Edit tour
Windows
Analysis Report
rAEAT-AvisodeNotificaci__n.exe
Overview
General Information
| Sample Name: | rAEAT-AvisodeNotificaci__n.exe |
| Analysis ID: | 830397 |
| MD5: | 77b1761153f7e6ca4b76ea26c2fa6645 |
| SHA1: | be00353381302d16a62c114efa564acf60473368 |
| SHA256: | dbb02fdfea2855cb95d3a6a2668fd5392b9d997200277d98fb758db781880523 |
| Infos: |  |
 | |
Detection
GuLoader
| Score: | 92 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard
Classification
- System is w10x64native
rAEAT-AvisodeNotificaci__n.exe (PID: 7928 cmdline: C:\Users\u ser\Deskto p\rAEAT-Av isodeNotif icaci__n.e xe MD5: 77B1761153F7E6CA4B76EA26C2FA6645) 
CasPol.exe (PID: 5816 cmdline: C:\Users\u ser\Deskto p\rAEAT-Av isodeNotif icaci__n.e xe MD5: 914F728C04D3EDDD5FBA59420E74E56B) 
conhost.exe (PID: 5796 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68) 
WerFault.exe (PID: 7128 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 5 816 -s 255 2 MD5: 40A149513D721F096DDF50C04DA2F01F)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 192.168.11.20132.226.8.16949797802039190 03/20/23-11:38:26.059783 |
| SID: | 2039190 |
| Source Port: | 49797 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0040596D | |
| Source: | Code function: | 0_2_004065A2 | |
| Source: | Code function: | 0_2_00402862 | |
| Source: | Code function: | 5_2_34876DDF | |
| Source: | Code function: | 5_2_34876933 | |
| Source: | Code function: | 5_2_34876300 | |
| Source: | Code function: | 5_2_34876B14 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | IP Address: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00405402 | |
| Source: | Static PE information: | ||
| Source: | Process created: | ||
| Source: | Code function: | 0_2_00403350 | |
| Source: | Code function: | 0_2_00404C3F | |
| Source: | Code function: | 0_2_048C069F | |
| Source: | Code function: | 0_2_048C089A | |
| Source: | Code function: | 0_2_048C0091 | |
| Source: | Code function: | 0_2_048C04B3 | |
| Source: | Code function: | 0_2_048C02C0 | |
| Source: | Code function: | 0_2_048C00D0 | |
| Source: | Code function: | 0_2_048C04EB | |
| Source: | Code function: | 0_2_048C06E2 | |
| Source: | Code function: | 0_2_048C02FB | |
| Source: | Code function: | 0_2_048C0209 | |
| Source: | Code function: | 0_2_048C0001 | |
| Source: | Code function: | 0_2_048C0414 | |
| Source: | Code function: | 0_2_048C0011 | |
| Source: | Code function: | 0_2_048C0629 | |
| Source: | Code function: | 0_2_048C0826 | |
| Source: | Code function: | 0_2_048C023F | |
| Source: | Code function: | 0_2_048C0444 | |
| Source: | Code function: | 0_2_048C0053 | |
| Source: | Code function: | 0_2_048C066C | |
| Source: | Code function: | 0_2_048C0866 | |
| Source: | Code function: | 0_2_048C047D | |
| Source: | Code function: | 0_2_048C0279 | |
| Source: | Code function: | 0_2_048C0986 | |
| Source: | Code function: | 0_2_048C0196 | |
| Source: | Code function: | 0_2_048C07DE | |
| Source: | Code function: | 0_2_048C05DF | |
| Source: | Code function: | 0_2_048C03D9 | |
| Source: | Code function: | 0_2_048C01FD | |
| Source: | Code function: | 0_2_048C0517 | |
| Source: | Code function: | 0_2_048C0117 | |
| Source: | Code function: | 0_2_048C0727 | |
| Source: | Code function: | 0_2_048C033F | |
| Source: | Code function: | 0_2_048C0551 | |
| Source: | Code function: | 0_2_048C0769 | |
| Source: | Code function: | 0_2_048C0377 | |
| Source: | Code function: | 5_2_00F302FB | |
| Source: | Code function: | 5_2_00F306E2 | |
| Source: | Code function: | 5_2_00F304EB | |
| Source: | Code function: | 5_2_00F300D0 | |
| Source: | Code function: | 5_2_00F302C0 | |
| Source: | Code function: | 5_2_00F304B3 | |
| Source: | Code function: | 5_2_00F30091 | |
| Source: | Code function: | 5_2_00F3089A | |
| Source: | Code function: | 5_2_00F3069F | |
| Source: | Code function: | 5_2_00F30279 | |
| Source: | Code function: | 5_2_00F3047D | |
| Source: | Code function: | 5_2_00F30866 | |
| Source: | Code function: | 5_2_00F3066C | |
| Source: | Code function: | 5_2_00F30053 | |
| Source: | Code function: | 5_2_00F30444 | |
| Source: | Code function: | 5_2_00F3023F | |
| Source: | Code function: | 5_2_00F30826 | |
| Source: | Code function: | 5_2_00F30629 | |
| Source: | Code function: | 5_2_00F30011 | |
| Source: | Code function: | 5_2_00F30414 | |
| Source: | Code function: | 5_2_00F30001 | |
| Source: | Code function: | 5_2_00F30209 | |
| Source: | Code function: | 5_2_00F301FD | |
| Source: | Code function: | 5_2_00F303D9 | |
| Source: | Code function: | 5_2_00F305DF | |
| Source: | Code function: | 5_2_00F307DE | |
| Source: | Code function: | 5_2_00F30196 | |
| Source: | Code function: | 5_2_00F30986 | |
| Source: | Code function: | 5_2_00F30377 | |
| Source: | Code function: | 5_2_00F30769 | |
| Source: | Code function: | 5_2_00F30551 | |
| Source: | Code function: | 5_2_00F3033F | |
| Source: | Code function: | 5_2_00F30727 | |
| Source: | Code function: | 5_2_00F30517 | |
| Source: | Code function: | 5_2_00F30117 | |
| Source: | Code function: | 5_2_348734F2 | |
| Source: | Code function: | 5_2_34876DDF | |
| Source: | Code function: | 5_2_348720D8 | |
| Source: | Code function: | 5_2_34874858 | |
| Source: | Code function: | 5_2_348762EF | |
| Source: | Code function: | 5_2_34876300 | |
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00403350 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004020FE | |
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | 0_2_004046C3 | |
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Window detected: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_10002E0E | |
| Source: | Code function: | 0_2_048C50CA | |
| Source: | Code function: | 0_2_048C8292 | |
| Source: | Code function: | 0_2_048C64CC | |
