Windows Analysis Report
Copy10330520PDF.exe

Overview

General Information

Sample name: Copy10330520PDF.exe
Analysis ID: 1526379
MD5: 54ce77b9385fd7750d737f5af323ab34
SHA1: 01d494636d190d2b42e5edd1660b92519fcfeee4
SHA256: b441b07b39a642c7298e1127c9daf37ef9c1492148997a7f7e83fda9fcb908b1
Tags: exe, user-abuse_ch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • Copy10330520PDF.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\Copy10330520PDF.exe" MD5: 54CE77B9385FD7750D737F5AF323AB34)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Copy10330520PDF.exe | Avira: detected
Source: http://98.142.254.109 | Virustotal: Detection: 5%
Source: Copy10330520PDF.exe | Virustotal: Detection: 60%
Source: Copy10330520PDF.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: Copy10330520PDF.exe | Joe Sandbox ML: detected
Source: Copy10330520PDF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Copy10330520PDF.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | HTTP traffic detected: GET /ii/Kpcwtduh.mp4 HTTP/1.1 | Host: 98.142.254.109 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 98.142.254.109
Source: unknown | TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://98.142.254.109
Source: Copy10330520PDF.exe | String found in binary or memory: http://98.142.254.109/ii/Kpcwtduh.mp4
Source: Copy10330520PDF.exe, 00000000.00000002.3844212648.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://98.142.254.109/ii/Kpcwtduh.mp40
Source: Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://98.142.254.109/ii/Kpcwtduh.mp4P
Source: Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://98.142.254.109/ii/Kpcwtduh.mp4t
Source: Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E1A000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://98.142.254.109D
Source: Copy10330520PDF.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Copy10330520PDF.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Copy10330520PDF.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Copy10330520PDF.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Copy10330520PDF.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Copy10330520PDF.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Copy10330520PDF.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Copy10330520PDF.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Copy10330520PDF.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: Copy10330520PDF.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: Copy10330520PDF.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Copy10330520PDF.exe | String found in binary or memory: http://s.symcd.com06
Source: Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Copy10330520PDF.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Copy10330520PDF.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Copy10330520PDF.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Copy10330520PDF.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Copy10330520PDF.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Copy10330520PDF.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Copy10330520PDF.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: Copy10330520PDF.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: Copy10330520PDF.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: Copy10330520PDF.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Process Stats: CPU usage > 49%
Source: Copy10330520PDF.exe | Static PE information: invalid certificate
Source: Copy10330520PDF.exe, 00000000.00000000.1380245091.0000000000964000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBjsox.exeD vs Copy10330520PDF.exe
Source: Copy10330520PDF.exe, 00000000.00000002.3844212648.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Copy10330520PDF.exe
Source: Copy10330520PDF.exe | Binary or memory string: OriginalFilenameBjsox.exeD vs Copy10330520PDF.exe
Source: classification engine | Classification label: mal76.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Mutant created: NULL
Source: Copy10330520PDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Copy10330520PDF.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Copy10330520PDF.exe | Virustotal: Detection: 60%
Source: Copy10330520PDF.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Section loaded: ondemandconnroutehelper.dll
Source: Copy10330520PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: Copy10330520PDF.exe, Program.cs | .Net Code: A System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Memory allocated: 12E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Memory allocated: 2D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Window / User API: threadDelayed 2147
Source: C:\Users\user\Desktop\Copy10330520PDF.exe | Window / User API: threadDelayed 7709
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7552 | Thread sleep count: 2147 > 30
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7552 | Thread sleep count: 7709 > 30
