Analysis Report v1Us5AICBm
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for dropped file |
Source: | ReversingLabs: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Machine Learning detection for dropped file |
Source: | Joe Sandbox ML: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Avira: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Contains functionality to inject code into remote processes |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Native API1 | DLL Side-Loading1 | Access Token Manipulation1 | Masquerading1 | OS Credential Dumping | Security Software Discovery111 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection112 | Access Token Manipulation1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading1 | Process Injection112 | Security Account Manager | Remote System Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing3 | LSA Secrets | System Information Discovery13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 47% | Virustotal | | |
| 28% | ReversingLabs | Win32.Trojan.Generic | |
| 100% | Joe Sandbox ML | | |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
| 28% | ReversingLabs | Win32.Trojan.Generic | |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.ZPACK.Gen2 | | |
| 100% | Avira | TR/Crypt.ZPACK.Gen2 | | |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 2% | Virustotal | | |
| 2% | Virustotal | | |
| 0% | Virustotal | | |
| 1% | Virustotal | | |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
squire.ae | 70.32.23.56 | true | false | | unknown |
lamun.pk | 67.23.227.19 | true | false | | unknown |
rcclabbd.com | 192.254.225.195 | true | false | | unknown |
businessinsurancelaw.com | 70.32.23.56 | true | false | | unknown |
thecype.com | 192.3.183.226 | true | false | unknown | |
www.businessinsurancelaw.com | unknown | unknown | false | unknown | |
theterteboltallbrow.tk | unknown | unknown | false | unknown | |
www.rcclabbd.com | unknown | unknown | false | unknown | |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | high | |
| | false | unknown | |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
192.254.225.195 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false |
192.3.183.226 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false |
70.32.23.56 | unknown | United States | 55293 | A2HOSTINGUS | false |
67.23.227.19 | unknown | United States | 33182 | DIMENOCUS | false |
Private |
---|
IP |
---|
192.168.2.1 |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 329945 |
Start date: | 13.12.2020 |
Start time: | 17:59:10 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 47s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | v1Us5AICBm (renamed file extension from none to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 28 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal68.evad.winDLL@3/1@11/5 |
EGA Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
192.254.225.195 | | | malicious | | |
192.3.183.226 | | | malicious | | |
70.32.23.56 | | | malicious | | |
67.23.227.19 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
thecype.com | | | malicious | | |
lamun.pk | | | malicious | | |
squire.ae | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
UNIFIEDLAYER-AS-1US | | | malicious | | |
A2HOSTINGUS | | | malicious | | |
AS-COLOCROSSINGUS | | | malicious | | |
DIMENOCUS | | | malicious | | |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | | | malicious | | |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 389120 |
Entropy (8bit): | 6.772300701631193 |
Encrypted: | false |
SSDEEP: | 6144:j2yIqOCYbeyUaNpV55IQB5ykPgScnOfIvI+ZcZfqAf7Vv7U0+jG8CuJ:jPYb3UaNpV52QB5ykXcqacZfqARv7Bmj |
MD5: | E0AF3054669D6232870B87E1E239A689 |
SHA1: | F0AA6E50471E70D07A1B70207F38538CB31ED569 |