| Source: | Code function: | 0_2_048C5ABA | |
| Source: | Code function: | 0_2_048C7AC8 | |
| Source: | Code function: | 0_2_048C50CA | |
| Source: | Code function: | 0_2_048C68EE | |
| Source: | Code function: | 0_2_048C50CA | |
| Source: | Code function: | 0_2_048C6485 | |
| Source: | Code function: | 0_2_048C81E2 | |
| Source: | Code function: | 0_2_048C81F9 | |
| Source: | Code function: | 0_2_048C5733 | |
| Source: | Code function: | 0_2_048C834A | |
| Source: | Code function: | 5_2_00F350CA | |
| Source: | Code function: | 5_2_00F368EE | |
| Source: | Code function: | 5_2_00F350CA | |
| Source: | Code function: | 5_2_00F37AC8 | |
| Source: | Code function: | 5_2_00F35ABA | |
| Source: | Code function: | 5_2_00F364CC | |
| Source: | Code function: | 5_2_00F38292 | |
| Source: | Code function: | 5_2_00F350CA | |
| Source: | Code function: | 5_2_00F36485 | |
| Source: | Code function: | 5_2_00F381F9 | |
| Source: | Code function: | 5_2_00F381E2 | |
| Source: | Code function: | 5_2_00F3834A | |
| Source: | Code function: | 5_2_00F35733 | |
| Source: | Code function: | 0_2_10001B18 | |
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Last function: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Code function: | 0_2_0040596D | |
| Source: | Code function: | 0_2_004065A2 | |
| Source: | Code function: | 0_2_00402862 | |
| Source: | System information queried: | Jump to behavior | ||
| Source: | API call chain: | graph_0-6918 | ||
| Source: | API call chain: | graph_0-6923 | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_10001B18 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00403D1B | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00403350 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | Key opened: | Jump to behavior | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 1 System Network Configuration Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 16 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Timestomp | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 26% | Virustotal | Browse | ||
| 25% | ReversingLabs | Win32.Trojan.Generic |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 142.250.185.110 | true | false | high | |
| googlehosted.l.googleusercontent.com | 142.250.184.193 | true | false | high | |
| checkip.dyndns.com | 132.226.8.169 | true | true |
| unknown |
| doc-08-as-docs.googleusercontent.com | unknown | unknown | false | high | |
| checkip.dyndns.org | unknown | unknown | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | true | |
| 142.250.184.193 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false | |
| 142.250.185.110 | drive.google.com | United States | 15169 | GOOGLEUS | false |
| Joe Sandbox Version: | 37.0.0 Beryl |
| Analysis ID: | 830397 |
| Start date and time: | 2023-03-20 11:35:27 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 15m 31s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 |
| Number of analysed new started processes analysed: | 17 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | rAEAT-AvisodeNotificaci__n.exe |
| Detection: | MAL |
| Classification: | mal92.troj.spyw.evad.winEXE@5/21@3/3 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, WerFault.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.21
- Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, umwatson.events.data.microsoft.com, wdcp.microsoft.com
- Execution Graph export aborted for target CasPol.exe, PID 5816 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 132.226.8.169 | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| checkip.dyndns.com | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| UTMEMUS | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Stealc, Vidar | Browse |
| |
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, Babuk, Djvu, Fabookie, Raccoon Stealer v2, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | Amadey, Djvu, RHADAMANTHYS, RedLine, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse |
| ||
| Get hash | malicious | Amadey, Babuk, Djvu, RedLine, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Djvu, Vidar | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Djvu | Browse |
| ||
| Get hash | malicious | Amadey, Babuk, Djvu, Fabookie, RedLine, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | Babuk, Djvu | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Djvu | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Djvu, Vidar | Browse |
| ||
| Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | Browse |
| ||
| Get hash | malicious | Amadey, Djvu, Fabookie, RHADAMANTHYS, SmokeLoader, Vidar | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Switchboards\Barnls\System.Reflection.TypeExtensions.dll | Get hash | malicious | AgentTesla, GuLoader | Browse | ||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | AgentTesla, GuLoader | Browse | |||
| Get hash | malicious | AgentTesla, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | AgentTesla, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | AgentTesla, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Switchboards\Barnls\System.Reflection.Primitives.dll | Get hash | malicious | AgentTesla, GuLoader | Browse | ||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_caspol.exe_8e75fe8585f03f6e7a5776aa659ed6798ddaaf9_ea830a9b_b9de75dd-ca8c-4b40-893f-36ddd515dbdd\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 1.2402537125969615 |
| Encrypted: | false |
| SSDEEP: | 192:VMqd9vIxWmBUWSaX+AMWVM+Du76vfAIO8h:vnI5BUWSaOaq+Du76vfAIO8h |
| MD5: | ED680D8D31F3FD082DCB77CF6EAE07E1 |
| SHA1: | 878F217646AB6F4649CE1CA8931C2A3EB35F5393 |
| SHA-256: | 5F789CCB151E1D25AFB76A85FCADDBBFA6EF7CE61044F25C05687DB400312523 |