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -99871s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -98883s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -98780s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -98301s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -98186s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -97989s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -97754s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -97615s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -97489s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -97374s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -97265s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -96937s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -96828s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -96718s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -96499s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -96171s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -96062s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -95843s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -95734s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -95624s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -95515s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -95406s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -95296s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -95187s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -95078s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -94968s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -94859s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -94749s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -94639s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -94492s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exe TID: 7520 | Thread sleep time: -94361s >= -30000s
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 100000Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 99871Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 99765Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 99656Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 99546Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 99437Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 99328Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 99218Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 99109Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 99000Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 98883Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 98780Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 98671Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 98562Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 98301Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 98186Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 97989Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 97754Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 97615Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 97489Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 97374Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 97265Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 97156Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 97046Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 96937Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 96828Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 96718Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 96609Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 96499Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 96390Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 96281Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 96171Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 96062Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 95953Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 95843Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 95734Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 95624Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 95515Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 95406Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 95296Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 95187Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 95078Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 94968Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 94859Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 94749Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 94639Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 94492Jump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeThread delayed: delay time: 94361Jump to behavior
Source: Copy10330520PDF.exe, 00000000.00000002.3844212648.0000000000FCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: C:\Users\user\Desktop\Copy10330520PDF.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeQueries volume information: C:\Users\user\Desktop\Copy10330520PDF.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Copy10330520PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (one line per tactic; bracketed numbers are the per-technique counts shown in the report's matrix)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1); Ingress Tool Transfer (1); Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Source | Detection | Scanner | Label
Copy10330520PDF.exe | 60% | Virustotal |
Copy10330520PDF.exe | 63% | ReversingLabs | Win32.Trojan.Jalapeno
Copy10330520PDF.exe | 100% | Avira | TR/Dldr.Agent.cgqfz
Copy10330520PDF.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://98.142.254.109 | 5% | Virustotal |
http://98.142.254.109/ii/Kpcwtduh.mp4 | 1% | Virustotal |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://98.142.254.109/ii/Kpcwtduh.mp4 | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://98.142.254.109 | Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E26000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | Copy10330520PDF.exe | false | URL Reputation: safe; URL Reputation: safe | unknown