SHA-256: | F8503947E0E984865A29D1E3F8A62CE7034069F49C2A2DD902AF68274F192224 |
SHA-512: | 1574E2ACA2415A90677053DA5F625D4A9E3BB2E85362CC7ACC7B6430A35EB889883DA1FDA694D79EE38349FEE01B5843D0717D864E2D801302755188308D513F |
Malicious: | true |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.772300701631193 |
File name: | v1Us5AICBm.dll |
File size: | 389120 |
MD5: | e0af3054669d6232870b87e1e239a689 |
SHA1: | f0aa6e50471e70d07a1b70207f38538cb31ed569 |
SHA256: | f8503947e0e984865a29d1e3f8a62ce7034069f49c2a2dd902af68274f192224 |
SHA512: | 1574e2aca2415a90677053da5f625d4a9e3bb2e85362cc7acc7b6430a35eb889883da1fda694d79ee38349fee01b5843d0717d864e2d801302755188308d513f |
SSDEEP: | 6144:j2yIqOCYbeyUaNpV55IQB5ykPgScnOfIvI+ZcZfqAf7Vv7U0+jG8CuJ:jPYb3UaNpV52QB5ykXcqacZfqARv7Bmj |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=B..S...S...S.[(-...S..*>...S..*....S..*(...S..*=...S.......S...R.+.S..*!...S..*)...S..*/...S..*+...S.Rich..S................ |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x100026e5 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | |
Time Stamp: | 0x457D36C4 [Mon Dec 11 10:45:24 2006 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | ac30ec1b90a9fedffe3cfc3e897b5a40 |
Entrypoint Preview |
---|
Instruction |
---|
cmp dword ptr [esp+08h], 01h |
jne 00007F0A38FE5CE7h |
call 00007F0A38FEAD5Ah |
push dword ptr [esp+04h] |
mov ecx, dword ptr [esp+10h] |
mov edx, dword ptr [esp+0Ch] |
call 00007F0A38FE5BD2h |
pop ecx |
retn 000Ch |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+04h] |
test ecx, 00000003h |
je 00007F0A38FE5D06h |
mov al, byte ptr [ecx] |
add ecx, 01h |
test al, al |
je 00007F0A38FE5D30h |
test ecx, 00000003h |
jne 00007F0A38FE5CD1h |
add eax, 00000000h |
lea esp, dword ptr [esp+00000000h] |
lea esp, dword ptr [esp+00000000h] |
mov eax, dword ptr [ecx] |
mov edx, 7EFEFEFFh |
add edx, eax |
xor eax, FFFFFFFFh |
xor eax, edx |
add ecx, 04h |
test eax, 81010100h |
je 00007F0A38FE5CCAh |
mov eax, dword ptr [ecx-04h] |
test al, al |
je 00007F0A38FE5D14h |
test ah, ah |
je 00007F0A38FE5D06h |
test eax, 00FF0000h |
je 00007F0A38FE5CF5h |
test eax, FF000000h |
je 00007F0A38FE5CE4h |
jmp 00007F0A38FE5CAFh |
lea eax, dword ptr [ecx-01h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-02h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-03h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-04h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
push ebp |
mov ebp, esp |
sub esp, 20h |
mov eax, dword ptr [ebp+08h] |
push esi |
push edi |
push 00000008h |
pop ecx |
mov esi, 000512D0h |
Rich Headers |
---|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x58568 | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xf80 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0x11b0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x51220 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x57bf8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x51000 | 0x1e0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4fb28 | 0x50000 | False | 0.811544799805 | data | 6.97945124569 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x51000 | 0x800c | 0x9000 | False | 0.459689670139 | data | 5.7180496081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x5a000 | 0x87f8 | 0x2000 | False | 0.2216796875 | data | 2.42882006124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x63000 | 0xf80 | 0x1000 | False | 0.371826171875 | data | 3.49422984211 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x64000 | 0x1f06 | 0x2000 | False | 0.472290039062 | data | 4.57666635881 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_DIALOG | 0x63588 | 0xcc | data | English | United States |
RT_DIALOG | 0x63658 | 0xc0 | data | English | United States |
RT_DIALOG | 0x63718 | 0xbc | data | English | United States |
RT_DIALOG | 0x637d8 | 0x148 | data | English | United States |
RT_DIALOG | 0x63920 | 0xd0 | data | English | United States |
RT_DIALOG | 0x639f0 | 0x140 | data | English | United States |
RT_DIALOG | 0x63b30 | 0xc8 | data | English | United States |
RT_DIALOG | 0x63bf8 | 0x142 | data | English | United States |
RT_DIALOG | 0x63d40 | 0xbc | data | English | United States |
RT_VERSION | 0x63270 | 0x318 | data | English | United States |
RT_MANIFEST | 0x63e00 | 0x17d | XML 1.0 document text | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | LCMapStringW, VirtualProtect, GetStringTypeA, HeapReAlloc, GetStringTypeW, GetCurrentThreadId, GetLocaleInfoA, HeapSize, LoadLibraryA, InitializeCriticalSection, CompareStringA, CompareStringW, GetVersion, WriteFile, FindFirstChangeNotificationA, GetDiskFreeSpaceA, RemoveDirectoryA, CreateProcessA, CreateEventA, LCMapStringA, Sleep, GetSystemTimeAsFileTime, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, GetProcAddress, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, MultiByteToWideChar, GetTimeFormatA, GetDateFormatA, WideCharToMultiByte, GetTimeZoneInformation, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, SetEnvironmentVariableA |
USER32.dll | GetMessageA, CloseClipboard, GetClassNameA, MapDialogRect, LoadIconA, SetParent, ExitWindowsEx, GetDC, InflateRect, OffsetRect, GetWindowTextA, GetAsyncKeyState, IntersectRect, EndDialog, EnumChildWindows, UpdateWindow, FindWindowA, EndDeferWindowPos, GetMessagePos |
GDI32.dll | SetTextColor, SetBkColor, SetAbortProc, CreateBitmap, SetRectRgn, CombineRgn, StretchDIBits, GetClipBox, GetTextMetricsA, AbortDoc, EndDoc |
COMDLG32.dll | CommDlgExtendedError, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA, ChooseFontA, ReplaceTextA |
COMCTL32.dll | ImageList_Remove, InitCommonControlsEx, ImageList_SetBkColor, ImageList_SetIconSize, ImageList_Destroy, ImageList_SetDragCursorImage |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Figskin Corporation. All rights reserved |
InternalName | Pound Bit |
FileVersion | 8.3.0.634 |
CompanyName | Figskin Corporation |
ProductName | Figskin Scienceland |
ProductVersion | 8.3.0.634 |
FileDescription | Figskin Scienceland |
OriginalFilename | hole.dll |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 13, 2020 18:00:44.319030046 CET | 49735 | 443 | 192.168.2.3 | 70.32.23.56 |
Dec 13, 2020 18:00:44.445207119 CET | 443 | 49735 | 70.32.23.56 | 192.168.2.3 |
UDP Packets |
---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Dec 13, 2020 18:00:44.156333923 CET | 192.168.2.3 | 8.8.8.8 | 0xca7c | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:00:45.447274923 CET | 192.168.2.3 | 8.8.8.8 | 0xd7d3 | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:00:46.527847052 CET | 192.168.2.3 | 8.8.8.8 | 0xa2f1 | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:00:47.556493998 CET | 192.168.2.3 | 8.8.8.8 | 0xde36 | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:01.057795048 CET | 192.168.2.3 | 8.8.8.8 | 0x94b9 | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:01.960922956 CET | 192.168.2.3 | 8.8.8.8 | 0xb3a0 | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:02.058600903 CET | 192.168.2.3 | 8.8.8.8 | 0x7241 | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:07.111082077 CET | 192.168.2.3 | 8.8.8.8 | 0xe276 | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:07.160408020 CET | 192.168.2.3 | 8.8.8.8 | 0xb92f | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:12.204451084 CET | 192.168.2.3 | 8.8.8.8 | 0xeb0 | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:12.304409027 CET | 192.168.2.3 | 8.8.8.8 | 0x79f4 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Dec 13, 2020 18:00:44.293592930 CET | 8.8.8.8 | 192.168.2.3 | 0xca7c | No error (0) | businessinsurancelaw.com | CNAME (Canonical name) | IN (0x0001) | ||