| SHA-512: | FC3A12027BAF17535ABDD7D4842B05196257AF77465EF3868247B677D7D87CB599CDA8647B57EA4658183E3B8198C552C345948EE8D317389DEF6A2E9F93F20A |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 295522 |
| Entropy (8bit): | 3.596920993962001 |
| Encrypted: | false |
| SSDEEP: | 3072:cgHI52q0a/2Ljp/oy7ppf4uEqVsLTgtUBLnF:cgo52qn/Miy7pV41TgtU |
| MD5: | 1307F65F3C6CBD8BC7DF63E7CEF9714A |
| SHA1: | E6F931110CB86AE00F0461CE761970EB50695AE9 |
| SHA-256: | 6F1B13539C7BFD4C7EFE04C03DA6767AD5963B868F80CB1B1C709ABAE0044CFF |
| SHA-512: | D3430BE583A87BF2E3C2AEBA0B075762DAD1C7C174DDB21BBA4AD87DC30FCA50487CEB63B6DA1F47C9FD10B9FFA87417161836A142EBE4F7EC7E2B4E96700A70 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8464 |
| Entropy (8bit): | 3.702193266151724 |
| Encrypted: | false |
| SSDEEP: | 192:R9l7lZNipzj6I62a6Y156/6gmfZCCCLFpr789b5gsfYTm:R9lnNitj6I6b6Y76CgmfhL5zfx |
| MD5: | 60563EF0E3B4B1A13813CB462B103B4A |
| SHA1: | 1F93939309371B7989DC47528DFC3FB6EF704C12 |
| SHA-256: | 21A67973FA6ABDC6260575BECB028BAF5B6C77C467188F86F897A1134EEC6A14 |
| SHA-512: | EDEED8E06EE5CA70683A3F77880522CA6F03D1C40FA52E72C184B8D677C0AD331D9BE1B03CB7BB42C83EB28D7FE35BF2E68A3BB092C3731F2966A24F5910AFE4 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4926 |
| Entropy (8bit): | 4.518247674827522 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwwtl8zsqe702I7VFJ5WS2CfjkBns3rm8M4JdyFA+q8vrsOvkVd:uILfP7GySPf9JBKvvkVd |
| MD5: | C8D911DB5AA6437AD975FB5BA0A1FD08 |
| SHA1: | 9B23854B43096642E7851310D38AB5A38D5A5B7D |
| SHA-256: | A652CFDD2AEA561BC70ADFA093D4E4D4307FC04DD3D3E5D9EE81CFE8DC7BC7F0 |
| SHA-512: | E454D111FCBA42B7635940A1280A60D6B70EDB74405DBFC14AD3125F9CE2F586DCA5D01770437991A6A98E6B86637720ED4FDF43331D2C3FCC0DE4C7A472D9CD |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Abtegnene\Fabriksnyt\Mdepligts\Sprnghoved\colorimeter-colorhug-symbolic.symbolic.png
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 227 |
| Entropy (8bit): | 6.604776901672149 |
| Encrypted: | false |
| SSDEEP: | 6:6v/lhPysE9Xj1F/bkqdXujFErL4MImATQZu22F+p:6v/7kR7/bjd8Kgm2Q/2y |
| MD5: | 7843C38CC42C6786B3373F166AF10172 |
| SHA1: | BA0163109D9B641B1312230B3F62E1E10A61AA5E |
| SHA-256: | E3AF1293F8E8AB5C81300196AF55A7C15D5608291D46A2B86D4255910A7D0E59 |
| SHA-512: | B1D3DF6A0A8CACD729CD9A2FD5AB0F74ED611270FA172CDBEB13D46FA71DD5CC5540A2FBFDB6C3004E652D317C8FAD4EC3AE437DF1C082B629870A33CC6BD34F |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 219901 |
| Entropy (8bit): | 7.346720674827732 |
| Encrypted: | false |
| SSDEEP: | 3072:Pcm5+sib8rmT/zvMEV7N+9Cxn1UAPWY+X2g6g6yc3b6Gr07B1i:Pcm5+KrCbUEpNmC11UAPo9Eb6Gr0VA |
| MD5: | 513144AEAF00A1862C312A14C5845328 |
| SHA1: | 4EE06E09FF90E24E6D8A61B98D86744E4A450913 |
| SHA-256: | 32483AC943D45F79D021312D39A11BB03B39103D475327A8C52B7F622EA837C4 |
| SHA-512: | 3935E898FCC0880164CD7A72495EE7BFF53BCC28E8A955AFB2123CA6C0B0298BF68CE25BC66B53A434D474ABC8130FD702D0BEB5614857BA0A89DFEF8D344B84 |
| Malicious: | true |
| Yara Hits: |
|
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Diuresis\Slockingstone\Rattlebrains\battery-level-90-charging-symbolic.svg
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6689 |
| Entropy (8bit): | 5.135211840989561 |
| Encrypted: | false |
| SSDEEP: | 192:VkjcMIy2+X2I2F2C2G2fH7y8cQaVB2nnuy1FQOcQaVv2q22L2k2s:mjcM7u8xaV8nnL1FQOxaVu6 |
| MD5: | C96D0DD361AFC6B812BDDD390B765A26 |
| SHA1: | 71081F096719CAA70B9BAEF86FE642635D8E2765 |
| SHA-256: | 6690799E5FA3FB0DD6CCE4BAC5AA1607C8A6BB16507854A87520C7DE53052E1B |
| SHA-512: | 7C73BC880A9401C64AB0571957B414180C1B94137C7BC870BA602979E7A990640A37991CB87A40BC7E5942A37FDA25EFC58C759C00F4344BA3D88B9AA64182DA |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Handlingssted\Skovsnegles\Herb\preferences-desktop-font-symbolic.symbolic.png
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 225 |
| Entropy (8bit): | 6.596645802250635 |
| Encrypted: | false |
| SSDEEP: | 6:6v/lhPysi5NuhsPwRngRfPq/3+phjSfVsup:6v/7thstJACSNsc |
| MD5: | F894266AB6A933B2FDA751E6490C319A |
| SHA1: | 2D2D3635198FEEFCB64D1D6B3CDCCDC4EA3DF4B0 |
| SHA-256: | 95F533585B4C61936C369557B3B7E397E56545A4C9DB9A5BDDD0E9ABB7A7F7E7 |
| SHA-512: | 977ED04753C3CB2B883D03A2A55001F6FCC8617DC3060B6C25AB7E5C691C3F76049E7DEADC7F6567AB7E8DC8492DE2874E8E632CF3EAD7B39ABC8CC98D331442 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Handlingssted\Skovsnegles\Herb\task-due-symbolic.symbolic.png
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 263 |
| Entropy (8bit): | 6.731374842054556 |
| Encrypted: | false |
| SSDEEP: | 6:6v/lhPysw9TXm0RZC/8xhbPgfdSwj4vw29OjuAO4+ZvYNVp:6v/7QVXm0a/8xhbPgfdSBvNYn2ZvYd |
| MD5: | 003B524806C1CA654CAC6ED2EB883E1B |
| SHA1: | F6F6ACA125DC4DB3B33378404017B5EE7D21D334 |
| SHA-256: | 2899E53769FA741E2C0675A2C69D2C246A8F34601BEE58DD66B16261005962A9 |
| SHA-512: | AA905997F9CE39F039E33C4CCA167C0137775D91B4929D918528BA00B92737C448EC46D91A4221644CCC00D1FCAA403AFF83F07276BAB6FD80D4B9E88E652F87 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Handlingssted\Skovsnegles\Herb\window-close.png
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 337 |
| Entropy (8bit): | 7.143668471552015 |
| Encrypted: | false |
| SSDEEP: | 6:6v/lhPWFmX9Ckymx8BZhCjO5QO6MsHqd+K/eBDQeU2oG9xqgjp:6v/7K0omx8yOqVtHH1U2oGR |
| MD5: | 7FBFE5B0A7AD2A67AACFD8481F8DCA01 |
| SHA1: | 21BABB6B7EC4746835DB43DC6A69A4AF0EFECA2D |
| SHA-256: | 0B4CD789E087F712F131FACCD754DC461774498DF3CA19B346D461D18A0AE622 |
| SHA-512: | 3A8F0D9653301F789A0588E848C40FFC92394461BF70A3421ABC85647F2C115948134FE9E161D055A11D200536356A15677D9C0E645346D27E122001F67FE22B |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Switchboards\Barnls\Minnesanger25.Sug
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 42980 |