http://98.142.254.109/ii/Kpcwtduh.mp4t | Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://98.142.254.109D | Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E1A000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E26000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://98.142.254.109/ii/Kpcwtduh.mp40 | Copy10330520PDF.exe, 00000000.00000002.3844212648.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://98.142.254.109/ii/Kpcwtduh.mp4P | Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E26000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://ocsp.thawte.com0 | Copy10330520PDF.exe | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
98.142.254.109 | unknown | Canada | 30407 | VELCOMCA | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1526379
Start date and time: 2024-10-05 14:36:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Copy10330520PDF.exe
Detection: MAL
Classification: mal76.evad.winEXE@1/0@0/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 11
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for currently running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Copy10330520PDF.exe, PID 7488 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
08:37:20 | API Interceptor | 10383603x Sleep call for process: Copy10330520PDF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
98.142.254.109 | IMG_579710265.exe | malicious | AgentTesla, PureLog Stealer | 98.142.254.109/rr/Pmhjlkp.dat
98.142.254.109 | Doc1504210_56507_030.exe | malicious | Unknown | 98.142.254.109/ii/Wucmqwi.mp3
98.142.254.109 | Doc1504210_56507_030.exe | malicious | Unknown | 98.142.254.109/ii/Wucmqwi.mp3
98.142.254.109 | IMG_011160528.exe | malicious | AgentTesla, PureLog Stealer | 98.142.254.109/rr/Zcatewwlf.vdf
98.142.254.109 | IMG79600253.exe | malicious | Azorult, PureLog Stealer | 98.142.254.109/rr/Xnssdolht.mp3
98.142.254.109 | SecuriteInfo.com.Program.Unwanted.4610.18191.4524.exe | malicious | AgentTesla, PureLog Stealer | 98.142.254.109/rr/Czyhiwuzcb.dat
98.142.254.109 | Copy#1905208.exe | malicious | AgentTesla, PureLog Stealer | 98.142.254.109/ii/Cgpubn.wav
98.142.254.109 | Copy00106258873.exe | malicious | AgentTesla, AsyncRAT, PureLog Stealer | 98.142.254.109/ii/Bmqsvcj.mp3
98.142.254.109 | Receipt05012PDF.exe | malicious | AgentTesla, PureLog Stealer | 98.142.254.109/ii/Ytqsos.dat
98.142.254.109 | Copy#501326617.exe | malicious | AgentTesla, PureLog Stealer | 98.142.254.109/ii/Bnmlsytdwby.mp3
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VELCOMCA | MGJBbT28p7.ps1 | malicious | PureLog Stealer, XWorm | 104.234.204.76
VELCOMCA | 670un9Ls5U.vbs | malicious | XWorm | 104.234.204.76
VELCOMCA | LCfvMBneAT.ps1 | malicious | PureLog Stealer, XWorm | 104.234.204.76
VELCOMCA | NxyRj26Cuc.ps1 | malicious | XWorm | 104.234.204.76
VELCOMCA | Document-660117765723.wsf | malicious | XWorm | 104.234.204.76
VELCOMCA | Document-660107592844.wsf | malicious | XWorm | 104.234.204.76
VELCOMCA | hhs.exe | malicious | Unknown | 104.234.25.56
VELCOMCA | sora.arm7.elf | malicious | Mirai | 104.234.98.121
VELCOMCA | 93aa308ad98dbf7a242ff3d06c2ba50ece83cbf909a17.exe | malicious | AsyncRAT | 104.234.195.153
VELCOMCA | IMG_579710265.exe | malicious | AgentTesla, PureLog Stealer | 98.142.254.109
No context
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.389714080267563
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Copy10330520PDF.exe
File size: 210'808 bytes
MD5: 54ce77b9385fd7750d737f5af323ab34
SHA1: 01d494636d190d2b42e5edd1660b92519fcfeee4
SHA256: b441b07b39a642c7298e1127c9daf37ef9c1492148997a7f7e83fda9fcb908b1
SHA512: 583b269187a1f37ad78bf249cbab660936f1fdb49ebb3a5f2a97a9cbcb9acbe7dfc62f6125452056028385ffc4e3d3a5e2ece8acca6c3b2cfd491ffcc2a8486c
SSDEEP: 3072:8SNnCDDRvLGprOAOkGt6+duWA/t/SHUebbxCbGgKk12qk/FPYm21KLbDoUssNXNf:lstvLGcxLbMUMK2aH
TLSH: E32495823145DCDAE44329F258AFD57060787D9E8164CA0E3743BF2BA5E734234AB79E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.Af............................v-... ...@....@.. .......................`............`................................
Icon Hash: 929296929e9e8e73
Entrypoint: 0x402d76
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6641EC44 [Mon May 13 10:32:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 07/06/2019 20:00:00 11/06/2021 08:00:00
Subject Chain:
• CN=PDFescape, O=PDFescape, L=Encinitas, S=California, C=US
Version: 3
Thumbprint MD5: 36083DDD2C0C94D360522774BEDA31E2
Thumbprint SHA-1: B140BCEDA70D6A6C48C4258CC83F4ECCC96845C8
Thumbprint SHA-256: B12E1F90FEB1A204409F736836E7BA7F078E40B3A809A73BAC08AEB658627610
Serial: 06E2870844B5FE917E3498FD2526FBCD
          Instruction
          jmp dword ptr [00402D84h]
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          pop eax
          sub eax, 00000000h
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d28 | 0x4c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x2f138 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x30400 | 0x3378 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x34000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2d84 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd8c | 0xe00 | e4738721ae1698fdf39276befc1b257c | False | 0.572265625 | data | 5.358886655144447 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x2f138 | 0x2f200 | e6489a3a552faa571cdce7b009f75f58 | False | 0.36277354111405835 | data | 6.232437818854463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x34000 | 0xc | 0x200 | c9496af86561940884ad7aad5bf0870d | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4200 | 0x709e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9976066597294485
RT_ICON | 0xb2ae | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.17033893292322252
RT_ICON | 0x1bae6 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.271415808282531
RT_ICON | 0x24f9e | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.3012014787430684