Dec 13, 2020 18:00:44.293592930 CET | 8.8.8.8 | 192.168.2.3 | 0xca7c | No error (0) | 70.32.23.56 | A (IP address) | IN (0x0001) | ||
Dec 13, 2020 18:00:45.616791964 CET | 8.8.8.8 | 192.168.2.3 | 0xd7d3 | No error (0) | 70.32.23.56 | A (IP address) | IN (0x0001) | ||
Dec 13, 2020 18:00:46.587399006 CET | 8.8.8.8 | 192.168.2.3 | 0xa2f1 | No error (0) | 67.23.227.19 | A (IP address) | IN (0x0001) | ||
Dec 13, 2020 18:00:47.724914074 CET | 8.8.8.8 | 192.168.2.3 | 0xde36 | No error (0) | rcclabbd.com | CNAME (Canonical name) | IN (0x0001) | ||
Dec 13, 2020 18:00:47.724914074 CET | 8.8.8.8 | 192.168.2.3 | 0xde36 | No error (0) | 192.254.225.195 | A (IP address) | IN (0x0001) | ||
Dec 13, 2020 18:01:01.100646019 CET | 8.8.8.8 | 192.168.2.3 | 0x94b9 | No error (0) | 192.3.183.226 | A (IP address) | IN (0x0001) | ||
Dec 13, 2020 18:01:02.051309109 CET | 8.8.8.8 | 192.168.2.3 | 0xb3a0 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:02.094324112 CET | 8.8.8.8 | 192.168.2.3 | 0x7241 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:07.152836084 CET | 8.8.8.8 | 192.168.2.3 | 0xe276 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:07.193361044 CET | 8.8.8.8 | 192.168.2.3 | 0xb92f | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:12.287242889 CET | 8.8.8.8 | 192.168.2.3 | 0xeb0 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Dec 13, 2020 18:01:12.339963913 CET | 8.8.8.8 | 192.168.2.3 | 0x79f4 | Name error (3) | none | none | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Dec 13, 2020 18:00:44.623739958 CET | 70.32.23.56 | 443 | 192.168.2.3 | 49735 | CN=businessinsurancelaw.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Sep 29 02:00:00 CEST 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004 | Tue Dec 29 00:59:59 CET 2020 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
Dec 13, 2020 18:00:45.876168966 CET | 70.32.23.56 | 443 | 192.168.2.3 | 49736 | CN=squire.ae CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Oct 29 01:00:00 CET 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004 | Thu Jan 28 00:59:59 CET 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
Dec 13, 2020 18:00:46.854670048 CET | 67.23.227.19 | 443 | 192.168.2.3 | 49737 | CN=*.lamun.pk CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co. | Tue Oct 27 22:33:43 CET 2020 Thu Mar 17 17:40:46 CET 2016 | Mon Jan 25 22:33:43 CET 2021 Wed Mar 17 17:40:46 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
Dec 13, 2020 18:00:48.050462008 CET | 192.254.225.195 | 443 | 192.168.2.3 | 49738 | CN=cpanel.rcclabbd.com CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co. | Fri Nov 13 11:07:04 CET 2020 Thu Mar 17 17:40:46 CET 2016 | Thu Feb 11 11:07:04 CET 2021 Wed Mar 17 17:40:46 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
Dec 13, 2020 18:01:01.329282999 CET | 192.3.183.226 | 443 | 192.168.2.3 | 49747 | CN=webmail.thecype.com CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co. | Sat Oct 17 20:11:48 CEST 2020 Thu Mar 17 17:40:46 CET 2016 | Fri Jan 15 19:11:48 CET 2021 Wed Mar 17 17:40:46 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 17:59:56 |
Start date: | 13/12/2020 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13d0000 |
File size: | 120832 bytes |
MD5 hash: | 2D39D4DFDE8F7151723794029AB8A034 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 18:00:40 |
Start date: | 13/12/2020 |
Path: | C:\Windows\SysWOW64\msiexec.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1140000 |
File size: | 59904 bytes |
MD5 hash: | 12C17B5A5C2A7B97342C362CA467E9A2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|