| Entropy (8bit): | 2.6491437374043274 |
| Encrypted: | false |
| SSDEEP: | 768:KKarEEEJuib+7F22Ecarbbywoo4JaAgYqPfNsYEYp8ZTrVW8cZdUofY/xHXDABh2:psbRuyPjmtEQdsBEBhMX |
| MD5: | 6A34939EF0C3ABACF5534BBDB1BB40F0 |
| SHA1: | 3752964E0E0A0552427FE4F9269286CC77A8582C |
| SHA-256: | 8689CF2163F824CDEE10C5FE950A2119050D389348D8FC80E424CCE57EC1CE33 |
| SHA-512: | 49510854911026B1BBA9A038FF2D06CE5CB9860662ED6D597AF9664A1F48A5D39602E26240639CA1EBA6003B03E5C6ECAB06BFB4B67C1CA437A57BCAB1ECBE62 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Switchboards\Barnls\System.Reflection.Primitives.dll 
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 14952 |
| Entropy (8bit): | 6.599053939997928 |
| Encrypted: | false |
| SSDEEP: | 192:mrlnC6xxk2R5Ws+Wql73WOL8/pCuPHnhWgN7aoWTF6lI+XqnajlkEv:6nbW2R5Ws+Wql7//uPHRN7SIImlqW |
| MD5: | EDA04E04EBC0EBF7F8BBF30C4DAE6DE3 |
| SHA1: | 7BC4D50E6EEC7F04A9272BFEE4E4DB6F278DBE63 |
| SHA-256: | F3E55CB3ADFA93F563B09114D93062E680AB0864C220491458FBE151798B862F |
| SHA-512: | 7027DA3404675596B71394B660E600DA12C0750895F624776362167869760555EE9990699FFC9E4407301FC9437B2F638E2734B8BDEF3C7054990FD5A9C86550 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Switchboards\Barnls\System.Reflection.TypeExtensions.dll
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32368 |
| Entropy (8bit): | 6.393948275188786 |
| Encrypted: | false |
| SSDEEP: | 384:yWweWqlXnYcLpSfX0lawccfNXLWrdzy+A2jc2EPLNtAf/uPHRN7AJ/AlGseC62c:EqlXYcgEAwcc17Wc+bj+PLHuMU/xjx2c |
| MD5: | F2A123183E106BB1CF19376A8079D171 |
| SHA1: | 2B96296BE92D5F2EF7C59A70858AF4CAABC99A9D |
| SHA-256: | 896D4ED138C35ECF19AE432380096562872EAB103F7E352C15D214FD875B337A |
| SHA-512: | FCA6A89EFB16780A06CD25A55638882970F03E1535180A0E463AF9794184B04EB345CF29B12D4F261094E04A584E9225A7AD36A62631227451059F64A77B3C67 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\media-playlist-consecutive-symbolic.svg
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1329 |
| Entropy (8bit): | 4.950241534342892 |
| Encrypted: | false |
| SSDEEP: | 24:t4Cp/YHyKbRAecFxVrGDT/Gfd8hTdyKbRAecFxVrGDT/bNxNxZrGQ:9YHNtAecFmDT/s8hdNtAecFmDT/j3YQ |
| MD5: | 021A9F00A28C9D496E490AE951E8EF12 |
| SHA1: | F8A6392065D07BAC72E138B0E47A24FFDCCEE74B |
| SHA-256: | B420561770B77FCB47F69B6198B34B11155535F8A2E907BC4A0998CE74AFD340 |
| SHA-512: | 7F4F2D904EA968BF68E35E0D7F1EAE9718234757D1989879996BFB49D9C447F67544CB0E1C441FD6539D58B5F2C6ACA7E9E0208738C235D9AF0C093511760212 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\network-offline-symbolic.svg
Download File
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1155 |
| Entropy (8bit): | 5.154592341044034 |
| Encrypted: | false |
| SSDEEP: | 24:t4CpQyhEXQDWu4AeWrGMyRQJaPahrGDfJcghSvOqlIQX6e4AeWrGMyp:vhjDWu4Ae3M5wSgDDontqe4Ae3MO |
| MD5: | EFB3C780BC44B346B50B1F0DC6CF6D0F |
| SHA1: | 472B0EDD1C4C3092BC7C4DF934ABE126885B1780 |
| SHA-256: | 990859D3B2C830E23EC276BF1D38A38EE1BA3D89BF04CB138107E4CDE31167B5 |
| SHA-512: | 5B9C96F146C6A065C89172D02BDE8020876DC9C78859AD2B8B9529C615215F88BA85C2789544F5C5A247C148BB52FE4B5FCA325E7EAC4826D31A0365A0B8BCBE |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 891 |
| Entropy (8bit): | 7.745720384539504 |
| Encrypted: | false |
| SSDEEP: | 24:d4qWCHdkXfUZEcO5MkIi416cOQSkye9V+:d4qnHd8MkIi4Dpb6 |
| MD5: | 5AF147D26AD399F83825377F04FD56A1 |
| SHA1: | B378A498B0DB8114C794E21D533E80CEBE5DDE04 |
| SHA-256: | 6147A091847FCC9D9EDB22E655C4FC9DE6632C76D4252350400FA286F9791109 |
| SHA-512: | EEC16DE49A4698FE4F03F841FBCF045FBBDC9D634EB73ED35DB544B6DB4BC0135CD8E1DF102FD1E8BDE9FC75380948B4C0459685EE2C21858D645B7973759EA6 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6144 |
| Entropy (8bit): | 4.496995234059773 |
| Encrypted: | false |
| SSDEEP: | 96:1IUNaXnnXyEIPtXvZhr5RwiULuxDtJ1+wolpE:1Ix3XyEwXvZh1RwnLUDtf+I |
| MD5: | E8B67A37FB41D54A7EDA453309D45D97 |
| SHA1: | 96BE9BF7A988D9CEA06150D57CD1DE19F1FEC19E |
| SHA-256: | 2AD232BCCF4CA06CF13475AF87B510C5788AA790785FD50509BE483AFC0E0BCF |
| SHA-512: | 20EFFAE18EEBB2DF90D3186A281FA9233A97998F226F7ADEAD0784FBC787FEEE419973962F8369D8822C1BBCDFB6E7948D9CA6086C9CF90190C8AB3EC97F4C38 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\rAEAT-AvisodeNotificaci__n.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11776 |
| Entropy (8bit): | 5.659384359264642 |
| Encrypted: | false |
| SSDEEP: | 192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz |
| MD5: | 8B3830B9DBF87F84DDD3B26645FED3A0 |
| SHA1: | 223BEF1F19E644A610A0877D01EADC9E28299509 |
| SHA-256: | F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37 |
| SHA-512: | D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2097152 |
| Entropy (8bit): | 4.512546218889307 |
| Encrypted: | false |
| SSDEEP: | 12288:dgcUY6/eee9WwB84iTd+vXlnFbSwv+JnxQ7SLj732JlCGzz4OragmcnYJe:dX9WwB84iTd+vXlnFGMB4OragmcnYJe |
| MD5: | 5BF4985CB57212B68B3FA93CA480E32F |
| SHA1: | 8CA2702D7B46279BFB6121103417834EE80EDC49 |
| SHA-256: | 8CB558ADE731A28AD742FDA983024154BF8C1306834281080F7A6D2C6DDDA870 |
| SHA-512: | 095C6429C8DB088FAE11A782D4684A2C7427268628A79EEC5A7B97DC7E7A835243D5B66576F03DB1BAB683D57F9D64AA144EFA4E906E2FA93685CBAED01B910C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 376832 |
| Entropy (8bit): | 2.6699994316731033 |
| Encrypted: | false |
| SSDEEP: | 3072:US3DFIecejetbNqlWjai5sTBG29DgebeOeF8DgebeOeDe3TKeme:UYSJexP9c6ns8c6nie3TKz |
| MD5: | 5945EC104B18442693FC321D2FA8C8F5 |
| SHA1: | EE860927007D959734CF2BC6D8D767B621A0617B |
| SHA-256: | FAE5071F7F6B1012397D1BA745DE7F3523CCC8A978F5AB7804B138E4385AA7DC |
| SHA-512: | C7E46E8BB1E5902FF36F9E504C82CF71944E9A346A522E9D0EC59B543DB77B49D55141F564926A23068FC36BD627BE8E2FD7DCFEE7E37C8D9E672C58230F8F27 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 211 |