RT_ICON | 0x2a436 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.28259329239489844
RT_ICON | 0x2e66e | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.38558091286307056
RT_ICON | 0x30c26 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.4598968105065666
RT_ICON | 0x31cde | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.5704918032786885
RT_ICON | 0x32676 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.6631205673758865
RT_GROUP_ICON | 0x32aee | 0x84 | data | | | 0.7272727272727273
RT_VERSION | 0x32b82 | 0x3bc | data | | | 0.41527196652719667
RT_MANIFEST | 0x32f4e | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 5, 2024 14:37:21.576886892 CEST | 49752 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:37:21.582194090 CEST | 80 | 49752 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:37:21.582278013 CEST | 49752 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:37:21.582897902 CEST | 49752 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:37:21.589250088 CEST | 80 | 49752 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:37:42.952194929 CEST | 80 | 49752 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:37:42.952306986 CEST | 49752 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:37:43.053154945 CEST | 49752 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:37:43.054918051 CEST | 49878 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:37:43.057945967 CEST | 80 | 49752 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:37:43.059745073 CEST | 80 | 49878 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:37:43.059812069 CEST | 49878 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:37:43.062901020 CEST | 49878 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:37:43.067727089 CEST | 80 | 49878 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:04.421758890 CEST | 80 | 49878 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:04.421823025 CEST | 49878 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:04.435343027 CEST | 49878 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:04.440263033 CEST | 80 | 49878 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:04.478550911 CEST | 49982 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:04.483460903 CEST | 80 | 49982 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:04.483540058 CEST | 49982 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:04.486705065 CEST | 49982 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:04.491580009 CEST | 80 | 49982 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:25.842906952 CEST | 80 | 49982 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:25.842993975 CEST | 49982 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:25.843646049 CEST | 49982 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:25.844901085 CEST | 49984 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:25.848515034 CEST | 80 | 49982 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:25.849718094 CEST | 80 | 49984 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:25.849812984 CEST | 49984 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:25.850115061 CEST | 49984 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:25.855034113 CEST | 80 | 49984 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:47.221303940 CEST | 80 | 49984 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:47.221398115 CEST | 49984 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:47.231929064 CEST | 49984 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:47.236809969 CEST | 80 | 49984 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:47.251907110 CEST | 49985 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:47.256880045 CEST | 80 | 49985 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:47.256953001 CEST | 49985 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:47.257153034 CEST | 49985 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:47.261945963 CEST | 80 | 49985 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:55.764424086 CEST | 49985 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:55.768353939 CEST | 49986 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:55.774260044 CEST | 80 | 49986 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:55.774372101 CEST | 49986 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:55.774677992 CEST | 49986 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:38:55.780431986 CEST | 80 | 49986 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:38:55.810106039 CEST | 80 | 49985 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:05.514101982 CEST | 49986 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:05.514930010 CEST | 49987 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:05.519712925 CEST | 80 | 49987 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:05.519798040 CEST | 49987 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:05.519922018 CEST | 49987 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:05.524688959 CEST | 80 | 49987 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:05.562215090 CEST | 80 | 49986 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:08.640451908 CEST | 80 | 49985 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:08.640628099 CEST | 49985 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:15.326976061 CEST | 49987 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:15.327951908 CEST | 49988 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:15.332782030 CEST | 80 | 49988 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:15.332851887 