772907 CET | 53 | 64270 | 9.9.9.9 | 192.168.11.20 |
Mar 16, 2023 18:20:37.471440077 CET | 62628 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 16, 2023 18:20:38.486324072 CET | 62628 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 16, 2023 18:20:38.593599081 CET | 53 | 62628 | 1.1.1.1 | 192.168.11.20 |
Mar 16, 2023 18:21:47.112127066 CET | 58853 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 16, 2023 18:21:47.225806952 CET | 53 | 58853 | 1.1.1.1 | 192.168.11.20 |
Mar 16, 2023 18:22:52.644807100 CET | 53532 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 16, 2023 18:22:52.755912066 CET | 53 | 53532 | 1.1.1.1 | 192.168.11.20 |
Mar 16, 2023 18:23:53.178380013 CET | 52315 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 16, 2023 18:23:53.289233923 CET | 53 | 52315 | 1.1.1.1 | 192.168.11.20 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 16, 2023 18:16:32.845144033 CET | 192.168.11.20 | 9.9.9.9 | 0x6e97 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:16:33.308228970 CET | 192.168.11.20 | 9.9.9.9 | 0x43c7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:17:35.652198076 CET | 192.168.11.20 | 9.9.9.9 | 0x8ddd | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:18:36.607264996 CET | 192.168.11.20 | 9.9.9.9 | 0x750b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:19:37.093964100 CET | 192.168.11.20 | 9.9.9.9 | 0x2197 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:20:37.471440077 CET | 192.168.11.20 | 9.9.9.9 | 0xccb6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:20:38.486324072 CET | 192.168.11.20 | 1.1.1.1 | 0xccb6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:21:47.112127066 CET | 192.168.11.20 | 1.1.1.1 | 0xcb7e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:22:52.644807100 CET | 192.168.11.20 | 1.1.1.1 | 0xb589 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:23:53.178380013 CET | 192.168.11.20 | 1.1.1.1 | 0x286 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 16, 2023 18:16:32.848450899 CET | 9.9.9.9 | 192.168.11.20 | 0x6e97 | No error (0) | | | 162.159.129.233 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:16:32.848450899 CET | 9.9.9.9 | 192.168.11.20 | 0x6e97 | No error (0) | | | 162.159.133.233 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:16:32.848450899 CET | 9.9.9.9 | 192.168.11.20 | 0x6e97 | No error (0) | | | 162.159.135.233 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:16:32.848450899 CET | 9.9.9.9 | 192.168.11.20 | 0x6e97 | No error (0) | | | 162.159.134.233 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:16:32.848450899 CET | 9.9.9.9 | 192.168.11.20 | 0x6e97 | No error (0) | | | 162.159.130.233 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:16:33.572099924 CET | 9.9.9.9 | 192.168.11.20 | 0x43c7 | No error (0) | | | 79.134.225.111 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:17:35.834234953 CET | 9.9.9.9 | 192.168.11.20 | 0x8ddd | No error (0) | | | 79.134.225.111 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:18:36.712701082 CET | 9.9.9.9 | 192.168.11.20 | 0x750b | No error (0) | | | 79.134.225.111 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:19:37.198772907 CET | 9.9.9.9 | 192.168.11.20 | 0x2197 | No error (0) | | | 79.134.225.111 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:20:38.593599081 CET | 1.1.1.1 | 192.168.11.20 | 0xccb6 | No error (0) | | | 79.134.225.111 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:21:47.225806952 CET | 1.1.1.1 | 192.168.11.20 | 0xcb7e | No error (0) | | | 79.134.225.111 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:22:52.755912066 CET | 1.1.1.1 | 192.168.11.20 | 0xb589 | No error (0) | | | 79.134.225.111 | A (IP address) | IN (0x0001) | false |
Mar 16, 2023 18:23:53.289233923 CET | 1.1.1.1 | 192.168.11.20 | 0x286 | No error (0) | | | 79.134.225.111 | A (IP address) | IN (0x0001) | false |
Target ID: | 1 |
Start time: | 18:16:00 |
Start date: | 16/03/2023 |
Path: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1211760 bytes |
MD5 hash: | 1BF124CC783FF47A91ADA4E6D4AC9E6B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Target ID: | 4 |
Start time: | 18:16:21 |
Start date: | 16/03/2023 |
Path: | C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1211760 bytes |
MD5 hash: | 1BF124CC783FF47A91ADA4E6D4AC9E6B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |