Windows
Analysis Report
rFACTURA_FAC_2023_1-1000733.PDF.exe
Overview
General Information
Detection
GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard
Classification
- System is w10x64native
- rFACTURA_FAC_2023_1-1000733.PDF.exe (PID: 8312, cmdline: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe, MD5: A6EF5ED777BA7369C2BB28E46B198BA6)
  - CasPol.exe (PID: 6576, cmdline: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe, MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    - conhost.exe (PID: 3964, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    - WerFault.exe (PID: 8568, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 2500, MD5: 40A149513D721F096DDF50C04DA2F01F)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
⊘No Sigma rule has matched
Timestamp: | 03/20/23-11:06:12.385242 |
Source IP: | 192.168.11.20 |
Destination IP: | 132.226.8.169 |
Source Port: | 49801 |
Destination Port: | 80 |
Protocol: | TCP |
SID: | 2039190 |
Classtype: | A Network Trojan was detected |
AV Detection | Details |
---|---|
Virustotal | |
Static PE information | |
Registry value created | |
HTTPS traffic detected (2 entries) | |
Static PE information | |
Binary string (42 entries) | |
Code function | 0_2_0040596D, 0_2_004065A2, 0_2_00402862 |
Code function | 11_2_34196DDF, 11_2_34196933, 11_2_34196B14, 11_2_34196300 |
Networking | Details |
---|---|
Snort IDS | |
DNS query (2 entries) | |
ASN Name | |
JA3 fingerprint | |
IP Address | |
HTTP traffic detected (3 entries) | |
Network traffic detected (4 entries) | |
UDP traffic detected without corresponding DNS query (3 entries) | |
String found in binary or memory (37 entries) | |
DNS traffic detected | |
HTTP traffic detected (3 entries) | |
HTTPS traffic detected (2 entries) | |
Code function | 0_2_00405402 |
System Summary | Details |
---|---|
Static PE information | |
Static PE information | |
Process created | |
Code function | 0_2_00403350 |
Code function | 0_2_00404C3F, 11_2_341934F2, 11_2_34196DDF, 11_2_34194858, 11_2_341920D8, 11_2_341962EF, 11_2_34196300 |
Static PE information | |
Section loaded (2 entries) | |
Static PE information | |
Virustotal | |
File read | |
Static PE information | |
Key opened | |
Process created (5 entries) | |
Key value queried | |
Code function | 0_2_00403350 |
File created | |
Classification label | |
Code function | 0_2_004020FE |
File read | |
Code function | 0_2_004046C3 |
Section loaded (3 entries) | |
Mutant created (3 entries) | |
Window detected | |
File opened | |
Key opened | |
Registry value created | |
Static PE information | |
Binary string (42 entries) | |
Data Obfuscation | Details |
---|---|
File source (4 entries) | |
Code function | 0_2_10002E0E, 0_2_048B4C0E, 0_2_048B4C16, 0_2_048B5A71, 0_2_048B209F, 0_2_048B7C74, 0_2_048B4BBA, 0_2_048B4BC2, 0_2_048B71FD, 0_2_048B7E05, 0_2_048B4B3D, 0_2_048B0D43, 11_2_00FC7C74, 11_2_00FC209F, 11_2_00FC5A71, 11_2_00FC4C16, 11_2_00FC4C0E, 11_2_00FC71FD, 11_2_00FC7E05, 11_2_00FC4BC2, 11_2_00FC4BBA, 11_2_00FC0D43, 11_2_00FC4B3D |
Code function | 0_2_10001B18 |
Static PE information | |
File created (4 entries) | |
Hooking and other Techniques for Hiding and Protection | Details |
---|---|
Static PE information | |
Process information set (68 entries) | |
Malware Analysis System Evasion | Details |
---|---|
File opened (4 entries) | |
Binary or memory string (2 entries) | |
Last function | |
Dropped PE file which has not been started (2 entries) | |
Code function | 0_2_0040596D, 0_2_004065A2, 0_2_00402862 |
System information queried | |
API call chain | graph_0-4900, graph_0-4895 |
Binary or memory string (15 entries) | |
Code function | 0_2_10001B18 |
Process token adjusted | |
Code function | 0_2_00401E43 |
Memory allocated | |
HIPS / PFW / Operating System Protection Evasion | Details |
---|---|
Memory written | |
Process created | |
Queries volume information (3 entries) | |
Key value queried | |
Code function | 0_2_00403350 |
Binary or memory string (4 entries) | |
Stealing of Sensitive Information | Details |
---|---|
Key opened | |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Windows Service | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 111 Process Injection | 1 Disable or Modify Tools | Security Account Manager | 1 System Network Configuration Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 16 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 12 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Timestomp | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 20% | Virustotal | | |
| 5% | ReversingLabs | Win32.Trojan.Generic | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Virustotal | | |
| 0% | Virustotal | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Virustotal | | |
| 0% | Virustotal | | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 142.250.181.238 | true | false | | high |
googlehosted.l.googleusercontent.com | 142.250.185.193 | true | false | | high |
checkip.dyndns.com | 132.226.8.169 | true | true | | unknown |
checkip.dyndns.org | unknown | unknown | true | | unknown |
doc-0s-a8-docs.googleusercontent.com | unknown | unknown | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(25 URLs) | | false | | high |
(6 URLs) | | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | true |
142.250.181.238 | drive.google.com | United States | 15169 | GOOGLEUS | false |
142.250.185.193 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 830399 |
Start date and time: | 2023-03-20 11:00:46 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 17m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Number of new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | rFACTURA_FAC_2023_1-1000733.PDF.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@5/21@3/3 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.20
- Excluded domains from analysis (whitelisted): client.wns.windows.com, wdcpalt.microsoft.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, umwatson.events.data.microsoft.com, wdcp.microsoft.com
- Execution Graph export aborted for target CasPol.exe, PID 6576 because it is empty
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
⊘No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
132.226.8.169 | 20 related samples | | malicious | Snake Keylogger | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
checkip.dyndns.com | 18 related samples | | malicious | Snake Keylogger | | |
| 2 related samples | | malicious | GuLoader | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
UTMEMUS | 20 related samples | | malicious | Snake Keylogger | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | | | malicious | Remcos, DBatLoader | | |
| | | malicious | Remcos | | |
| | | malicious | Unknown | | |
| | | malicious | Amadey, Babuk, Djvu, Fabookie, Raccoon Stealer v2, RedLine, SmokeLoader | | |
| | | malicious | Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar | | |
| | | malicious | Amadey, Djvu, RHADAMANTHYS, RedLine, SmokeLoader, Vidar | | |
| | | malicious | Vidar | | |
| | | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | | |
| | | malicious | Amadey, Babuk, Djvu, RedLine, SmokeLoader, Vidar | | |
| | | malicious | Clipboard Hijacker, Djvu, Vidar | | |
| | | malicious | Clipboard Hijacker, Djvu | | |
| | | malicious | Amadey, Babuk, Djvu, Fabookie, RedLine, SmokeLoader, Vidar | | |
| | | malicious | Babuk, Djvu | | |
| | | malicious | Clipboard Hijacker, Djvu | | |
| | | malicious | Clipboard Hijacker, Djvu, Vidar | | |
| | | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | | |
| | | malicious | Amadey, Djvu, Fabookie, RHADAMANTHYS, SmokeLoader, Vidar | | |
| | | malicious | Clipboard Hijacker, Djvu, Vidar | | |
| | | malicious | Djvu | | |
| | | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\System.Reflection.TypeExtensions.dll | 9 related samples | | malicious | GuLoader | | |
| 4 related samples | | malicious | AgentTesla, GuLoader | | |
| 1 related sample | | malicious | Unknown | | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_caspol.exe_c9831a337d3627d9a81a22112d1a4918180c9e2_ea830a9b_d3bd527c-2f90-4458-9cd4-e1517201fb0e\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.2413907368074433 |
Encrypted: | false |
SSDEEP: | 192:9fE059v6x3mBUWSaX+AMWVM+Du76zfAIO8h:S0j6wBUWSaOaq+Du76zfAIO8h |
MD5: | 35DD3D5B04B74FA528100F3D0EFD2762 |
SHA1: | 7152E07DBB8C0F5FBF780254D2E2E8C46B7B9F1F |
SHA-256: | 90E8785A4995B03B26F73D1A63BD0AADF591CAD0E8CBC0A35DA78088B3364F7B |
SHA-512: | FC42405BD29FE2913BDB0A7D8C8F32CDBC6794F8B6E310A704A53AD96E95C4449F327EFF9146328001B51D4FB5DD97ED1CF0580545CAE3C43D8D3140007AC9BD |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 298062 |
Entropy (8bit): | 3.5731501507227876 |
Encrypted: | false |
SSDEEP: | 3072:5YgOQBtas+vqyCftZYyC4uEq5mS2VLTgKQh85:5JHaseqyCDFC4Of2BTgh |
MD5: | EBEB9263C8F7B88F1C962D0F6D174ED7 |
SHA1: | 49718D4D2B825BFC51D546C3360190787F9CC0DF |
SHA-256: | 5A6B0099475067373495611C80EE30CD8FFF8CBCC41570CA6E3203FE371399D4 |
SHA-512: | F61A6D1019C9BE483002858790ABC909C8AC52821310B07ACA70F4790E8905F0DD8AD7AE08B13413D1353F3517D2E76532BBFA455F047C209CD2EE6759EF6EFC |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8478 |
Entropy (8bit): | 3.7135390864151505 |
Encrypted: | false |
SSDEEP: | 192:R9l7lZNipu6ISD1/6Y786zgmfZkCL9pr189b2Ssf0EkSm:R9lnNig6ISp6YA6zgmfWN2RfXQ |
MD5: | FF404A19C5664B74EF66C62FD6BC2652 |
SHA1: | D287A995597C29843696562F0B0778734BBBB778 |
SHA-256: | 90016E84D9557D7D3D5C53E9CFCAF383A41AE3D38640E8504B31FFA71B6AA4CD |
SHA-512: | D7C9874B81D30F8C75CE136FF25F53443276F831FBB29DFA65914EDD8550B2D22E22D98182FE976F9CF2FB99EEBF4210BCA17B5F9284C9B3CE2D53989D8D0ABE |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4928 |
Entropy (8bit): | 4.552958834584104 |
Encrypted: | false |
SSDEEP: | 48:cvIwwtl8zs+e702I7VFJ5WS2CfjkLs3rm8M4JdpPFOo/+q8vrpGvktd:uILfz7GySPfnJF/KIvktd |
MD5: | 78A0C11C168CDC2D5F74C2BEEA25637A |
SHA1: | 850126AB6E4157230C5FFC3A93CC94C3EDA0975A |
SHA-256: | 87920F454E599C8EE65E0F3F86BA5AB57473822CB516A507753D55CEA79412B9 |
SHA-512: | FD57DD4E26B1E020CD67AD7834870539DA41B2723377F846504D15ED2D326F14564513D23A596E0BFDD7848F6FDB61AAECF7F0345BF4AC56F4BE1A21556F9EA8 |
Malicious: | false |
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 22842 |
Entropy (8bit): | 2.691165226704503 |
Encrypted: | false |
SSDEEP: | 384:WHfXmxNkvIy6aQ+y57fZOKip2EuiP7Ecw8b:WHfWxNkvIy6axy57fAK82EuiP7Ecw8b |
MD5: | 27DC252D9E7B26BA6BF2C6D437997658 |
SHA1: | F81398F1F6FC24692BA8DF740CA2BF2AB73B27D6 |
SHA-256: | 530F4F75B62CB7E1B585671E4F184AC9C667FC4335CDA4120D27136E6F4F0100 |
SHA-512: | 473F5FED1BA3F62088A6ABE0D383EE9220DAABCB8524EFE8AC502B7503F4ACBA3DDAC69BBF1E046B5235C51129F2BF55F54C1D75285D7C5EE824C6DCA88D323D |
Malicious: | false |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\System.Reflection.TypeExtensions.dll
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 32368 |
Entropy (8bit): | 6.393948275188786 |
Encrypted: | false |
SSDEEP: | 384:yWweWqlXnYcLpSfX0lawccfNXLWrdzy+A2jc2EPLNtAf/uPHRN7AJ/AlGseC62c:EqlXYcgEAwcc17Wc+bj+PLHuMU/xjx2c |
MD5: | F2A123183E106BB1CF19376A8079D171 |
SHA1: | 2B96296BE92D5F2EF7C59A70858AF4CAABC99A9D |
SHA-256: | 896D4ED138C35ECF19AE432380096562872EAB103F7E352C15D214FD875B337A |
SHA-512: | FCA6A89EFB16780A06CD25A55638882970F03E1535180A0E463AF9794184B04EB345CF29B12D4F261094E04A584E9225A7AD36A62631227451059F64A77B3C67 |
Malicious: | false |
Antivirus: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\System.Reflection.Primitives.dll
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 14952 |
Entropy (8bit): | 6.599053939997928 |
Encrypted: | false |
SSDEEP: | 192:mrlnC6xxk2R5Ws+Wql73WOL8/pCuPHnhWgN7aoWTF6lI+XqnajlkEv:6nbW2R5Ws+Wql7//uPHRN7SIImlqW |
MD5: | EDA04E04EBC0EBF7F8BBF30C4DAE6DE3 |
SHA1: | 7BC4D50E6EEC7F04A9272BFEE4E4DB6F278DBE63 |
SHA-256: | F3E55CB3ADFA93F563B09114D93062E680AB0864C220491458FBE151798B862F |
SHA-512: | 7027DA3404675596B71394B660E600DA12C0750895F624776362167869760555EE9990699FFC9E4407301FC9437B2F638E2734B8BDEF3C7054990FD5A9C86550 |
Malicious: | false |
Antivirus: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\Talestrmmene.Unr
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 224632 |
Entropy (8bit): | 7.3469254146259635 |
Encrypted: | false |
SSDEEP: | 3072:WQyWMNv4aM4IqtUHXAxcNxBrQeb8hlosuRUVGiyKrFyPlWUUVkUiXPQW/NhrsPPR:IWEbtUAixGhlo2I+hyEUJXVFm0XQ |
MD5: | D2BE5DE19D44424CCB3F89510938FB53 |
SHA1: | B98E5FD30E1DE7437187787AFE48AD516223E01F |
SHA-256: | 0796783FC019D2AD4F01FF7AF14C24A9D3CFBAAB2BB9B44945231A46B6774D2B |
SHA-512: | 6E54E8C97F5A10921DAD011AAD9FBBA1D4D622CF78F4C977A366EF6C7C49B35552A6100BFAFCC4464B34B351CC200AD9EE12406DDE37FC96C2614BD24A5D0553 |
Malicious: | true |
Yara Hits: |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\battery-level-90-charging-symbolic.svg
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 6689 |
Entropy (8bit): | 5.135211840989561 |
Encrypted: | false |
SSDEEP: | 192:VkjcMIy2+X2I2F2C2G2fH7y8cQaVB2nnuy1FQOcQaVv2q22L2k2s:mjcM7u8xaV8nnL1FQOxaVu6 |
MD5: | C96D0DD361AFC6B812BDDD390B765A26 |
SHA1: | 71081F096719CAA70B9BAEF86FE642635D8E2765 |
SHA-256: | 6690799E5FA3FB0DD6CCE4BAC5AA1607C8A6BB16507854A87520C7DE53052E1B |
SHA-512: | 7C73BC880A9401C64AB0571957B414180C1B94137C7BC870BA602979E7A990640A37991CB87A40BC7E5942A37FDA25EFC58C759C00F4344BA3D88B9AA64182DA |
Malicious: | false |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\colorimeter-colorhug-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 227 |
Entropy (8bit): | 6.604776901672149 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysE9Xj1F/bkqdXujFErL4MImATQZu22F+p:6v/7kR7/bjd8Kgm2Q/2y |
MD5: | 7843C38CC42C6786B3373F166AF10172 |
SHA1: | BA0163109D9B641B1312230B3F62E1E10A61AA5E |
SHA-256: | E3AF1293F8E8AB5C81300196AF55A7C15D5608291D46A2B86D4255910A7D0E59 |
SHA-512: | B1D3DF6A0A8CACD729CD9A2FD5AB0F74ED611270FA172CDBEB13D46FA71DD5CC5540A2FBFDB6C3004E652D317C8FAD4EC3AE437DF1C082B629870A33CC6BD34F |
Malicious: | false |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\media-playlist-consecutive-symbolic.svg
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 1329 |
Entropy (8bit): | 4.950241534342892 |
Encrypted: | false |
SSDEEP: | 24:t4Cp/YHyKbRAecFxVrGDT/Gfd8hTdyKbRAecFxVrGDT/bNxNxZrGQ:9YHNtAecFmDT/s8hdNtAecFmDT/j3YQ |
MD5: | 021A9F00A28C9D496E490AE951E8EF12 |
SHA1: | F8A6392065D07BAC72E138B0E47A24FFDCCEE74B |
SHA-256: | B420561770B77FCB47F69B6198B34B11155535F8A2E907BC4A0998CE74AFD340 |
SHA-512: | 7F4F2D904EA968BF68E35E0D7F1EAE9718234757D1989879996BFB49D9C447F67544CB0E1C441FD6539D58B5F2C6ACA7E9E0208738C235D9AF0C093511760212 |
Malicious: | false |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\network-offline-symbolic.svg
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 1155 |
Entropy (8bit): | 5.154592341044034 |
Encrypted: | false |
SSDEEP: | 24:t4CpQyhEXQDWu4AeWrGMyRQJaPahrGDfJcghSvOqlIQX6e4AeWrGMyp:vhjDWu4Ae3M5wSgDDontqe4Ae3MO |
MD5: | EFB3C780BC44B346B50B1F0DC6CF6D0F |
SHA1: | 472B0EDD1C4C3092BC7C4DF934ABE126885B1780 |
SHA-256: | 990859D3B2C830E23EC276BF1D38A38EE1BA3D89BF04CB138107E4CDE31167B5 |
SHA-512: | 5B9C96F146C6A065C89172D02BDE8020876DC9C78859AD2B8B9529C615215F88BA85C2789544F5C5A247C148BB52FE4B5FCA325E7EAC4826D31A0365A0B8BCBE |
Malicious: | false |
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 891 |
Entropy (8bit): | 7.745720384539504 |
Encrypted: | false |
SSDEEP: | 24:d4qWCHdkXfUZEcO5MkIi416cOQSkye9V+:d4qnHd8MkIi4Dpb6 |
MD5: | 5AF147D26AD399F83825377F04FD56A1 |
SHA1: | B378A498B0DB8114C794E21D533E80CEBE5DDE04 |
SHA-256: | 6147A091847FCC9D9EDB22E655C4FC9DE6632C76D4252350400FA286F9791109 |
SHA-512: | EEC16DE49A4698FE4F03F841FBCF045FBBDC9D634EB73ED35DB544B6DB4BC0135CD8E1DF102FD1E8BDE9FC75380948B4C0459685EE2C21858D645B7973759EA6 |
Malicious: | false |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\preferences-desktop-font-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 225 |
Entropy (8bit): | 6.596645802250635 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysi5NuhsPwRngRfPq/3+phjSfVsup:6v/7thstJACSNsc |
MD5: | F894266AB6A933B2FDA751E6490C319A |
SHA1: | 2D2D3635198FEEFCB64D1D6B3CDCCDC4EA3DF4B0 |
SHA-256: | 95F533585B4C61936C369557B3B7E397E56545A4C9DB9A5BDDD0E9ABB7A7F7E7 |
SHA-512: | 977ED04753C3CB2B883D03A2A55001F6FCC8617DC3060B6C25AB7E5C691C3F76049E7DEADC7F6567AB7E8DC8492DE2874E8E632CF3EAD7B39ABC8CC98D331442 |
Malicious: | false |
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\task-due-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 263 |
Entropy (8bit): | 6.731374842054556 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysw9TXm0RZC/8xhbPgfdSwj4vw29OjuAO4+ZvYNVp:6v/7QVXm0a/8xhbPgfdSBvNYn2ZvYd |
MD5: | 003B524806C1CA654CAC6ED2EB883E1B |
SHA1: | F6F6ACA125DC4DB3B33378404017B5EE7D21D334 |
SHA-256: | 2899E53769FA741E2C0675A2C69D2C246A8F34601BEE58DD66B16261005962A9 |
SHA-512: | AA905997F9CE39F039E33C4CCA167C0137775D91B4929D918528BA00B92737C448EC46D91A4221644CCC00D1FCAA403AFF83F07276BAB6FD80D4B9E88E652F87 |
Malicious: | false |
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 337 |
Entropy (8bit): | 7.143668471552015 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPWFmX9Ckymx8BZhCjO5QO6MsHqd+K/eBDQeU2oG9xqgjp:6v/7K0omx8yOqVtHH1U2oGR |
MD5: | 7FBFE5B0A7AD2A67AACFD8481F8DCA01 |
SHA1: | 21BABB6B7EC4746835DB43DC6A69A4AF0EFECA2D |
SHA-256: | 0B4CD789E087F712F131FACCD754DC461774498DF3CA19B346D461D18A0AE622 |
SHA-512: | 3A8F0D9653301F789A0588E848C40FFC92394461BF70A3421ABC85647F2C115948134FE9E161D055A11D200536356A15677D9C0E645346D27E122001F67FE22B |
Malicious: | false |
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 4.496995234059773 |
Encrypted: | false |
SSDEEP: | 96:1IUNaXnnXyEIPtXvZhr5RwiULuxDtJ1+wolpE:1Ix3XyEwXvZh1RwnLUDtf+I |
MD5: | E8B67A37FB41D54A7EDA453309D45D97 |
SHA1: | 96BE9BF7A988D9CEA06150D57CD1DE19F1FEC19E |
SHA-256: | 2AD232BCCF4CA06CF13475AF87B510C5788AA790785FD50509BE483AFC0E0BCF |
SHA-512: | 20EFFAE18EEBB2DF90D3186A281FA9233A97998F226F7ADEAD0784FBC787FEEE419973962F8369D8822C1BBCDFB6E7948D9CA6086C9CF90190C8AB3EC97F4C38 |
Malicious: | false |
Antivirus: |
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.659384359264642 |
Encrypted: | false |
SSDEEP: | 192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz |
MD5: | 8B3830B9DBF87F84DDD3B26645FED3A0 |
SHA1: | 223BEF1F19E644A610A0877D01EADC9E28299509 |
SHA-256: | F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37 |
SHA-512: | D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03 |
Malicious: | false |
Antivirus: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 2097152 |
Entropy (8bit): | 4.51255552598015 |
Encrypted: | false |
SSDEEP: | 12288:fgvUY6/eee9WwB84iTd+vXlnFbSwv+JnxQ7SLj732JlCGzz4OragmcnYJe:fa9WwB84iTd+vXlnFGMB4OragmcnYJe |
MD5: | 20E6A7C010975532E296EAFC1D773515 |
SHA1: | 8812E42B1E2D5A5F1F50B10199474541DC543E2F |
SHA-256: | A246C551735C3E61750F03DD6002D232027BB37C1358EF70C539A7B7238586AE |
SHA-512: | BA5C5C6C87421158407A0BBCE253F89E861A439BB6A7AE244CAB077CAEB1C67BFA90C2B2714D6161B0CADF1BB5DFAB9C455015759B390F2894F33AD9B8064B02 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 376832 |
Entropy (8bit): | 2.6699792372502262 |
Encrypted: | false |
SSDEEP: | 3072:MS3DFIecejetVNqlWjai5sTBG2qDgebeOeF8DgebeOeDe3TKeme:MYSJevPqc6ns8c6nie3TKz |
MD5: | 0DB3DF965CE165E0BDB01BD97F87AB60 |
SHA1: | F551D0441A56D23A34BF1D0F854DB1AFFA2E0B7A |
SHA-256: | EF041A829B69554F81F0EADAD45AB37647D3BD4D7FF365C485A37863B084DFB8 |
SHA-512: | 7A3682900253113666604F1F95B96AA421E06A7319B617106450BB5E2791FA0A9E78F3E5D23FC923A922BB0B6F75620A54A4230ACAAC199728FAF9E3EEE9511E |
Malicious: | false |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Category: | dropped |
Size (bytes): | 164 |
Entropy (8bit): | 4.5750027080925975 |
Encrypted: | false |
SSDEEP: | 3:WNEDkFrA7fw3eqIusdHSdX7/fWmEdIOAlwV6EwqQLWFBaaafFa/Rv/naaaaqBcn:WsTbtyxkKO+dZWF7afFoRHRaaqBc |
MD5: | 8D14AB4128F9BFE3E4F5F9B160BBFFE7 |
SHA1: | 7EA846DF04D4120A819DB47723C716BF2610E5CD |
SHA-256: | 91D7EA682DB129FD33DA04168DB3BFCA08EA8B6CB0533C559E0ADC0DA5BD56E8 |
SHA-512: | BF72FC0F59202B09E92961CE6C6CF21D3BBBB22AAA6B0A6B3FFBA2392362BF30A6B874A6CBBF6D11F06975CDDDBDB247053222D34D4F24055E50C0AFC9802E65 |
Malicious: | false |
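The dropped-file inventory above is easier to reason about as a triage pass than as a list of hashes. The Python below is an added example and is not part of the Joe Sandbox report; it transcribes a subset of the entries (path, writing process, size, reported 8-bit entropy, reported verdict) as constructed records and sorts them into four buckets: high-entropy non-PE files large enough to hold an encrypted loader stage, small icon-theme resources that pad the installer and dilute static scans, PE modules the sample wrote into its own per-run Temp tree, and files written by WerFault (the AppCrash_caspol.exe report name ties the crash to the CasPol.exe child). The thresholds (7.0 bits, 64 KiB, 16 KiB), the bucket names and the `<unnamed>` placeholder for entries whose path the report does not show are the author's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Dropped:
    """One row of the dropped-file inventory, as the report presents it."""
    path: Optional[str]   # None where the report shows no path
    process: str          # process that wrote the file
    size: int             # bytes
    entropy: float        # 8-bit Shannon entropy as reported
    malicious: bool       # the report's own verdict


SAMPLE = r"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
TEMP_DIR = r"C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated"
DEEP_DIR = TEMP_DIR + r"\antiphthisical\Primar\Cunicular\Densimetric"

# Constructed subset of the entries listed above (values copied from the report).
DROPPED: List[Dropped] = [
    Dropped(r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_caspol.exe_c9831a337d3627d9a81a22112d1a4918180c9e2_ea830a9b_d3bd527c-2f90-4458-9cd4-e1517201fb0e\Report.wer",
            WERFAULT, 65536, 1.2413907368074433, False),
    Dropped(TEMP_DIR + r"\System.Reflection.TypeExtensions.dll", SAMPLE, 32368, 6.393948275188786, False),
    Dropped(DEEP_DIR + r"\System.Reflection.Primitives.dll", SAMPLE, 14952, 6.599053939997928, False),
    Dropped(DEEP_DIR + r"\Talestrmmene.Unr", SAMPLE, 224632, 7.3469254146259635, True),
    Dropped(TEMP_DIR + r"\battery-level-90-charging-symbolic.svg", SAMPLE, 6689, 5.135211840989561, False),
    Dropped(TEMP_DIR + r"\colorimeter-colorhug-symbolic.symbolic.png", SAMPLE, 227, 6.604776901672149, False),
    Dropped(None, SAMPLE, 891, 7.745720384539504, False),
    Dropped(None, CASPOL, 164, 4.5750027080925975, False),
]

PE_EXT = (".exe", ".dll")
DECOY_EXT = (".svg", ".png")


def name_of(d: Dropped) -> str:
    return d.path.rsplit("\\", 1)[-1] if d.path else "<unnamed>"


def ext_of(d: Dropped) -> str:
    name = name_of(d).lower()
    return name[name.rfind("."):] if "." in name else ""


def payload_candidates(records, min_entropy=7.0, min_size=64 * 1024):
    """High-entropy, non-PE files big enough to hold an encrypted loader stage.
    Thresholds are assumptions; tiny high-entropy files (compressed PNGs) drop out on size."""
    return [d for d in records
            if d.entropy >= min_entropy and d.size >= min_size and ext_of(d) not in PE_EXT]


def decoy_candidates(records, max_size=16 * 1024):
    """Small icon-theme resources: filler that pads an installer and dilutes static scans."""
    return [d for d in records if ext_of(d) in DECOY_EXT and d.size <= max_size]


def staged_modules(records):
    """PE files the sample itself wrote into its per-run Temp tree."""
    return [d for d in records
            if d.path and d.path.lower().startswith(TEMP_DIR.lower()) and ext_of(d) in PE_EXT]


def crash_artifacts(records):
    """Files written by WerFault: evidence that a process in the tree crashed."""
    return [d for d in records if d.process.lower().endswith("werfault.exe")]


def triage(records) -> Dict[str, List[str]]:
    return {
        "payload": [name_of(d) for d in payload_candidates(records)],
        "decoys": [name_of(d) for d in decoy_candidates(records)],
        "staged_pe": [name_of(d) for d in staged_modules(records)],
        "crash": [name_of(d) for d in crash_artifacts(records)],
        "reported_malicious": [name_of(d) for d in records if d.malicious],
    }


if __name__ == "__main__":
    for bucket, names in triage(DROPPED).items():
        print(f"{bucket:>18}: {', '.join(names) or '-'}")
```

On the records above the only payload candidate is Talestrmmene.Unr, which is also the only file the report itself marks malicious; lowering the size floor to zero would additionally pull in the unnamed 891-byte file whose entropy (7.75) is high only because it is a small compressed image, which is why the size cut matters.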
Entropy (8bit): | 7.02530526585537 |
File name: | rFACTURA_FAC_2023_1-1000733.PDF.exe |
File size: | 431872 |
MD5: | a6ef5ed777ba7369c2bb28e46b198ba6 |
SHA1: | f707bc0343f41d95f57e776a9f85f6a2c5791aa7 |
SHA256: | 878d710875b07ec61bef0b198ba67bf81ad0730a3a483d5762cd18e13fb4b525 |
SHA512: | 3b0bbbf4199dfc669a75a8fb62cfa55423e2331358f43057219ee2a4099cc9c2b007d85b2cb1b6cd9c64d8d8421575690bed95556ca788cf13d6a53c96b3a2eb |
SSDEEP: | 6144:B6bAcJvkzKmPPzS58G93IuZCBabjYBNwmlJ8kUEe/oqBaH0NxsvLg/nkrIak7r8m:a7ubCHICiwkBySs/vBGwxs0vh7rXN |
TLSH: | B194F161BFDBE857D02278B4A09ADE1E5E74EF14A249E307F3B139ACE5752513C1B202 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....uY.................d....:.... |
Icon Hash: | 20c4f8f8e8f0f24c |
Entrypoint: | 0x403350 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x59759518 [Mon Jul 24 06:35:04 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b34f154ec913d2d2c435cbd644e91687 |
Signature Valid: | false |
Signature Issuer: | E=Giordano@Agencies.ano, OU="Desidiose Haarvkstens ", O=Percussion, L=Mccomb, S=Mississippi, C=US |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Version: | 3 |
Thumbprint MD5: | B7600E9E947B9005922C17012BBF815F |
Thumbprint SHA-1: | F61732487D62043541218B18386BFA3513D9C7CF |
Thumbprint SHA-256: | C6510EBAF8763805CB5E0AAB32A94AEEFD9E39180B9A6D5F85E0272807031574 |
Serial: | 1B9B07C3A599FD0DBF3CF80F5B8149857D2F3BA7 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A2E0h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080A8h] |
call dword ptr [004080A4h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [007A8A2Ch], eax |
je 00007F7B10C23313h |
push ebx |
call 00007F7B10C265A9h |
cmp eax, ebx |
je 00007F7B10C23309h |
push 00000C00h |
call eax |
mov esi, 004082B0h |
push esi |
call 00007F7B10C26523h |
push esi |
call dword ptr [00408150h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007F7B10C232ECh |
push 0000000Ah |
call 00007F7B10C2657Ch |
push 00000008h |
call 00007F7B10C26575h |
push 00000006h |
mov dword ptr [007A8A24h], eax |
call 00007F7B10C26569h |
cmp eax, ebx |
je 00007F7B10C23311h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F7B10C23309h |
or byte ptr [007A8A2Fh], 00000040h |
push ebp |
call dword ptr [00408044h] |
push ebx |
call dword ptr [004082A0h] |
mov dword ptr [007A8AF8h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 0079FEE0h |
call dword ptr [00408188h] |
push 0040A2C8h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d0000 | 0x28268 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x67500 | 0x2200 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x63c8 | 0x6400 | False | 0.6766015625 | data | 6.504099201068482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x138e | 0x1400 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x39eb38 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x3a9000 | 0x27000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3d0000 | 0x28268 | 0x28400 | False | 0.3355129076086957 | data | 4.767250735975199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x3d0310 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States |
RT_ICON | 0x3e0b38 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States |
RT_ICON | 0x3e9fe0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 | English | United States |
RT_ICON | 0x3ef468 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States |
RT_ICON | 0x3f3690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States |
RT_ICON | 0x3f5c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States |
RT_ICON | 0x3f6ce0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States |
RT_ICON | 0x3f7668 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States |
RT_DIALOG | 0x3f7ad0 | 0x100 | data | English | United States |
RT_DIALOG | 0x3f7bd0 | 0xf8 | data | English | United States |
RT_DIALOG | 0x3f7cc8 | 0xa0 | data | English | United States |
RT_DIALOG | 0x3f7d68 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x3f7dc8 | 0x76 | data | English | United States |
RT_MANIFEST | 0x3f7e40 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
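Several of the static facts tabulated above contradict each other in ways worth checking mechanically. The Python below is an added example, not part of the Joe Sandbox report; every input is transcribed from the header, section and data-directory tables, nothing is read from the sample, and the 0x400 header size, the 16x inflation ratio and the extension lists are the author's assumptions. It shows that `.data` claims about 3.7 MB of virtual size from 0x600 bytes on disk, that `DYNAMIC_BASE` is set while `RELOCS_STRIPPED` is also set and the base-relocation directory is empty (so the loader has nothing to rebase with and the image will sit at 0x400000), that the Authenticode blob at 0x67500 ends exactly at the 431872-byte file end, that about 225 KB of overlay sits between the last section and that blob (the `.ndata` section and the KERNEL32/SHELL32 import set are typical of an NSIS stub, whose archive is appended as overlay), and that the file name pairs a document extension with an executable one.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    raw_size: int
    flags: FrozenSet[str]


# Transcribed from the section table above (IMAGE_SCN_ prefix dropped).
SECTIONS: List[Section] = [
    Section(".text", 0x63C8, 0x6400, frozenset({"CNT_CODE", "MEM_EXECUTE", "MEM_READ"})),
    Section(".rdata", 0x138E, 0x1400, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".data", 0x39EB38, 0x600, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".ndata", 0x27000, 0x0, frozenset({"CNT_UNINITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".rsrc", 0x28268, 0x28400, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
]
FILE_SIZE = 431872
FILE_NAME = "rFACTURA_FAC_2023_1-1000733.PDF.exe"
FILE_CHARACTERISTICS = frozenset({"RELOCS_STRIPPED", "EXECUTABLE_IMAGE", "LINE_NUMS_STRIPPED",
                                  "LOCAL_SYMS_STRIPPED", "32BIT_MACHINE"})
DLL_CHARACTERISTICS = frozenset({"DYNAMIC_BASE", "NX_COMPAT", "NO_SEH", "TERMINAL_SERVER_AWARE"})
BASERELOC: Tuple[int, int] = (0x0, 0x0)        # IMAGE_DIRECTORY_ENTRY_BASERELOC (RVA, size)
SECURITY: Tuple[int, int] = (0x67500, 0x2200)  # IMAGE_DIRECTORY_ENTRY_SECURITY (file offset, size)
SIGNATURE_VALID = False                        # "Signature Valid: false" in the report
HEADERS_SIZE = 0x400  # assumption: SizeOfHeaders is not in the report; 0x400 is the common value


def inflated_sections(sections, ratio=16):
    """Initialized-data sections whose in-memory size dwarfs their bytes on disk.
    BSS-style sections (CNT_UNINITIALIZED_DATA, raw size 0) are legitimately like that and are skipped."""
    return [s.name for s in sections
            if "CNT_INITIALIZED_DATA" in s.flags and s.raw_size > 0
            and s.virtual_size > ratio * s.raw_size]


def aslr_effective(dll_chars, file_chars, basereloc):
    """DYNAMIC_BASE is only a request; without a relocation table the loader cannot rebase the image."""
    return ("DYNAMIC_BASE" in dll_chars and "RELOCS_STRIPPED" not in file_chars
            and basereloc[1] > 0)


def signature_state(security, valid):
    if security[1] == 0:
        return "unsigned"
    return "present, chain trusted" if valid else "present, chain not trusted"


def signature_at_eof(file_size, security):
    """Authenticode blobs are appended; offset + size should land exactly on EOF."""
    offset, size = security
    return size > 0 and offset + size == file_size


def overlay_size(sections, security, headers_size=HEADERS_SIZE):
    """Bytes between the end of the last section's raw data and the signature blob.
    Assumes sections are packed back to back after the headers, as file alignment normally leaves them."""
    mapped = headers_size + sum(s.raw_size for s in sections)
    return security[0] - mapped


def double_extension(name, doc_exts=(".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"),
                     exec_exts=(".exe", ".scr", ".com", ".pif", ".bat")):
    """'invoice.PDF.exe' style names: a document extension immediately before an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in doc_exts and "." + parts[2] in exec_exts


def triage() -> Dict[str, object]:
    return {
        "inflated_sections": inflated_sections(SECTIONS),
        "aslr_effective": aslr_effective(DLL_CHARACTERISTICS, FILE_CHARACTERISTICS, BASERELOC),
        "signature": signature_state(SECURITY, SIGNATURE_VALID),
        "signature_at_eof": signature_at_eof(FILE_SIZE, SECURITY),
        "overlay_bytes": overlay_size(SECTIONS, SECURITY),
        "double_extension": double_extension(FILE_NAME),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:>18}: {value}")
```

The overlay figure (225024 bytes under the 0x400 header assumption) is the number to compare against the sizes of the dropped files once the archive is unpacked; the signature check is deliberately split into "present" and "trusted" because a self-issued certificate like the one listed above is enough to make some tooling report the file as signed.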
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
03/20/23-11:06:12.385242 | TCP | 2039190 | ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49801 | 80 | 192.168.11.20 | 132.226.8.169 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 20, 2023 11:06:09.958184958 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:09.958285093 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:09.958506107 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:09.984272957 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:09.984397888 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.045090914 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.045358896 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:10.047038078 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.047301054 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:10.179662943 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:10.179781914 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.181099892 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.181324959 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:10.186059952 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:10.228410006 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.607240915 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.607516050 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:10.607625961 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.607702971 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.607809067 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:10.607871056 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:10.608670950 CET | 49799 | 443 | 192.168.11.20 | 142.250.181.238 |
Mar 20, 2023 11:06:10.608751059 CET | 443 | 49799 | 142.250.181.238 | 192.168.11.20 |
Mar 20, 2023 11:06:10.719572067 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.719638109 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.719877005 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.721764088 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.721791029 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.784081936 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.784686089 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.786132097 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.786376953 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.789782047 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.789808035 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.790358067 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.790604115 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.790844917 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.832494974 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.990123034 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.990459919 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.990459919 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.990549088 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.990758896 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.990837097 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.990875006 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.991152048 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.991658926 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.991830111 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.991830111 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.991880894 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.992635965 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.992887974 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.992938995 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.993135929 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.994764090 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.994924068 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.994976044 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.995349884 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.997493029 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.997740030 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.998691082 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.998888016 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.998948097 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.999191999 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.999248028 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.999530077 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.999576092 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.999773979 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:10.999778986 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:10.999816895 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.000003099 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.000003099 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.000072956 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.000294924 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.000356913 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.000560999 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.000607014 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.000802040 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.000852108 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.001095057 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.001132965 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.001480103 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.001739979 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.001935959 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.001996994 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.002201080 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.002250910 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.002553940 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.002605915 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.002842903 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.002895117 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.002944946 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.003164053 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.003164053 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.003472090 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.003706932 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.003756046 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.003926992 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.003973961 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.004225969 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.004287958 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.004504919 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.004558086 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.004844904 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.004889965 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.005086899 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.005131960 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.005325079 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.005346060 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.005374908 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.005662918 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.005707026 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.005911112 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.006064892 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.006263018 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.006319046 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.006515026 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.006548882 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.006783962 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.007283926 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.007477045 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.007622957 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.007813931 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.007875919 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.008069992 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.008122921 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.008375883 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.008418083 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.008717060 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.008717060 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.008760929 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.008966923 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.008966923 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.009032011 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.009248972 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.009293079 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.009495020 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.009530067 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.009718895 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.009747028 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.009774923 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.010253906 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.010339022 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.010365009 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.010704994 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.010751009 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.010998964 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.011044979 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.011240005 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.011281013 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.011472940 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.011516094 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.011707067 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.011749029 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.011842966 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.011940956 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.012042046 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.012132883 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.012378931 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.012430906 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.012626886 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.012676001 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.012883902 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.012928963 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.013228893 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.013277054 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.013524055 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.013561964 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.013585091 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.013691902 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.013866901 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.013951063 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.014199972 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.014246941 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.014517069 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.014544964 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.014569044 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.014859915 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.014909983 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.015132904 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.015185118 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.015444994 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.015496016 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.015521049 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.015786886 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.015888929 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.016124010 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.016177893 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.016382933 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.016438961 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.016720057 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.016772032 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.016971111 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.017024040 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.017077923 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.017189980 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.017318010 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.017360926 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.017416954 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.017550945 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.017680883 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.017692089 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.017734051 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.017898083 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.017986059 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.018024921 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.018220901 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.018240929 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.018290997 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.018436909 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.018604994 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.018654108 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.018819094 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.018861055 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.019040108 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.019073963 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.019124031 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.019321918 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.019366026 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.019397020 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.019431114 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.019659996 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.019710064 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.019920111 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.019932032 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.019980907 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.020198107 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.020242929 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.020272970 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.020441055 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.020483971 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.020680904 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.020755053 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.020803928 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.020924091 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.021091938 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.021136045 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.021337986 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.021384954 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.021435976 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.021657944 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.021657944 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.021733999 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.021912098 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.021913052 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:11.021965027 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.021989107 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.228352070 CET | 443 | 49800 | 142.250.185.193 | 192.168.11.20 |
Mar 20, 2023 11:06:11.228471994 CET | 49800 | 443 | 192.168.11.20 | 142.250.185.193 |
Mar 20, 2023 11:06:12.093276024 CET | 49801 | 80 | 192.168.11.20 | 132.226.8.169 |
Mar 20, 2023 11:06:12.384478092 CET | 80 | 49801 | 132.226.8.169 | 192.168.11.20 |
Mar 20, 2023 11:06:12.384699106 CET | 49801 | 80 | 192.168.11.20 | 132.226.8.169 |
Mar 20, 2023 11:06:12.385241985 CET | 49801 | 80 | 192.168.11.20 | 132.226.8.169 |
Mar 20, 2023 11:06:12.676125050 CET | 80 | 49801 | 132.226.8.169 | 192.168.11.20 |
Mar 20, 2023 11:06:12.676901102 CET | 80 | 49801 | 132.226.8.169 | 192.168.11.20 |
Mar 20, 2023 11:06:12.728343964 CET | 49801 | 80 | 192.168.11.20 | 132.226.8.169 |
Mar 20, 2023 11:07:00.280949116 CET | 49801 | 80 | 192.168.11.20 | 132.226.8.169 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 20, 2023 11:06:09.935673952 CET | 55851 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 20, 2023 11:06:09.945154905 CET | 53 | 55851 | 1.1.1.1 | 192.168.11.20 |
Mar 20, 2023 11:06:10.684120893 CET | 52547 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 20, 2023 11:06:10.718591928 CET | 53 | 52547 | 1.1.1.1 | 192.168.11.20 |
Mar 20, 2023 11:06:12.076256037 CET | 63331 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 20, 2023 11:06:12.085616112 CET | 53 | 63331 | 1.1.1.1 | 192.168.11.20 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 20, 2023 11:06:09.935673952 CET | 192.168.11.20 | 1.1.1.1 | 0x6c07 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 20, 2023 11:06:10.684120893 CET | 192.168.11.20 | 1.1.1.1 | 0x372d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 20, 2023 11:06:12.076256037 CET | 192.168.11.20 | 1.1.1.1 | 0x58b7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 20, 2023 11:06:09.945154905 CET | 1.1.1.1 | 192.168.11.20 | 0x6c07 | No error (0) | | | 142.250.181.238 | A (IP address) | IN (0x0001) | false |
Mar 20, 2023 11:06:10.718591928 CET | 1.1.1.1 | 192.168.11.20 | 0x372d | No error (0) | | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 20, 2023 11:06:10.718591928 CET | 1.1.1.1 | 192.168.11.20 | 0x372d | No error (0) | | | 142.250.185.193 | A (IP address) | IN (0x0001) | false |
Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | | | 132.226.8.169 | A (IP address) | IN (0x0001) | false |
Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | | | 158.101.44.242 | A (IP address) | IN (0x0001) | false |
Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | | | 193.122.6.168 | A (IP address) | IN (0x0001) | false |
Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | | | 193.122.130.0 | A (IP address) | IN (0x0001) | false |
Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | | | 132.226.247.73 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49799 | 142.250.181.238 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.11.20 | 49800 | 142.250.185.193 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.11.20 | 49801 | 132.226.8.169 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Mar 20, 2023 11:06:12.385241985 CET | 368 | OUT | |
Mar 20, 2023 11:06:12.676901102 CET | 368 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49799 | 142.250.181.238 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2023-03-20 10:06:10 UTC | 0 | OUT | |
2023-03-20 10:06:10 UTC | 0 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.11.20 | 49800 | 142.250.185.193 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2023-03-20 10:06:10 UTC | 1 | OUT | |
2023-03-20 10:06:10 UTC | 2 | IN | |