CEST | 49988 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:15.333118916 CEST | 49988 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:15.338009119 CEST | 80 | 49988 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:15.374119043 CEST | 80 | 49987 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:17.140208006 CEST | 80 | 49986 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:17.140834093 CEST | 49986 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:22.639221907 CEST | 49988 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:22.641252041 CEST | 49989 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:22.890944958 CEST | 80 | 49989 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:22.891027927 CEST | 49989 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:22.891273975 CEST | 49989 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:22.896210909 CEST | 80 | 49989 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:22.930171013 CEST | 80 | 49988 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:26.874641895 CEST | 80 | 49987 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:26.874764919 CEST | 49987 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:29.139116049 CEST | 49989 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:29.141885042 CEST | 49990 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:29.146708965 CEST | 80 | 49990 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:29.146816969 CEST | 49990 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:29.147018909 CEST | 49990 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:29.151765108 CEST | 80 | 49990 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:29.186218023 CEST | 80 | 49989 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:34.904860973 CEST | 49990 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:34.907984018 CEST | 49991 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:34.913659096 CEST | 80 | 49991 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:34.913741112 CEST | 49991 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:34.913932085 CEST | 49991 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:34.919375896 CEST | 80 | 49991 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:34.950242043 CEST | 80 | 49990 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:36.703116894 CEST | 80 | 49988 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:36.703191042 CEST | 49988 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:37.920434952 CEST | 49991 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:37.921637058 CEST | 49992 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:38.055052042 CEST | 80 | 49992 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:38.059231043 CEST | 49992 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:38.059231043 CEST | 49992 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:38.064227104 CEST | 80 | 49992 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:38.101234913 CEST | 80 | 49991 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:44.300571918 CEST | 80 | 49989 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:44.300988913 CEST | 49989 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:50.547095060 CEST | 80 | 49990 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:50.547147036 CEST | 49990 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:52.795438051 CEST | 49992 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:52.796379089 CEST | 49993 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:52.801305056 CEST | 80 | 49993 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:52.801366091 CEST | 49993 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:52.801551104 CEST | 49993 | 80 | 192.168.2.11 | 98.142.254.109
Oct 5, 2024 14:39:52.806473017 CEST | 80 | 49993 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:52.842242956 CEST | 80 | 49992 | 98.142.254.109 | 192.168.2.11
Oct 5, 2024 14:39:54.654896975 CEST | 49993 | 80 | 192.168.2.11 | 98.142.254.109
          Oct 5, 2024 14:39:54.657160044 CEST4999480192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:54.661962986 CEST804999498.142.254.109192.168.2.11
          Oct 5, 2024 14:39:54.662030935 CEST4999480192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:54.662162066 CEST4999480192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:54.667186975 CEST804999498.142.254.109192.168.2.11
          Oct 5, 2024 14:39:54.702169895 CEST804999398.142.254.109192.168.2.11
          Oct 5, 2024 14:39:54.920449018 CEST4999480192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:54.921310902 CEST4999580192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:54.926170111 CEST804999598.142.254.109192.168.2.11
          Oct 5, 2024 14:39:54.926276922 CEST4999580192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:54.926387072 CEST4999580192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:54.931215048 CEST804999598.142.254.109192.168.2.11
          Oct 5, 2024 14:39:54.970211029 CEST804999498.142.254.109192.168.2.11
          Oct 5, 2024 14:39:56.511415005 CEST804999198.142.254.109192.168.2.11
          Oct 5, 2024 14:39:56.511468887 CEST4999180192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:56.511537075 CEST804999198.142.254.109192.168.2.11
          Oct 5, 2024 14:39:56.511593103 CEST4999180192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:56.516416073 CEST804999198.142.254.109192.168.2.11
          Oct 5, 2024 14:39:59.422636986 CEST804999298.142.254.109192.168.2.11
