Analysis Report iJdlvBxhYu.dll
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup
Malware Configuration
Threatname: Ursnif
{"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Yara Overview
Memory Dumps
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Sigma Overview
No Sigma rule has matched
Signature Overview
AV Detection
Signature: Found malware configuration
Evidence rows in this category by source type:
| Source type | Rows |
|---|---|
| Malware Configuration Extractor | 1 |
| Static PE information | 2 |
| File opened | 1 |
| Binary string | 1 |
| Code function | 1 |
| IP Address | 1 |
| HTTP traffic detected | 1 |
| DNS traffic detected | 1 |
| String found in binary or memory | 1 |
| Network traffic detected | 10 |
Key, Mouse, Clipboard, Microphone and Screen Capturing
Signature: Yara detected Ursnif
Evidence rows in this category by source type:
| Source type | Rows |
|---|---|
| File source | 10 |
E-Banking Fraud
Signature: Yara detected Ursnif
Evidence rows in this category by source type:
| Source type | Rows |
|---|---|
| File source | 10 |
System Summary
Signature: Writes registry values via WMI
Evidence rows in this category by source type:
| Source type | Rows |
|---|---|
| WMI Registry write | 3 |
| Code function | 53 |
| Binary or memory string | 1 |
| Static PE information | 17 |
| Classification label | 1 |
| File created | 2 |
| File read | 1 |
| Key opened | 1 |
| Process created | 13 |
| Key value queried | 1 |
| Automated click | 2 |
| Window detected | 1 |
| File opened | 1 |
| Binary string | 1 |
Hooking and other Techniques for Hiding and Protection
Signature: Yara detected Ursnif
Evidence rows in this category by source type:
| Source type | Rows |
|---|---|
| File source | 10 |
| Registry key monitored for changes | 1 |
| Process information set | 11 |
| Last function | 3 |
| Code function | 44 |
| Process created | 1 |
| Binary or memory string | 4 |
Stealing of Sensitive Information
Signature: Yara detected Ursnif
Evidence rows in this category by source type:
| Source type | Rows |
|---|---|
| File source | 10 |
Remote Access Functionality
Signature: Yara detected Ursnif
Evidence rows in this category by source type:
| Source type | Rows |
|---|---|
| File source | 10 |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection12 | Masquerading1 | OS Credential Dumping | System Time Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Security Software Discovery3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
| Source | Detection | Scanner | Label |
|---|---|---|---|
| | 6% | Virustotal | |
| | 0% | ReversingLabs | |
Dropped Files
No Antivirus matches
Unpacked PE Files
| Source | Detection | Scanner | Label |
|---|---|---|---|
| | 100% | Avira | HEUR/AGEN.1108168 |
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| outlook.com | 40.97.128.194 | true | false | | high |
| HHN-efz.ms-acdc.office.com | 52.97.150.2 | true | false | | high |
| FRA-efz.ms-acdc.office.com | 52.97.201.82 | true | false | | high |
| www.outlook.com | unknown | unknown | false | | high |
| outlook.office365.com | unknown | unknown | false | | high |
Contacted URLs
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| | false | | high |
URLs from Memory and Binaries
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| | | false | | high |
Contacted IPs
Public
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 52.97.150.2 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 40.97.128.194 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 52.97.201.82 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Private
| IP |
|---|
| 192.168.2.1 |
General Information
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 404149 |
Start date: | 04.05.2021 |
Start time: | 18:51:40 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 48s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | iJdlvBxhYu.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 22 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal60.troj.winDLL@12/5@3/4 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations
Behavior and APIs
| Time | Type | Description |
|---|---|---|
| 18:53:49 | API Interceptor | |
Joe Sandbox View / Context
IPs
| Match | Associated samples (count) | Detection |
|---|---|---|
| 52.97.150.2 | 1 | malicious |
| 40.97.128.194 | 1 | malicious |
| 52.97.201.82 | 1 | malicious |
Domains
| Match | Associated samples (count) | Detection |
|---|---|---|
| HHN-efz.ms-acdc.office.com | 3 | malicious |
| outlook.com | 12 | malicious |
| FRA-efz.ms-acdc.office.com | 20 | malicious |
ASN
| Match | Associated samples (count) | Detection |
|---|---|---|
| MICROSOFT-CORP-MSN-AS-BLOCKUS | 20 | malicious |
| MICROSOFT-CORP-MSN-AS-BLOCKUS | 20 | malicious |
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files |
---|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29272 |
Entropy (8bit): | 1.7690028446621529 |
Encrypted: | false |
SSDEEP: | 48:IwOGcprWGwpL3G/ap8vZGIpcKGYGvnZpvKcGomRqp9KXGo4qW1pmEjGWmzy1MGWu:rSZOZ/2vLWbt6AfPqW1MfODIL+TNRDB |
MD5: | 7002C28F8DAFB19C321D8F3802742CAC |
SHA1: | 10586DB11264F5FB282E742B7C439209155B4A41 |
SHA-256: | AF3751488A7F551AE1A019B306EC610845E7424749F28AE6BF40C9F8BDFEC153 |
SHA-512: | 74ABC47BE2FA0394B397E0BCC83052452EC870C0141D01FF9CCAC3A284C556DD7464D9692CABAC3A64A7B015B5C5EC0A5153F528752C65ABC0D3F463CEF1D2DB |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 27440 |
Entropy (8bit): | 1.8692767005485296 |
Encrypted: | false |
SSDEEP: | 192:r+ZdQF6fkZj52dWxMN64GBKG7x4GBKGuA:rKiwcVI0Kguouq |
MD5: | 8FA8A2AC554320BF7B927691D0E9AA33 |
SHA1: | 37BB604AF62C4236281E0640728FAB1A40E61068 |
SHA-256: | 5CFA609F2EE9DD30D833ADF282288AB25CBE0619EF014B63A2D71DD0636FD61E |
SHA-512: | DC3570C168CC2174D16E1908AAFB7C3C4BDD8E13192131EAFA8FB6F91D7E4717CFF5B49FC9B29F6E41D77A18388A53EFD7668760024C4603851EECE097196909 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | modified |
Size (bytes): | 89 |
Entropy (8bit): | 4.440534734931472 |
Encrypted: | false |
SSDEEP: | 3:oVXUWRFEfQRcS4T48JOGXnEWRFEfQRcS4uULun:o9UChcwqEChcS7 |
MD5: | 5B1B55767347E99D9DF8CFDEA6ABE92F |
SHA1: | 21E2F35CA929750943C12141583CCA5D3EAB76A3 |
SHA-256: | A93DEB522A49F2709E978A2F8F1B8A35FBF8B9EAFA8AF6499EC096BE71E0555A |
SHA-512: | B4FE7A36552EE0BF60DB9781C17B8A7F2E8B81D6C67B1480319C26C1E6B8D898AAC7C23374414E59594A65E67E4404BCBBDEE0EB22D9929EE6BD833EA1DBF570 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 39777 |
Entropy (8bit): | 0.6001466555757741 |
Encrypted: | false |
SSDEEP: | 192:kBqoxKAuqR+CkuH0S4GBKGz4GBKG/4GBKGE:kBqoxKAuqR+CkuH0SuWueuX |
MD5: | 648119EC3976EFE617D1F81C477C1B69 |
SHA1: | 941D0AD9905FF41F28A51FC7463C7E80E63DFBAC |
SHA-256: | 0AE66953DBE3EBBC42F7D50BFF3568F07E10D28C9205B89CBCADFA5FD327A0D4 |
SHA-512: | 3DD2AEF4769544D679FE1BCDF7D18408AE61C5070D1123914D46CC4AED5890D0F217B31AC77990A554A2ED7CE49D694030A85F17B9223D62516C97E765186ED5 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12933 |
Entropy (8bit): | 0.4101257122829776 |
Encrypted: | false |
SSDEEP: | 24:c9lLh9lLh9lIn9lIn9lof9lof9lWJatrFat5B:kBqoIAeo10fB |
MD5: | 0182845E86B74629EC312B38783F6A31 |
SHA1: | B0FBDA728E7F1458FF95368C850A0CC9F5C534B8 |
SHA-256: | 73172B66EC5FE590A7CC6F5F2CC197082ABCC57AF15A2943A739F91995081D4F |
SHA-512: | 8FD0EEE8E84724EC60A73A512D834F87297AD6A40260A25C4EF97BD0CFE513B690B177164E351D32AAD994E1A12D211486826BCC5038CA629E4C65AED74745C5 |
Malicious: | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.549323607622641 |
File name: | iJdlvBxhYu.dll |
File size: | 523264 |
MD5: | 18d613d02eaf8d339feebb21f578f329 |
SHA1: | 01ea39853139ccfe82f0bd19f8963d3ccebf8e8a |
SHA256: | bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1 |
SHA512: | a432ca4267f56530945e2dd352e658d72b3fc84101b84dcd86bc0adcf42e218e394556d6b69cec92cb30a960ce83586e8c026e971f02fa5154d100a198f1e4ce |
SSDEEP: | 12288:CddaT8lLVrp6I7MsfHqWxSWlNTjGoLYTbgOJpXLH:Cddhp1YCMuFx/jGo0XL |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................^.G.......T......AN.......V.......i.......h.....^.B...............l.......U.......R.......W.....Rich........... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x104a38a |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x1000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x6089CC25 [Wed Apr 28 20:57:09 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 61abfa6d76443dd7d018df0c9cf8b0a5 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FD0D4954B07h |
call 00007FD0D495B0D4h |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007FD0D4954B0Ch |
add esp, 0Ch |
pop ebp |
retn 000Ch |
push 0000000Ch |
push 0107B4A8h |
call 00007FD0D4955A1Ch |
xor eax, eax |
inc eax |
mov esi, dword ptr [ebp+0Ch] |
test esi, esi |
jne 00007FD0D4954B0Eh |
cmp dword ptr [0118E36Ch], esi |
je 00007FD0D4954BEAh |
and dword ptr [ebp-04h], 00000000h |
cmp esi, 01h |
je 00007FD0D4954B07h |
cmp esi, 02h |
jne 00007FD0D4954B37h |
mov ecx, dword ptr [01075238h] |
test ecx, ecx |
je 00007FD0D4954B0Eh |
push dword ptr [ebp+10h] |
push esi |
push dword ptr [ebp+08h] |
call ecx |
mov dword ptr [ebp-1Ch], eax |
test eax, eax |
je 00007FD0D4954BB7h |
push dword ptr [ebp+10h] |
push esi |
push dword ptr [ebp+08h] |
call 00007FD0D4954916h |