| Entropy (8bit): | 4.572499124765754 |
| Encrypted: | false |
| SSDEEP: | 6:WsTbRh07NkMswksKML4IOBWEyIFrvaawp0N5aNlc:DYsDh06ep650c |
| MD5: | CBFCB802B320CCF52613522DFB771EB4 |
| SHA1: | FEFC7681A1EF0B39C3AFF1BFDFB703D3C27689D3 |
| SHA-256: | AC2C2635F85C4D84C7EB1D72E0C6B347D82CFA78EE9506FEE8D17E0E6AA071C4 |
| SHA-512: | 540854E486C2F9C3AAF97F5FD230CF9A76570D92B556CFD241728484103D9E24037CF2535F9AA0D2B799D994C97B8137776DBFC096CE39D5A68FF4CED414688A |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.030340339436893 |
| TrID: |
|
| File name: | rAEAT-AvisodeNotificaci__n.exe |
| File size: | 433208 |
| MD5: | 77b1761153f7e6ca4b76ea26c2fa6645 |
| SHA1: | be00353381302d16a62c114efa564acf60473368 |
| SHA256: | dbb02fdfea2855cb95d3a6a2668fd5392b9d997200277d98fb758db781880523 |
| SHA512: | 7ecfd1739db4ae8323896fa7c3e7231ef8124de59e7113eaffaf9ced0d93c07e3d5c48f50fa5cf1aed4588d4b5f35a35b5ea4221fd63b1c61a9f5e2207e03fe3 |
| SSDEEP: | 6144:D6bAcJvkzKmPPzS58G93IuZUU/rR83tWgn2BRH81SH5ioFrI70U5p72l:87ubCHIC5rRKsg2BRc1cZs5p7u |
| TLSH: | C194F1127FDBE867D0526D786186DE186EB0EF049219E747E3B03ABDE5BA3025C1B103 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....uY.................d....:.... |
 | |
| Icon Hash: | 20c4f8f8e8f0f24c |
| Entrypoint: | 0x403350 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x59759518 [Mon Jul 24 06:35:04 2017 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | b34f154ec913d2d2c435cbd644e91687 |
| Signature Valid: | false |
| Signature Issuer: | E=Aktivsiden@Krselstider.Th, OU="Positival Kontaktpersonernes Frothi ", O=Overbegavet, L=Charmont-sous-Barbuise, S=Grand Est, C=FR |
| Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
| Error Number: | -2146762487 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 2456D98150D883C67DE9DFE914FCE355 |
| Thumbprint SHA-1: | 679C31D66A1EC517454AC9E145276BFB7CD9E1E1 |
| Thumbprint SHA-256: | 841BEC78FA2D17EC15423A3044CCEC68C10A9C902E0F41BF269F4538B2CB4380 |
| Serial: | 537EA62409F213AF08512C7B9AF6C6FDFE1BAEFB |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push esi |
| push edi |
| push 00000020h |
| pop edi |
| xor ebx, ebx |
| push 00008001h |
| mov dword ptr [esp+14h], ebx |
| mov dword ptr [esp+10h], 0040A2E0h |
| mov dword ptr [esp+1Ch], ebx |
| call dword ptr [004080A8h] |
| call dword ptr [004080A4h] |
| and eax, BFFFFFFFh |
| cmp ax, 00000006h |
| mov dword ptr [007A8A2Ch], eax |
| je 00007F3380434753h |
| push ebx |
| call 00007F33804379E9h |
| cmp eax, ebx |
| je 00007F3380434749h |
| push 00000C00h |
| call eax |
| mov esi, 004082B0h |
| push esi |
| call 00007F3380437963h |
| push esi |
| call dword ptr [00408150h] |
| lea esi, dword ptr [esi+eax+01h] |
| cmp byte ptr [esi], 00000000h |
| jne 00007F338043472Ch |
| push 0000000Ah |
| call 00007F33804379BCh |
| push 00000008h |
| call 00007F33804379B5h |
| push 00000006h |
| mov dword ptr [007A8A24h], eax |
| call 00007F33804379A9h |
| cmp eax, ebx |
| je 00007F3380434751h |
| push 0000001Eh |
| call eax |
| test eax, eax |
| je 00007F3380434749h |
| or byte ptr [007A8A2Fh], 00000040h |
| push ebp |
| call dword ptr [00408044h] |
| push ebx |
| call dword ptr [004082A0h] |
| mov dword ptr [007A8AF8h], eax |
| push ebx |
| lea eax, dword ptr [esp+34h] |
| push 000002B4h |
| push eax |
| push ebx |
| push 0079FEE0h |
| call dword ptr [00408188h] |
| push 0040A2C8h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d0000 | 0x28268 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x679d0 | 0x2268 | .data |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x63c8 | 0x6400 | False | 0.6766015625 | data | 6.504099201068482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x138e | 0x1400 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x39eb38 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x3a9000 | 0x27000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x3d0000 | 0x28268 | 0x28400 | False | 0.3355129076086957 | data | 4.767250735975199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x3d0310 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States |
| RT_ICON | 0x3e0b38 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States |
| RT_ICON | 0x3e9fe0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 | English | United States |
| RT_ICON | 0x3ef468 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States |
| RT_ICON | 0x3f3690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States |
| RT_ICON | 0x3f5c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States |
| RT_ICON | 0x3f6ce0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States |
| RT_ICON | 0x3f7668 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States |
| RT_DIALOG | 0x3f7ad0 | 0x100 | data | English | United States |
| RT_DIALOG | 0x3f7bd0 | 0xf8 | data | English | United States |
| RT_DIALOG | 0x3f7cc8 | 0xa0 | data | English | United States |
| RT_DIALOG | 0x3f7d68 | 0x60 | data | English | United States |
| RT_GROUP_ICON | 0x3f7dc8 | 0x76 | data | English | United States |
| RT_MANIFEST | 0x3f7e40 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
| USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.11.20132.226.8.16949797802039190 03/20/23-11:38:26.059783 | TCP | 2039190 | ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49797 | 80 | 192.168.11.20 | 132.226.8.169 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 20, 2023 11:38:23.851558924 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:23.851653099 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:23.851912022 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:23.875530005 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:23.875575066 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:23.916757107 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:23.916984081 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:23.917043924 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:23.917649031 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:23.917861938 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:23.981728077 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:23.981839895 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:23.982880116 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:23.983022928 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:23.986423969 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:24.028503895 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.329618931 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.329839945 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:24.329926968 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.329969883 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.330066919 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:24.330154896 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:24.331521988 CET | 49795 | 443 | 192.168.11.20 | 142.250.185.110 |
| Mar 20, 2023 11:38:24.331600904 CET | 443 | 49795 | 142.250.185.110 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.442899942 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.443048000 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.443356991 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.443624020 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.443665981 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.509440899 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.509727001 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.511383057 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.511639118 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.514813900 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.514857054 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.515402079 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.515535116 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.515832901 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.556492090 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.762135029 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.762311935 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.762363911 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.762372017 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.762471914 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.763184071 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.763345957 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.763345957 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.764550924 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.764738083 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.764857054 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.765422106 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.765543938 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.765659094 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.765669107 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.765856981 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.767509937 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.767702103 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.767710924 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.767844915 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.770335913 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.770509958 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.770545959 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.770695925 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.770709038 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.770914078 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.771270990 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.771672010 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.771682024 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.771964073 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.771974087 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.772173882 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.772182941 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.772447109 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.772749901 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.773035049 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.773046970 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.773206949 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.773458958 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.773623943 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.773633003 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.773828030 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.774261951 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.774410009 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.774425030 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.774560928 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.774924994 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.775063038 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.775074959 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.775348902 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.775548935 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.775716066 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.775724888 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.775963068 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.776206017 