          Oct 5, 2024 14:39:59.422940969 CEST4999280192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:59.843067884 CEST4999580192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:59.843544960 CEST4999680192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:59.848432064 CEST804999698.142.254.109192.168.2.11
          Oct 5, 2024 14:39:59.849690914 CEST4999680192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:59.850128889 CEST4999680192.168.2.1198.142.254.109
          Oct 5, 2024 14:39:59.854938984 CEST804999698.142.254.109192.168.2.11
          Oct 5, 2024 14:39:59.890137911 CEST804999598.142.254.109192.168.2.11
          Oct 5, 2024 14:40:08.970993996 CEST4999680192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:08.972342968 CEST4999780192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:08.977247000 CEST804999798.142.254.109192.168.2.11
          Oct 5, 2024 14:40:08.977328062 CEST4999780192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:08.977565050 CEST4999780192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:08.982417107 CEST804999798.142.254.109192.168.2.11
          Oct 5, 2024 14:40:09.022221088 CEST804999698.142.254.109192.168.2.11
          Oct 5, 2024 14:40:14.176429987 CEST804999398.142.254.109192.168.2.11
          Oct 5, 2024 14:40:14.177485943 CEST4999380192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:16.016321898 CEST804999498.142.254.109192.168.2.11
          Oct 5, 2024 14:40:16.016494036 CEST4999480192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:16.281877995 CEST804999598.142.254.109192.168.2.11
          Oct 5, 2024 14:40:16.285509109 CEST4999580192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:21.159792900 CEST4999780192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:21.193264961 CEST4999880192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:21.198225021 CEST804999898.142.254.109192.168.2.11
          Oct 5, 2024 14:40:21.198292017 CEST4999880192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:21.200304031 CEST4999880192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:21.205101967 CEST804999898.142.254.109192.168.2.11
          Oct 5, 2024 14:40:21.206090927 CEST804999798.142.254.109192.168.2.11
          Oct 5, 2024 14:40:21.223403931 CEST804999698.142.254.109192.168.2.11
          Oct 5, 2024 14:40:21.223507881 CEST4999680192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:30.362123013 CEST804999798.142.254.109192.168.2.11
          Oct 5, 2024 14:40:30.362560034 CEST4999780192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:38.233330965 CEST4999880192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:38.234739065 CEST4999980192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:38.239615917 CEST804999998.142.254.109192.168.2.11
          Oct 5, 2024 14:40:38.240601063 CEST4999980192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:38.240885973 CEST4999980192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:38.245843887 CEST804999998.142.254.109192.168.2.11
          Oct 5, 2024 14:40:38.282155037 CEST804999898.142.254.109192.168.2.11
          Oct 5, 2024 14:40:38.701922894 CEST4999980192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:38.702915907 CEST5000080192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:38.707809925 CEST805000098.142.254.109192.168.2.11
          Oct 5, 2024 14:40:38.707880974 CEST5000080192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:38.708040953 CEST5000080192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:38.712948084 CEST805000098.142.254.109192.168.2.11
          Oct 5, 2024 14:40:38.750129938 CEST804999998.142.254.109192.168.2.11
          Oct 5, 2024 14:40:42.603317976 CEST804999898.142.254.109192.168.2.11
          Oct 5, 2024 14:40:42.603401899 CEST4999880192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:43.389355898 CEST5000080192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:43.390672922 CEST5000180192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:43.396200895 CEST805000198.142.254.109192.168.2.11
          Oct 5, 2024 14:40:43.396289110 CEST5000180192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:43.396414995 CEST5000180192.168.2.1198.142.254.109
          Oct 5, 2024 14:40:43.401690960 CEST805000198.142.254.109192.168.2.11
          Oct 5, 2024 14:40:43.438093901 CEST805000098.142.254.109192.168.2.11
          Oct 5, 2024 14:40:59.626359940 CEST804999998.142.254.109192.168.2.11
          Oct 5, 2024 14:40:59.626425028 CEST4999980192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:00.098341942 CEST805000098.142.254.109192.168.2.11
          Oct 5, 2024 14:41:00.098412991 CEST5000080192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:04.751894951 CEST805000198.142.254.109192.168.2.11
          Oct 5, 2024 14:41:04.751964092 CEST5000180192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:04.752672911 CEST5000180192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:04.753423929 CEST5000280192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:04.757483006 CEST805000198.142.254.109192.168.2.11
          Oct 5, 2024 14:41:04.758208990 CEST805000298.142.254.109192.168.2.11
          Oct 5, 2024 14:41:04.758327961 CEST5000280192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:04.758666039 CEST5000280192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:04.763458014 CEST805000298.142.254.109192.168.2.11
          Oct 5, 2024 14:41:06.928186893 CEST5000280192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:06.929164886 CEST5000380192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:06.934429884 CEST805000398.142.254.109192.168.2.11
