Analysis Report SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261
Overview
General Information
Sample Name: | SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261 (renamed file extension from 19261 to dll) |
Analysis ID: | 351337 |
MD5: | 4e62d8a29ba5805407ece642d63df461 |
SHA1: | 320f45735c2da0a93359d00ae8d714b48f9c5531 |
SHA256: | ded0afec1ce538699df52daf0e024a3b2965fd0520e9ff4d5a8ed4c141967fb9 |
Tags: | Gozi |
Most interesting Screenshot: |
Detection
Ursnif
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
Threatname: Ursnif |
---|
{"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "217", "system": "b81731599bd7bb2de2d9647341cc92e4hh", "size": "201281", "crc": "2", "action": "00000000", "id": "1100", "time": "1612998941", "user": "d095a5848695dc15e71ab15c7c3f3fe3", "hash": "0x4a63e4e6", "soft": "3"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: MSHTA Spawning Windows Shell |
Source: | Author: Michael Haag: |
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for domain / URL |
Source: | Virustotal: |
Compliance: |
---|
Uses 32bit PE files |
Source: | Static PE information: |
Uses new MSVCR Dlls |
Source: | File opened: |
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Source: | Static PE information: |
Binary contains paths to debug symbols |
Source: | Binary string: |
Source: | Code function: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif |
Source: | File source: |
E-Banking Fraud: |
---|
Yara detected Ursnif |
Source: | File source: |
System Summary: |
---|
Malicious sample detected (through community Yara rule) |
Source: | Matched rule: |
Writes or reads registry keys via WMI |
Source: | WMI Queries: |
Writes registry values via WMI |
Source: | WMI Registry write: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Key opened: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Section loaded: |
Source: | File read: |
Source: | Key opened: |
Source: | File read: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Key opened: |
Source: | Window detected: |
Source: | File opened: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Data Obfuscation: |
---|
Suspicious powershell command line found |
Source: | Process created: |
Source: | Code function: |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif |
Source: | File source: |
Hooks registry keys query functions (used to hide registry keys) |
Source: | IAT, EAT, inline or SSDT hook detected: |
Modifies the export address table of user mode modules (user mode EAT hooks) |
Source: | IAT of a user mode module has changed: |
Modifies the import address table of user mode modules (user mode IAT hooks) |
Source: | EAT of a user mode module has changed: |
Modifies the prolog of user mode functions (user mode inline hooks) |
Source: | User mode code has changed: |
Source: | Process information set: |
Source: | File opened / queried: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Thread sleep time: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: |
Source: | Process token adjusted: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Compiles code for process injection (via .Net compiler) |
Source: | File written: |
Creates a thread in another existing process (thread injection) |
Source: | Thread created: |
Maps a DLL or memory area into another process |
Source: | Section loaded: |
Modifies the context of a thread in another process (thread injection) |
Source: | Thread register set: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Key value queried: |
Source: | Queries volume information: |
Source: | Code function: |
Source: | Key value queried: |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection412 | Rootkit4 | Credential API Hooking3 | System Time Discovery1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Command and Scripting Interpreter1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | LSASS Memory | Security Software Discovery31 | Remote Desktop Protocol | Credential API Hooking3 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | PowerShell1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion3 | Security Account Manager | Virtualization/Sandbox Evasion3 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection412 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol4 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll321 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery45 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 6% | Virustotal | | |
| 9% | ReversingLabs | Win32.Trojan.Wacatac | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 100% | Avira URL Cloud | phishing | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
c56.lepini.at | 35.228.31.40 | true | true | | unknown |
resolver1.opendns.com | 208.67.222.222 | true | false | | high |
api3.lepini.at | 35.228.31.40 | true | false | | unknown |
api10.laptok.at | 35.228.31.40 | true | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| false | | unknown |
| false | | unknown |
| false | | unknown |
| true | | unknown |
| false | | unknown |
| false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
35.228.31.40 | unknown | United States | | 15169 | GOOGLEUS | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 351337 |
Start date: | 10.02.2021 |
Start time: | 15:13:01 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261 (renamed file extension from 19261 to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 40 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winDLL@18/24@11/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: |
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
15:15:10 | API Interceptor | |
15:15:58 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
35.228.31.40 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
resolver1.opendns.com | | | malicious | | |
c56.lepini.at | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
GOOGLEUS | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 71272 |
Entropy (8bit): | 2.036853286280987 |
Encrypted: | false |
SSDEEP: | 192:ryZ9ZW2eW3tKifeRHJzMJBC6eVBgCptD9asAavVtHm1a+9s2Ok+EhkquiOkqH4m5:ruztVdTXoZRB3BMYgc1 |
MD5: | DF09867101E3F8250FBE69F8D23A4B73 |
SHA1: | BFA09E7C5A3086E01BFF99115E15B1E5CD8722D7 |
SHA-256: | 719032F8605BCEEC1A8EC3E72D1CB407C2DA4C950A001588D5099C683366D4C8 |
SHA-512: | 7CEEF13B0ED2498471444117B806BB0C35430FB647467D8606FD8A3D3804E4D247DEC080786C55E0A66C111617B1D82B70647A2774F107DB00FE1A64F4A6FDF5 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 27592 |
Entropy (8bit): | 1.9063458055602907 |
Encrypted: | false |
SSDEEP: | 192:rVZiQ268k7jN21W+MaBQ9caQlRdlQ9caQlRa9cPA:rbPBhnEMXCjlRfjlRw |
MD5: | 364B6E0AA1651A7AE7CF03BA0480CE9C |
SHA1: | 2D6D4F4B05DBF0C591611232A9E19C00392E28F7 |
SHA-256: | 6B0EDB1E1F7B5533BFD311E809E10EF132E339C6E72FB225E9325349918DE83C |
SHA-512: | 90B047B7F19C7AADF1DC82FC1F1F8C3CF60E34D291F3EABC2669F49A76850A9C427F53B64B29145C6941B4348758204DC09B0FE29FF7C14A47585AB83A30D4D9 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28160 |
Entropy (8bit): | 1.9152388232640587 |
Encrypted: | false |
SSDEEP: | 192:rdZeQ76DkRjt2GWlMRpl3API5Vq3APIeA:rzb+Itk9mbGPE/PM |
MD5: | 7EFB43ED6ECDC8B3570A04A5CBA04CCD |
SHA1: | DB0C541B57D7E548316C1F0A7CEA70DB787D6AFC |
SHA-256: | 6FDE2C85058D5DE139C661A710CFA6E07D6ABFB9F7ABA943D631EE9F1E9F59DF |
SHA-512: | DC4582B4D4BF21DD27D2E0619C0C4E1EFCE57BF4BE21D0A82473F20FB9B5D48AADA3961ECE077FC5DA6432C8DA2929757B977896C770D5801E3C3092DEED90A4 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | modified |
Size (bytes): | 28168 |
Entropy (8bit): | 1.914344516289633 |
Encrypted: | false |
SSDEEP: | 192:rDZAQH61kNjN27GWQMUB8sVYtHl8sVrsVYtmA:rFZa+pExl89+/9u+X |
MD5: | 77E2081D6B12BA1F82C27A50A61F41A2 |
SHA1: | 7D7D20463427B20B2496F504450158988B664F36 |
SHA-256: | 0B925B764B23695484C25E534672AEA304964C4171355CE8444741303ED99718 |
SHA-512: | 2E949F3C62B54EF060136FEBB534E3DB51E156BDBAB3F75AC9153D1BC83EBD6D74AB28DF20E6D7DF3587307C45D90DFBCF2DAC4EAE5FF870D4E9289937B4C7AA |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 268376 |
Entropy (8bit): | 5.99986572855491 |
Encrypted: | false |
SSDEEP: | 6144:P//YVVzIMeq+LNg0lu4FYPG4JcPj5hUHBDgegKOlx+eeXUa:PnYVV0Me7Ng0lxFYO4JcPjvUHaBKEx+d |
MD5: | 894CB0CC7F8D2DCD25FE8C9ECD291A55 |
SHA1: | 53CD35A91200A6A714464B79C5BF515C24C7981B |
SHA-256: | DEC91CFEC640FEC357A71EE645D392877FB431FFAACAD6B7092311059FDAEC48 |
SHA-512: | E50954B2F62EF8EC47EB1785B596F154DFB2008B080D1B56E33AF181DA0489B9865C096B55B824686CBCB33B54DC005A73EDFBA90F62E9679B89B26FE5C41FEE |
Malicious: | false |
Reputation: | low |
IE Cache URL: | http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU |
Preview: |
|
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 340056 |
Entropy (8bit): | 5.999886531203639 |
Encrypted: | false |
SSDEEP: | 6144:1xweTwNw6sNoJ+l4Zdpa0XjzOPMMY4+Do6I9OHt1Sq49x90fGQh9UmHYS8pyiEaP:weT5BQ+l4ZdpVWMMY4+0jAHt1SLePdHS |
MD5: | F63F71D70312557722C592AB8260C283 |
SHA1: | 6FC1F160C1E50EC5DB8C0E64067C34ADFE6DF94C |
SHA-256: | 1EC8D9741146A63B75AEA79C12E26DE14922A191AF1DE5BC396785B20EF298AB |
SHA-512: | 9C4AF768F8CC3A595C2009F7E233A63610B6C5DB964009F85D5B6FA8B811DA9C2450164589ABED7C667C491D14442845CE338F12A845E0EA2081A7A018AF32C6 |
Malicious: | false |
IE Cache URL: | http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s |
Preview: |
|
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 2452 |
Entropy (8bit): | 5.9891472068248675 |
Encrypted: | false |
SSDEEP: | 48:ubGcN0E+8HZmz6Z1K49CUct/K1+YMXZ/ZRLaP9zNHB1oE+0plUpi0E3zeGtM:3cN1WgLcty1+YMpBROPZNhd+0pGDEje7 |
MD5: | 3911A5CD043629DE358BF4D794062E07 |
SHA1: | D6F0991B11B84B676A27260A6D79ABD0BCD544FB |
SHA-256: | A6F4E2B905615E2D4A9DF6454BD86A911D55CC27C7D43F1E0D94B642C34F450C |
SHA-512: | 8D90C352803B21B084D00610E04D71DB14F479F3A8FCA1081AF383905C135B3DF3F1BF546B7E88D584FE0128BA3153113EF26576A18A22337F1CFC183A625FC7 |
Malicious: | false |
IE Cache URL: | http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG77Zbx14Y4xpnJSaU_/2BLefveYrx/RefMzSY5Upyfbovm3/qmR0BBGI5hNv/ThDaqb_2FWx/xtufh9Msga_2BR/n0Re_2F1kn8UjgqbyTzQA/dUEEQb_2FY20zF3P/aP2AGWgGjayZp9N/yWUTgNMTKZ6EUJxA4O/ga_2BAyhH/6Y4krin4Qd0F9dpWa_2B/Ch_2FWBvvOfaFtGBtaq/0_2BX8pwR_2BJW2aCmXSlR/nA3h5ZuemZjTY/QscPrV_2/FMUurtz9meWYyTWZTPSvYNG/TWbWCTxFm9i/RC |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 0.9260988789684415 |
Encrypted: | false |
SSDEEP: | 3:Nlllulb/lj:NllUb/l |
MD5: | 13AF6BE1CB30E2FB779EA728EE0A6D67 |
SHA1: | F33581AC2C60B1F02C978D14DC220DCE57CC9562 |
SHA-256: | 168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F |
SHA-512: | 1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | modified |
Size (bytes): | 89 |
Entropy (8bit): | 4.45974266689267 |
Encrypted: | false |
SSDEEP: | 3:oVXUHMkQKR8JOGXnEHMkQKwun:o9UaaqEaBu |
MD5: | AC56B7F46C974F8C46780540160E8CD1 |
SHA1: | A1D125750D9A342A2AAEA7953121991A08A32588 |
SHA-256: | AC7F1B99012C8F08604FAD41B1E2E1CA0A112145B9C0C4E7A446E417FC46EFBF |
SHA-512: | F7F6C24D40548379142B051F48FF005BB782FFFC508C88A9027174F43F4052AF90525DB6D6E6F80FE5395B1CDBA4B893825BBD4113966A641AEB0E197C08D1EF |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 411 |
Entropy (8bit): | 5.022568322197063 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJwQ5mMRSR7a1yTyShSRa+rVSSRnA/fh14v02JKy:V/DTLDfuqRySQ9rV5nA/TDy |
MD5: | 9B2165E59D51BB6E8E99190BD9C6BC8B |
SHA1: | 02B2F188D7654CA079ADA726994D383CF75FF114 |
SHA-256: | 36E14435EE02B02C2B06087FF3750569342E8B8D8571F3F45E61AF50D3B03CEA |
SHA-512: | 20E05DE0D57D1F6F53FB3290CB1C533D152C6076E2451B0A463D5AD6342976F49F31DDA8CC668E3EC26775E75EE191B8DD44645F40F723667EE8376C84998209 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 377 |
Entropy (8bit): | 5.295656735826802 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fPdIzxs7+AEszIcNwi23fPd/9n:p37Lvkmb6KwZH+WZEJZHzn |
MD5: | D73F765AC032CEA3F9323DCAED890E6B |
SHA1: | 2934F90F8F1798940B157A8A1F61F4C8EC5BFC06 |
SHA-256: | 4E7A2A7A38D2B63F5D8D7EBCBD35A8D9577DC8E9B1EEAE92C243E0AFD2CF6C84 |
SHA-512: | 57DFB6E01D005720C9F5AC0D6A0265C467EF24BF1EB6621D03E97461C85E52EA1C8277AA58F72A9F1E1D130C1E92F4DDF056EACA9CB47244AEC8FDFB324C9892 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 462 |
Entropy (8bit): | 5.400028983229418 |
Encrypted: | false |
SSDEEP: | 6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fPdIzxs7+AEszIcNF:xKIR37Lvkmb6KwZH+WZEJZHz+ |
MD5: | 3379AD6C0C28F4AA1426E2AA04D35BFD |
SHA1: | 13B83CB4F1BF6F6085DDCAA8AB3D809EA209C155 |
SHA-256: | 67FBC7767356EA93B23EE908AD04C8EF7A51D86F260B9C7E7460768E6F88CB6A |
SHA-512: | BCD04B4F2C2580058B2C7A522C0FF409BAAA182DE3A2765E475FF0C8D257B7EBCAB5821D4B61B09F3DF16A38E93C64111496F0496F4672C8B16DB3915B7E0F27 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 413 |
Entropy (8bit): | 4.95469485629364 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJAMRSRa+eNMjSSRrEMx9SRHq1DAfWZSEehEFQy:V/DTLDfuA9eg5rEMx8u25hZy |
MD5: | 66C992425F6FC8E496BCA0C59044EDFD |
SHA1: | 9900C115A66028CD4E43BD8C2D01401357FD7579 |
SHA-256: | 85FEE59EDA69CF81416915A84F0B8F7D8980A3A582B5FA6CC27A8C1340838B6C |
SHA-512: | D674884748328A261D3CB4298F2EB63B37A77182869C5E3B462FAB917631FC1A6BB9B266CAD4E627F68C3016A2EEADCD508FDDBAF818E2F12E51B97325D9406D |
Malicious: | true |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 377 |
Entropy (8bit): | 5.234228044756695 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fhW8BHH0zxs7+AEszIcNwi23fhW8DH:p37Lvkmb6KwZpFUWZEJZpPH |
MD5: | 446A92A1E2D822C8F9F92DCB3F2D900B |
SHA1: | 0D392001482565526F910197907AAAA547B4D30D |
SHA-256: | 4F87A5DE81196FA5F977390E9AEBD50E8A9B41B72D76D2ED1F47C4D9B3713261 |
SHA-512: | BFF2676061BAED37DE47D3EA3094C706BC9F635E5E9D189C6BFEDB611CB0D45EF5EF195DE505ED19F7BDB694208D9D583336D51C48B987B281FE40BEE64F6460 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 462 |
Entropy (8bit): | 5.352977848393511 |
Encrypted: | false |
SSDEEP: | 6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fhW8BHH0zxs7+AEst:xKIR37Lvkmb6KwZpFUWZEJZpPe |
MD5: | 2949F8143DCE7B1D7AF6C6F3D0C1BE5A |
SHA1: | 8778CAB63CDD31AE7EBCA343F0E7BDCD551DEC29 |
SHA-256: | 47A94EEBBBA630B341499F1567C6293382F16474C10D08FD1DCDD1BDC832925D |
SHA-512: | 84807D0BDC0A52B735DA78383638BD0BC8AF7746DA8D92359BA3AC190F9E0DA14D47AA71D469496871EF49C0D738E3896BB7FCCC76B6C33C842D775AD519AB41 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13269 |
Entropy (8bit): | 0.6103640625181596 |
Encrypted: | false |
SSDEEP: | 24:c9lLh9lLh9lIn9lIn9loJ9lop9lWkRKuyu3APmW:kBqoIysWK2APmW |
MD5: | 6024D4D37AEB823BC4AB3AE0EF49A1B1 |
SHA1: | 91C5B02835C93C4A80B47CCF087B6496AA502811 |
SHA-256: | 4C0D04E4087FD1B1BC3F0C3E4843576862C1EFC07A3272342A691E9CB9E98870 |
SHA-512: | BF646841D5F113A443238DBB9E8CD106ADBC36ECDA58A406A0C69308A4A16BE72542A9EA0F74AB5423B50DE61612B2AA213C026BD6A6E210A45EBB2554F794F7 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40209 |
Entropy (8bit): | 0.6730675925195002 |
Encrypted: | false |
SSDEEP: | 192:kBqoxKAuqR+FrJ4biDYsVYt+DYsVYttDYsVYte:kBqoxKAuqR+FrJ4bi9+Y9+n9+g |
MD5: | BA8745C5334040BF64073483349DCC92 |
SHA1: | 4395DF3D29D467D5218AF9B8DB739ACDBC3476E1 |
SHA-256: | D4BAF7F316BC61134DFF7ABD147F417AA4E4D043C9211522F265843DB1217C9D |
SHA-512: | F1060AA1751145BF481FE7B765F4D5714EEBC3F97AE0CAC946C8A613AEB2C9B23EB3B8133EE977445CB8F5E59FED24D0EFA552913E241555545B53D9B9CCBB9C |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40081 |
Entropy (8bit): | 0.6522001093489276 |
Encrypted: | false |
SSDEEP: | 192:kBqoxKAuqR+FrJ4biMZ9caQlRFMZ9caQlR9YMZ9caQlRf:kBqoxKAuqR+FrJ4bijlRFjlR9YjlRf |
MD5: | F1BBF4CDD59D9EC56E8B1C65E0985908 |
SHA1: | 8745C826FFB28BED74E70CB20B4AA9FC42FB81CE |
SHA-256: | E47DAAE985501E8D61DA6E45500A03F68BDD0DAC2E3B66E9F0F33DCEFE54B6CC |
SHA-512: | 9F151AE0CB84B841F57ABD10D46CFDF595CBDC5AAFD3634635C97E63953D9E4E3EFEF870F175B5BA4D005A4B1C0341EE13BDBD551671A753F2B0C8D9A5E131A9 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40193 |
Entropy (8bit): | 0.6733666051952991 |
Encrypted: | false |
SSDEEP: | 192:kBqoxKAuqR+LFX+FIyw3APILyw3APIIyw3APIl:kBqoxKAuqR+LFX+FIGP4GP/GPI |
MD5: | B236051A995F237674C8AB08DCA6FDD5 |
SHA1: | 1B186A268AAF949297403D25A8AB3EF3E7703789 |
SHA-256: | CDDBFC63406E1139ABBBC33F0566A1F20527ABCF0EC2E8DC7C8ADA4BED722E20 |
SHA-512: | D693710622D51BB18C28EB7968440A2A4BD522F22224E7A5234CF85C770B23A1070F959619A9009B89F8815A0719286E1239F1891713D213810512355E5E37DE |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1197 |
Entropy (8bit): | 5.300725908906392 |
Encrypted: | false |
SSDEEP: | 24:BxSA+dZOvBdaazx2DOXUWOLCHGIYBtLW5HjeTKKjX4CIym1ZJXAOLCHGIYBtfnx9:BZ1v6aoORF/5qDYB1Z+FeZZb |
MD5: | 008CA8AC4F159E5A7280A662FF0FDA97 |
SHA1: | 898189E71E064D07CD17704793A20016C32ADCA1 |
SHA-256: | B498461ECE71305EB162295B9F4A8D82BBF3A639BE18D7AD65236621190AE38A |
SHA-512: | 6611E2537FB3D8410982D786685B674670BDFD9DAA95299927C3501D6BAB34977D2A59C40F0C366546186FB615B1F2C834D1BFF6D8D3978CA667E09EE48CAA5F |
Malicious: | false |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.505516676528311 |
TrID: | |
File name: | SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll |
File size: | 466944 |
MD5: | 4e62d8a29ba5805407ece642d63df461 |
SHA1: | 320f45735c2da0a93359d00ae8d714b48f9c5531 |
SHA256: | ded0afec1ce538699df52daf0e024a3b2965fd0520e9ff4d5a8ed4c141967fb9 |
SHA512: | 98909fb1403057de43205ddc9cb8d4ce5064bb3ae638f8ef09cdffffd3bf08fcaa8714c0f13ec893c9dabe1bdafdc83e82c84db3195693ed8e901f99b39e4684 |
SSDEEP: | 12288:ZEZ6A+uMuXbMkoMouSkTqT7V9VqJ2Biw:ZWkuMuXb/LTqdq |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8...9...8...9...8...9...8...9...8...9...8...9...8..J8...8...8...8...9...8...9...8..&8...8...9...8Rich...8....... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x10026320 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5660B6D4 [Thu Dec 3 21:40:36 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 281ea861025d7e9240efd01bc3d8f17a |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007F6048A1E2B7h |
call 00007F6048A1EC57h |
mov eax, dword ptr [ebp+10h] |
push eax |
mov ecx, dword ptr [ebp+0Ch] |
push ecx |
mov edx, dword ptr [ebp+08h] |
push edx |
call 00007F6048A1E0C6h |
add esp, 0Ch |
pop ebp |
retn 000Ch |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push ecx |
mov dword ptr [ebp-04h], ecx |
push 00000001h |
mov eax, dword ptr [ebp+08h] |
push eax |
mov ecx, dword ptr [ebp-04h] |
call 00007F6048A1E3D0h |
mov ecx, dword ptr [ebp-04h] |
mov dword ptr [ecx], 1005EB84h |
mov eax, dword ptr [ebp-04h] |
mov esp, ebp |
pop ebp |
retn 0004h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push ecx |
mov dword ptr [ebp-04h], ecx |
mov eax, dword ptr [ebp+08h] |
push eax |
mov ecx, dword ptr [ebp-04h] |
call 00007F6048A1E362h |
mov ecx, dword ptr [ebp-04h] |
mov dword ptr [ecx], 1005EB84h |
mov eax, dword ptr [ebp-04h] |
mov esp, ebp |
pop ebp |
retn 0004h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push ecx |
mov dword ptr [ebp-04h], ecx |
push 00000001h |
push 1005EB8Ch |
mov ecx, dword ptr [ebp-04h] |
call 00007F6048A1E36Fh |
mov eax, dword ptr [ebp-04h] |
mov dword ptr [eax], 1005EB84h |
mov eax, dword ptr [ebp-04h] |
mov esp, ebp |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push ecx |
mov dword ptr [ebp-04h], ecx |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6e7e0 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e830 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x89000 | 0x34c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0x2eb4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6cdc0 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6ce74 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6ce18 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x56000 | 0x168 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x540ea | 0x54200 | False | 0.547028812221 | data | 6.50211232576 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x56000 | 0x19030 | 0x19200 | False | 0.41747318097 | data | 5.50712561288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x70000 | 0x161cc | 0x1000 | False | 0.205078125 | data | 3.58289260721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.tls | 0x87000 | 0x9 | 0x200 | False | 0.033203125 | data | 0.0203931352361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.gfids | 0x88000 | 0xf8 | 0x200 | False | 0.26171875 | data | 1.29252519589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x89000 | 0x34c | 0x400 | False | 0.396484375 | data | 2.83417036073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x8a000 | 0x2eb4 | 0x3000 | False | 0.773518880208 | data | 6.66007908075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x89058 | 0x2f4 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetProcAddress, VirtualProtect, HeapAlloc, HeapFree, HeapWalk, Sleep, GetLocalTime, GetTickCount, OpenMutexA, LoadLibraryA, GetModuleFileNameA, GetEnvironmentVariableA, GetWindowsDirectoryA, CreateFileA, CreateFileW, SetFilePointerEx, CloseHandle, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, GetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, InterlockedFlushSList, SetLastError, EncodePointer, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapValidate, GetSystemInfo, LCMapStringW, GetStdHandle, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, WriteFile, OutputDebugStringW, WriteConsoleW, HeapReAlloc, HeapSize, HeapQueryInformation, GetStringTypeW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetStdHandle, GetFileSizeEx, DecodePointer |
ole32.dll | OleUninitialize, OleInitialize, OleSetContainedObject |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Grewrace | 1 | 0x1001d370 |
Put | 2 | 0x1001d240 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | 2014 Card sail Corporation. All rights reserved |
InternalName | Go.dll |
FileVersion | 4.2.2.67 |
CompanyName | Card sail |
URL | https://toldsend.com |
ProductName | Card sail Wood why |
FileDescription | Wood why |
OriginalFilename | Go.dll |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
02/10/21-15:15:45.007604 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8 |
02/10/21-15:16:16.602836 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 10, 2021 15:15:40.531838894 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:40.532143116 CET | 49756 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:40.606050968 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:40.606203079 CET | 80 | 49756 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:40.606208086 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:40.606373072 CET | 49756 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:40.607914925 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:40.723108053 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:40.996198893 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:40.996232986 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:40.996254921 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:40.996273041 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:40.996289968 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:40.996294022 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:40.996306896 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:40.996334076 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:40.996361017 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.035697937 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.035742044 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.035768032 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.035793066 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.035871029 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.035919905 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.070897102 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.070955992 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.070991039 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.071019888 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.071026087 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.071059942 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.071069002 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.071083069 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.071105957 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.071140051 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.071158886 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.071176052 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.071192980 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.071208000 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.071223974 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.071259022 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.075469971 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.075516939 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.075649977 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.080199003 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.080323935 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.111747026 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.111783028 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.111808062 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.111828089 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.111850977 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.111874104 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.111895084 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.111915112 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.111998081 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.112059116 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.146960974 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147000074 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147027969 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147044897 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147059917 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147074938 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147079945 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.147092104 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147109985 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147133112 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147146940 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.147155046 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147176981 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147196054 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147212982 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.147216082 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147233963 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.147252083 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.147278070 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.156470060 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156526089 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156563997 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156586885 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156604052 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156621933 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156636953 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156653881 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156671047 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.156676054 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156709909 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.156748056 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.156822920 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.186259031 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.186295986 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.186319113 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.186342955 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.186355114 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.186367989 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.186398029 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.186400890 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.186424017 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.186448097 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.186449051 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.186470985 CET | 80 | 49755 | 35.228.31.40 | 192.168.2.7 |
Feb 10, 2021 15:15:41.186476946 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
Feb 10, 2021 15:15:41.186513901 CET | 49755 | 80 | 192.168.2.7 | 35.228.31.40 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 10, 2021 15:13:49.652070045 CET | 59762 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:13:49.702563047 CET | 53 | 59762 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:13:50.811459064 CET | 54329 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:13:50.869975090 CET | 53 | 54329 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:13:52.083573103 CET | 58052 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:13:52.133831024 CET | 53 | 58052 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:13:53.234210968 CET | 54008 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:13:53.283061981 CET | 53 | 54008 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:13:54.596215010 CET | 59451 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:13:54.649353027 CET | 53 | 59451 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:13:56.392698050 CET | 52914 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:13:56.442547083 CET | 53 | 52914 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:13:58.953134060 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:13:59.001775980 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:00.093838930 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:00.153899908 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:01.123405933 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:01.175026894 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:02.264497042 CET | 54230 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:02.318202019 CET | 53 | 54230 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:03.700726986 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:03.749423027 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:05.865025997 CET | 49958 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:05.913882971 CET | 53 | 49958 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:08.312998056 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:08.377372026 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:17.568866968 CET | 50452 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:17.630748034 CET | 53 | 50452 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:18.863126993 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:18.914267063 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:20.341684103 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:20.395224094 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:21.406733990 CET | 51919 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:21.455353022 CET | 53 | 51919 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:24.958525896 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:25.007149935 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:33.885106087 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:33.943607092 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:38.643295050 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:38.695013046 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:39.806226015 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:39.875431061 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:42.050301075 CET | 49247 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:42.098851919 CET | 53 | 49247 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:47.042896986 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:47.093307018 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:14:54.199312925 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:14:54.260730982 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:13.947529078 CET | 63744 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:13.999607086 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:14.024338007 CET | 53 | 63744 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:14.064687967 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:14.105293989 CET | 58367 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:14.180802107 CET | 53 | 58367 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:21.850204945 CET | 60599 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:21.907396078 CET | 53 | 60599 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:22.573805094 CET | 59571 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:22.630867004 CET | 53 | 59571 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:23.514405012 CET | 52689 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:23.571877956 CET | 53 | 52689 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:23.775295019 CET | 50290 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:23.852691889 CET | 53 | 50290 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:24.125828028 CET | 60427 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:24.192775965 CET | 53 | 60427 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:24.725378990 CET | 56209 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:24.774223089 CET | 53 | 56209 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:25.464097977 CET | 59582 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:25.521266937 CET | 53 | 59582 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:26.559375048 CET | 60949 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:26.613106966 CET | 53 | 60949 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:27.492147923 CET | 58542 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:27.550031900 CET | 53 | 58542 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:28.592166901 CET | 59179 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:28.641925097 CET | 53 | 59179 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:29.088866949 CET | 60927 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:29.137419939 CET | 53 | 60927 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:38.227042913 CET | 57854 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:38.287147045 CET | 53 | 57854 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:39.930980921 CET | 62026 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:40.490346909 CET | 53 | 62026 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:43.667367935 CET | 59453 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:44.307183981 CET | 62468 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:44.355885983 CET | 53 | 62468 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:44.677544117 CET | 59453 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:45.005522013 CET | 53 | 59453 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:45.007438898 CET | 53 | 59453 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:15:48.356102943 CET | 52563 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:15:48.669538021 CET | 53 | 52563 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:08.238946915 CET | 54721 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:08.292943001 CET | 53 | 54721 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:09.291835070 CET | 54721 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:09.343228102 CET | 53 | 54721 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:10.323930979 CET | 54721 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:10.351135969 CET | 62826 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:10.377247095 CET | 53 | 54721 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:10.412688971 CET | 53 | 62826 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:12.318151951 CET | 54721 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:12.371541977 CET | 53 | 54721 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:14.120670080 CET | 62046 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:14.120707035 CET | 51223 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:14.169413090 CET | 53 | 62046 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:14.171562910 CET | 53 | 51223 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:14.428504944 CET | 63908 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:14.485508919 CET | 53 | 63908 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:15.177875996 CET | 49226 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:16.193653107 CET | 49226 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:16.334763050 CET | 54721 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:16.387345076 CET | 53 | 54721 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:16.511574030 CET | 53 | 49226 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:16.602700949 CET | 53 | 49226 | 8.8.8.8 | 192.168.2.7 |
Feb 10, 2021 15:16:17.129333019 CET | 60212 | 53 | 192.168.2.7 | 8.8.8.8 |
Feb 10, 2021 15:16:17.188097000 CET | 53 | 60212 | 8.8.8.8 | 192.168.2.7 |
ICMP Packets |
---|
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
Feb 10, 2021 15:15:45.007603884 CET | 192.168.2.7 | 8.8.8.8 | d006 | (Port unreachable) | Destination Unreachable |
Feb 10, 2021 15:16:16.602835894 CET | 192.168.2.7 | 8.8.8.8 | d005 | (Port unreachable) | Destination Unreachable |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 10, 2021 15:15:39.930980921 CET | 192.168.2.7 | 8.8.8.8 | 0x6fa7 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:15:43.667367935 CET | 192.168.2.7 | 8.8.8.8 | 0xa34a | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:15:44.677544117 CET | 192.168.2.7 | 8.8.8.8 | 0xa34a | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:15:48.356102943 CET | 192.168.2.7 | 8.8.8.8 | 0xe5f9 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:10.351135969 CET | 192.168.2.7 | 8.8.8.8 | 0x66c1 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:14.120670080 CET | 192.168.2.7 | 8.8.8.8 | 0x5c05 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:14.120707035 CET | 192.168.2.7 | 8.8.8.8 | 0xc93a | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:14.428504944 CET | 192.168.2.7 | 8.8.8.8 | 0x6dcc | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:15.177875996 CET | 192.168.2.7 | 8.8.8.8 | 0xd109 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:16.193653107 CET | 192.168.2.7 | 8.8.8.8 | 0xd109 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:17.129333019 CET | 192.168.2.7 | 8.8.8.8 | 0xe114 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 10, 2021 15:15:40.490346909 CET | 8.8.8.8 | 192.168.2.7 | 0x6fa7 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:15:45.005522013 CET | 8.8.8.8 | 192.168.2.7 | 0xa34a | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:15:45.007438898 CET | 8.8.8.8 | 192.168.2.7 | 0xa34a | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:15:48.669538021 CET | 8.8.8.8 | 192.168.2.7 | 0xe5f9 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:10.412688971 CET | 8.8.8.8 | 192.168.2.7 | 0x66c1 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:14.169413090 CET | 8.8.8.8 | 192.168.2.7 | 0x5c05 | No error (0) | | | 208.67.222.222 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:14.171562910 CET | 8.8.8.8 | 192.168.2.7 | 0xc93a | No error (0) | | | 208.67.222.222 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:14.485508919 CET | 8.8.8.8 | 192.168.2.7 | 0x6dcc | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:16.511574030 CET | 8.8.8.8 | 192.168.2.7 | 0xd109 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:16.602700949 CET | 8.8.8.8 | 192.168.2.7 | 0xd109 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 10, 2021 15:16:17.188097000 CET | 8.8.8.8 | 192.168.2.7 | 0xe114 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
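The DNS and ICMP tables above are worth reading together: transaction IDs 0xa34a and 0xd109 are each sent twice about one second apart, each receives two answers, and both ICMP "Port unreachable" rows land within 200 microseconds of the second answer, which is consistent with the client having already closed its source port after the first reply. The script below is an added example, not part of the Joe Sandbox report: it parses a subset of the rows above (copied in as constructed sample input, with the Name/CName cells blank exactly as the report renders them, so the transaction ID is the only join key), flags retransmitted queries and duplicated answers, collects the resolved addresses as IOCs, and attributes each ICMP unreachable to the late answer that preceded it. The 5 ms matching window is an assumption chosen for this capture.

```python
"""Added example (not from the Joe Sandbox report): correlate the report's
DNS Queries, DNS Answers and ICMP tables by transaction ID and timestamp."""
from collections import defaultdict
from datetime import datetime

# Constructed sample input: rows copied from the tables above, pipe-delimited,
# first line is the header. Query names are blank as on the report page.
DNS_QUERIES = """\
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 10, 2021 15:15:39.930980921 CET | 192.168.2.7 | 8.8.8.8 | 0x6fa7 | Standard query (0) | | A (IP address) | IN (0x0001)
Feb 10, 2021 15:15:43.667367935 CET | 192.168.2.7 | 8.8.8.8 | 0xa34a | Standard query (0) | | A (IP address) | IN (0x0001)
Feb 10, 2021 15:15:44.677544117 CET | 192.168.2.7 | 8.8.8.8 | 0xa34a | Standard query (0) | | A (IP address) | IN (0x0001)
Feb 10, 2021 15:16:14.120670080 CET | 192.168.2.7 | 8.8.8.8 | 0x5c05 | Standard query (0) | | A (IP address) | IN (0x0001)
Feb 10, 2021 15:16:15.177875996 CET | 192.168.2.7 | 8.8.8.8 | 0xd109 | Standard query (0) | | A (IP address) | IN (0x0001)
Feb 10, 2021 15:16:16.193653107 CET | 192.168.2.7 | 8.8.8.8 | 0xd109 | Standard query (0) | | A (IP address) | IN (0x0001)
"""

DNS_ANSWERS = """\
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 10, 2021 15:15:40.490346909 CET | 8.8.8.8 | 192.168.2.7 | 0x6fa7 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001)
Feb 10, 2021 15:15:45.005522013 CET | 8.8.8.8 | 192.168.2.7 | 0xa34a | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001)
Feb 10, 2021 15:15:45.007438898 CET | 8.8.8.8 | 192.168.2.7 | 0xa34a | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001)
Feb 10, 2021 15:16:14.169413090 CET | 8.8.8.8 | 192.168.2.7 | 0x5c05 | No error (0) | | | 208.67.222.222 | A (IP address) | IN (0x0001)
Feb 10, 2021 15:16:16.511574030 CET | 8.8.8.8 | 192.168.2.7 | 0xd109 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001)
Feb 10, 2021 15:16:16.602700949 CET | 8.8.8.8 | 192.168.2.7 | 0xd109 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001)
"""

ICMP = """\
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Feb 10, 2021 15:15:45.007603884 CET | 192.168.2.7 | 8.8.8.8 | d006 | (Port unreachable) | Destination Unreachable
Feb 10, 2021 15:16:16.602835894 CET | 192.168.2.7 | 8.8.8.8 | d005 | (Port unreachable) | Destination Unreachable
"""


def parse_ts(text):
    """'Feb 10, 2021 15:15:45.007438898 CET' -> datetime (ns truncated to us)."""
    stamp, _tz = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_table(text):
    """Turn a pipe-delimited table (first line = header) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        row = dict(zip(header, (c.strip() for c in ln.split("|"))))
        row["ts"] = parse_ts(row["Timestamp"])
        rows.append(row)
    return rows


def correlate(queries, answers, icmp, window_s=0.005):
    """Retransmissions, duplicate answers, resolved IOCs, and ICMP attribution."""
    q_by_tid, a_by_tid = defaultdict(list), defaultdict(list)
    for q in queries:
        q_by_tid[q["Trans ID"]].append(q)
    for a in answers:
        a_by_tid[a["Trans ID"]].append(a)

    retransmitted = sorted(t for t, rows in q_by_tid.items() if len(rows) > 1)
    duplicated = sorted(t for t, rows in a_by_tid.items() if len(rows) > 1)
    resolved = sorted({a["Address"] for a in answers if a["Address"]})

    # Attribute each ICMP port-unreachable to the most recent answer that
    # arrived within window_s before it (assumed window for this capture).
    late = []
    for ic in icmp:
        cands = [a for a in answers
                 if 0 <= (ic["ts"] - a["ts"]).total_seconds() <= window_s]
        if cands:
            a = max(cands, key=lambda r: r["ts"])
            gap_us = round((ic["ts"] - a["ts"]).total_seconds() * 1e6)
            late.append((a["Trans ID"], a["Address"], gap_us))
    return {"retransmitted": retransmitted, "duplicated": duplicated,
            "resolved": resolved, "icmp_unreachable_after": late}


def report():
    return correlate(parse_table(DNS_QUERIES), parse_table(DNS_ANSWERS),
                     parse_table(ICMP))


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Because the report strips the queried names, the script can only say which transaction IDs were retried and which addresses came back (35.228.31.40 for most queries, 208.67.222.222 for the pair sent at 15:16:14.120); it does not attempt to guess the names themselves. The same parser works on the full tables if they are pasted in place of the sample rows.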
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.7 | 49755 | 35.228.31.40 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 10, 2021 15:15:40.607914925 CET | 5758 | OUT | |
Feb 10, 2021 15:15:40.996198893 CET | 5759 | IN | |