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.776273966 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.776592016 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.776599884 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.777005911 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.777059078 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.777121067 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.777563095 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.777574062 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.777864933 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.778000116 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.778074026 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.778279066 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.778287888 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.778527021 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.778887987 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.778999090 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.779048920 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.779055119 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.779227018 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.779848099 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.780004978 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.780150890 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.780158997 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.780174017 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.780417919 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.780822992 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.780936003 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.780992031 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.781064987 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.781073093 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.781219006 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.781414986 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.781656027 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.781755924 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.781830072 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.781840086 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.781847000 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.782031059 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.782613039 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.782680035 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.782797098 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.782830000 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.782836914 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.783027887 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.783548117 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.783724070 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.783730984 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.783808947 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.783885002 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.783907890 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.784018993 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.784080029 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.784145117 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.784246922 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.784308910 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.784343004 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.784356117 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.784415007 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.784576893 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.784585953 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.784720898 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.785075903 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.785211086 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.785259008 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.785269976 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.785278082 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.785415888 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.785547972 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.785923958 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.786046982 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.786093950 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.786261082 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.786267996 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.786453009 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.786700010 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.786798954 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.786942959 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.786952019 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.787029028 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.787054062 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.787090063 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.787095070 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.787223101 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.787276983 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.787738085 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.787878036 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.787897110 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.787915945 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.788013935 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.788013935 