          Oct 5, 2024 14:41:06.935194969 CEST5000380192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:06.935477972 CEST5000380192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:06.940254927 CEST805000398.142.254.109192.168.2.11
          Oct 5, 2024 14:41:06.974165916 CEST805000298.142.254.109192.168.2.11
          Oct 5, 2024 14:41:26.113846064 CEST805000298.142.254.109192.168.2.11
          Oct 5, 2024 14:41:26.113965034 CEST5000280192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:27.945461988 CEST5000380192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:27.946372032 CEST5000480192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:27.951280117 CEST805000498.142.254.109192.168.2.11
          Oct 5, 2024 14:41:27.951359034 CEST5000480192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:27.951510906 CEST5000480192.168.2.1198.142.254.109
          Oct 5, 2024 14:41:27.956347942 CEST805000498.142.254.109192.168.2.11
          Oct 5, 2024 14:41:27.994199991 CEST805000398.142.254.109192.168.2.11
          Oct 5, 2024 14:41:28.320708990 CEST805000398.142.254.109192.168.2.11
          Oct 5, 2024 14:41:28.320780993 CEST5000380192.168.2.1198.142.254.109
          • 98.142.254.109
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49752 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:37:21.582897902 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49878 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:37:43.062901020 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.11 | 49982 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:38:04.486705065 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.11 | 49984 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:38:25.850115061 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.11 | 49985 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:38:47.257153034 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.11 | 49986 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:38:55.774677992 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.11 | 49987 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:05.519922018 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.11 | 49988 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:15.333118916 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.11 | 49989 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:22.891273975 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.11 | 49990 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:29.147018909 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.11 | 49991 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:34.913932085 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.11 | 49992 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:38.059231043 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.11 | 49993 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:52.801551104 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.11 | 49994 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:54.662162066 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.11 | 49995 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:54.926387072 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.11 | 49996 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:39:59.850128889 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.11 | 49997 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:40:08.977565050 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.11 | 49998 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:40:21.200304031 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.11 | 49999 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:40:38.240885973 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.11 | 50000 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:40:38.708040953 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.11 | 50001 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:40:43.396414995 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.11 | 50002 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:41:04.758666039 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.11 | 50003 | 98.142.254.109 | 80 | 7488 | C:\Users\user\Desktop\Copy10330520PDF.exe
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:41:06.935477972 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port
23 | 192.168.2.11 | 50004 | 98.142.254.109 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 14:41:27.951510906 CEST | 79 | OUT | GET /ii/Kpcwtduh.mp4 HTTP/1.1
Host: 98.142.254.109
Connection: Keep-Alive



          Target ID:0
          Start time:08:37:20
          Start date:05/10/2024
          Path:C:\Users\user\Desktop\Copy10330520PDF.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Copy10330520PDF.exe"
          Imagebase:0x960000
          File size:210'808 bytes
          MD5 hash:54CE77B9385FD7750D737F5AF323AB34
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:false

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3844745615.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_12e0000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID: Te_q
            • API String ID: 0-823545363
            • Opcode ID: 05609d682ec88d67d8c7146d5e08b195a9b3dbf1758f2c5d89d2dc79d0732aa4
            • Instruction ID: 9e5429dc3c19c09500162abbfa984cdca4ec46fdd279f4fa1bd595a4c9936a21
            • Opcode Fuzzy Hash: 05609d682ec88d67d8c7146d5e08b195a9b3dbf1758f2c5d89d2dc79d0732aa4
            • Instruction Fuzzy Hash: A2414A30B102099FDB14DFA8D4587ADBBF2BF88714F644469E006EB3A0DBB49D46CB55
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3844745615.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_12e0000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID: <dvq
            • API String ID: 0-2315281443
            • Opcode ID: 1242c72cfb40e1d4b895e24309a0a6e773346102acb59728d5175b689e6fa9b9
            • Instruction ID: 66761ae1d68b43582f87f8ae83f07aed02196632dfed3e1c02ac5247f9a180bd
            • Opcode Fuzzy Hash: 1242c72cfb40e1d4b895e24309a0a6e773346102acb59728d5175b689e6fa9b9
            • Instruction Fuzzy Hash: ED31B130F1020A9FDB09DF79D4546AEBBF6BFC9704F144569E805AB390DF7098428B91
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3844745615.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_12e0000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID: <dvq
            • API String ID: 0-2315281443
            • Opcode ID: 63098cc61ce40e374be1406932b5c3564f2f028c343d9de847839fb8cd048cf0
            • Instruction ID: 42f5afb80fb025759b32cfda9aa5b17fd3a723de4bb59789eab121a7d3beaefa
            • Opcode Fuzzy Hash: 63098cc61ce40e374be1406932b5c3564f2f028c343d9de847839fb8cd048cf0
            • Instruction Fuzzy Hash: E3219F31F1020A9FDB08DFB9D4546AEB7F6BFC9700F508569E905AB390EFB098418B90
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3844745615.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_12e0000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID: Te_q
            • API String ID: 0-823545363
            • Opcode ID: 0d095d38926dda4c6ae00cbc21364d8467180fb65bfc9bf8bf04314571a05e58
            • Instruction ID: c79395b8ca2b7378557c10d218a18b77d2ed747179dd4322cca2bbc98639fe5a
            • Opcode Fuzzy Hash: 0d095d38926dda4c6ae00cbc21364d8467180fb65bfc9bf8bf04314571a05e58
            • Instruction Fuzzy Hash: 5D218E30B112099FDB05EFB9C4586ADBBF2AF89700F644429E406EB3A0DF755C46CB85
            Memory Dump Source
            • Source File: 00000000.00000002.3844745615.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_12e0000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b4bdee54ab7205e8ad4d08c5ae6530c5b8426c153790264b09f6865f5f5aad16
            • Instruction ID: 06f5f1fed7fdeb1102901fea2b4eb1bc541e32e4652c9c205bfd1693cd774bf5
            • Opcode Fuzzy Hash: b4bdee54ab7205e8ad4d08c5ae6530c5b8426c153790264b09f6865f5f5aad16
            • Instruction Fuzzy Hash: A33167B0D002499FDB14DFA9D585AEEBFF5EF48310F248029E909AB350DB759946CFA0
            Memory Dump Source
            • Source File: 00000000.00000002.3844745615.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_12e0000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 07cefb74b5e006a06521210fddeeb979d99033f3974cdf0cb41502d64f04bcb3
            • Instruction ID: d26c856a311c0ffb29c763e97357edfdc375ec5625de0866b2d5d17b55fe62f7
            • Opcode Fuzzy Hash: 07cefb74b5e006a06521210fddeeb979d99033f3974cdf0cb41502d64f04bcb3
            • Instruction Fuzzy Hash: 093136B0D002499FDB14DFAAD585AEEBFF5EF48310F248029E909AB350DB759945CFA0
            Memory Dump Source
            • Source File: 00000000.00000002.3844594255.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_128d000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ea900e07858377ece67b990fedf5bd5ff2288bae089dee6e1019f9fc2c63c3f0
            • Instruction ID: f34d817ef7e92c55ff503810a3b124965377584c4a26cb9dcf640fc137ebc3a7
            • Opcode Fuzzy Hash: ea900e07858377ece67b990fedf5bd5ff2288bae089dee6e1019f9fc2c63c3f0
            • Instruction Fuzzy Hash: 702148B1554209DFDB05EF88E9C0B26BF65FB88314F20C169E9090B2D6C37AE409C7B1
            Memory Dump Source
            • Source File: 00000000.00000002.3844594255.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_128d000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
            • Instruction ID: 2f9d0a5d250d81c96eb0212d8ca356b0f86fa1183a01b8b29d009ef97f021cd2
            • Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
            • Instruction Fuzzy Hash: 0311E172404244CFDB12DF48D5C4B16BF72FB84324F24C1AADA090B297C33AD45ACBA2
            Memory Dump Source
            • Source File: 00000000.00000002.3844594255.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_128d000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 55afa9232692f93224b3506826dee812ec54fa5229be6ee86301d26cedfd9009
            • Instruction ID: 38c3607f37c67c98f164751267583c70bcd6906af943ae812cef38e3b0f7a592
            • Opcode Fuzzy Hash: 55afa9232692f93224b3506826dee812ec54fa5229be6ee86301d26cedfd9009
            • Instruction Fuzzy Hash: A9012B71016388AAE714BB59DD84B77FFD8EF45320F08C42AEE094A1CAC2789848C671
            Memory Dump Source
            • Source File: 00000000.00000002.3844594255.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_128d000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5fc3ca93249673f8951d824b12e660352236596655d678563268d38aecbf2a5b
            • Instruction ID: da2fbef0ba906ce7ab8332ea739646006964678f85cc8f5d1432a56f17f3ff67
            • Opcode Fuzzy Hash: 5fc3ca93249673f8951d824b12e660352236596655d678563268d38aecbf2a5b
            • Instruction Fuzzy Hash: 7BF0FC71005348AEE7149B09DCC4B62FF98EF45734F18C45AEE485B2C6C2799844CA70
            Memory Dump Source
            • Source File: 00000000.00000002.3844745615.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_12e0000_Copy10330520PDF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 08b55ef2756ba29f212d778696ce09c8e5f141be6203321a277d112bf1ac7da2
            • Instruction ID: f19c374b802b23222c7d8f67ef420656558dc810b01a9ec3b25b636230e98889
            • Opcode Fuzzy Hash: 08b55ef2756ba29f212d778696ce09c8e5f141be6203321a277d112bf1ac7da2
            • Instruction Fuzzy Hash: BFE07E2404E3E54FCB23AB399A744893F705D5322470A04E7C4D48F0ABD518269DD7AA