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.788029909 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.788220882 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.788227081 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.788366079 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.788670063 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.788878918 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.788886070 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.788892984 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.789041996 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.789045095 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.789053917 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.789258957 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.789437056 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.789582968 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.789608002 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.789618969 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.789664030 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.789768934 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.789779902 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.789865971 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.789975882 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.790246964 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.790406942 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.790446997 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.790452957 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.790458918 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.790509939 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.790575027 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.790688038 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.790735006 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.790882111 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.790980101 CET | 49796 | 443 | 192.168.11.20 | 142.250.184.193 |
| Mar 20, 2023 11:38:24.790987968 CET | 443 | 49796 | 142.250.184.193 | 192.168.11.20 |
| Mar 20, 2023 11:38:25.763247013 CET | 49797 | 80 | 192.168.11.20 | 132.226.8.169 |
| Mar 20, 2023 11:38:26.058407068 CET | 80 | 49797 | 132.226.8.169 | 192.168.11.20 |
| Mar 20, 2023 11:38:26.058630943 CET | 49797 | 80 | 192.168.11.20 | 132.226.8.169 |
| Mar 20, 2023 11:38:26.059782982 CET | 49797 | 80 | 192.168.11.20 | 132.226.8.169 |
| Mar 20, 2023 11:38:26.357271910 CET | 80 | 49797 | 132.226.8.169 | 192.168.11.20 |
| Mar 20, 2023 11:38:26.413085938 CET | 49797 | 80 | 192.168.11.20 | 132.226.8.169 |
| Mar 20, 2023 11:39:14.127078056 CET | 49797 | 80 | 192.168.11.20 | 132.226.8.169 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 20, 2023 11:38:23.833991051 CET | 56064 | 53 | 192.168.11.20 | 1.1.1.1 |
| Mar 20, 2023 11:38:23.843310118 CET | 53 | 56064 | 1.1.1.1 | 192.168.11.20 |
| Mar 20, 2023 11:38:24.408962011 CET | 62882 | 53 | 192.168.11.20 | 1.1.1.1 |
| Mar 20, 2023 11:38:24.441703081 CET | 53 | 62882 | 1.1.1.1 | 192.168.11.20 |
| Mar 20, 2023 11:38:25.747843027 CET | 57056 | 53 | 192.168.11.20 | 1.1.1.1 |
| Mar 20, 2023 11:38:25.758192062 CET | 53 | 57056 | 1.1.1.1 | 192.168.11.20 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 20, 2023 11:38:23.833991051 CET | 192.168.11.20 | 1.1.1.1 | 0xeecd | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 20, 2023 11:38:24.408962011 CET | 192.168.11.20 | 1.1.1.1 | 0x7425 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 20, 2023 11:38:25.747843027 CET | 192.168.11.20 | 1.1.1.1 | 0xb072 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 20, 2023 11:38:23.843310118 CET | 1.1.1.1 | 192.168.11.20 | 0xeecd | No error (0) | 142.250.185.110 | A (IP address) | IN (0x0001) | false | ||
| Mar 20, 2023 11:38:24.441703081 CET | 1.1.1.1 | 192.168.11.20 | 0x7425 | No error (0) | googlehosted.l.googleusercontent.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Mar 20, 2023 11:38:24.441703081 CET | 1.1.1.1 | 192.168.11.20 | 0x7425 | No error (0) | 142.250.184.193 | A (IP address) | IN (0x0001) | false | ||
| Mar 20, 2023 11:38:25.758192062 CET | 1.1.1.1 | 192.168.11.20 | 0xb072 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Mar 20, 2023 11:38:25.758192062 CET | 1.1.1.1 | 192.168.11.20 | 0xb072 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Mar 20, 2023 11:38:25.758192062 CET | 1.1.1.1 | 192.168.11.20 | 0xb072 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Mar 20, 2023 11:38:25.758192062 CET | 1.1.1.1 | 192.168.11.20 | 0xb072 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Mar 20, 2023 11:38:25.758192062 CET | 1.1.1.1 | 192.168.11.20 | 0xb072 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Mar 20, 2023 11:38:25.758192062 CET | 1.1.1.1 | 192.168.11.20 | 0xb072 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.11.20 | 49795 | 142.250.185.110 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.11.20 | 49796 | 142.250.184.193 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 2 | 192.168.11.20 | 49797 | 132.226.8.169 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Mar 20, 2023 11:38:26.059782982 CET | 270 | OUT | |
| Mar 20, 2023 11:38:26.357271910 CET | 270 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.11.20 | 49795 | 142.250.185.110 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| 2023-03-20 10:38:23 UTC | 0 | OUT | |
| 2023-03-20 10:38:24 UTC | 0 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.11.20 | 49796 | 142.250.184.193 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| 2023-03-20 10:38:24 UTC | 1 | OUT | |
| 2023-03-20 10:38:24 UTC | 1 | IN |