mov dword ptr [ebp-1Ch], eax |
test eax, eax |
je 00007FD0D4954BA0h |
mov ebx, dword ptr [ebp+10h] |
push ebx |
push esi |
push dword ptr [ebp+08h] |
call 00007FD0D4952376h |
mov edi, eax |
mov dword ptr [ebp-1Ch], edi |
cmp esi, 01h |
jne 00007FD0D4954B2Ah |
test edi, edi |
jne 00007FD0D4954B26h |
push ebx |
push eax |
push dword ptr [ebp+08h] |
call 00007FD0D495235Eh |
push ebx |
push edi |
push dword ptr [ebp+08h] |
call 00007FD0D49548DCh |
mov eax, dword ptr [01075238h] |
test eax, eax |
je 00007FD0D4954B09h |
push ebx |
push edi |
push dword ptr [ebp+08h] |
call eax |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7bbd0 | 0x58 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7bc28 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x191000 | 0x498 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x192000 | 0x2818 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6b200 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7a980 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6b000 | 0x1ac | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6988d | 0x69a00 | False | 0.70416512574 | data | 6.62140187581 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x6b000 | 0x115e0 | 0x11600 | False | 0.471967738309 | data | 5.23669501131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x7d000 | 0x113300 | 0x1800 | False | 0.333984375 | data | 3.88700180982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x191000 | 0x498 | 0x600 | False | 0.356119791667 | data | 2.99935790597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x192000 | 0x2818 | 0x2a00 | False | 0.743117559524 | data | 6.59705049508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x1910a0 | 0x35c | data | English | United States |
RT_MANIFEST | 0x191400 | 0x91 | XML 1.0 document text | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetEnvironmentVariableA, SetStdHandle, SetFilePointerEx, WriteConsoleW, CloseHandle, GetFileAttributesW, GetWindowsDirectoryW, CreateProcessW, OpenMutexW, VirtualProtectEx, EncodePointer, DecodePointer, HeapAlloc, GetSystemTimeAsFileTime, RaiseException, RtlUnwind, GetCommandLineA, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, HeapFree, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, IsDebuggerPresent, GetTimeZoneInformation, SetLastError, GetCurrentThread, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, CreateSemaphoreW, SetConsoleCtrlHandler, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, FreeLibrary, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapReAlloc, OutputDebugStringW, GetStringTypeW, CreateFileW |
USER32.dll | GetPropW, CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW |
GDI32.dll | MoveToEx, SetTextColor, SetBkMode, SetBkColor, LineTo, IntersectClipRect, GetClipBox, GetCharWidthW, CreateBitmap |
COMCTL32.dll | ImageList_SetDragCursorImage, ImageList_Draw, PropertySheetW, CreatePropertySheetPageA |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Enterbeen | 1 | 0x1047ed0 |
Multiply | 2 | 0x1047fb0 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Fingergeneral Corporation. All rights reserved |
InternalName | Probable |
FileVersion | 5.5.2.216 Sidedone |
CompanyName | Fingergeneral Corporation |
ProductName | Fingergeneral Wear twenty |
ProductVersion | 5.5.2.216 |
FileDescription | Fingergeneral Wear twenty |
OriginalFilename | turn.dll |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior
Snort IDS Alerts
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 05/04/21-18:52:29.692083 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:29.727060 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6 |
| 05/04/21-18:52:29.727454 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:29.763162 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6 |
| 05/04/21-18:52:29.763557 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:29.799375 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.49.165 | 192.168.2.6 |
| 05/04/21-18:52:29.800094 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:29.840838 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.18 | 192.168.2.6 |
| 05/04/21-18:52:29.841596 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:29.888178 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.53 | 192.168.2.6 |
| 05/04/21-18:52:29.888557 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:29.935589 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.56.190 | 192.168.2.6 |
| 05/04/21-18:52:29.936007 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:29.981493 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 4.68.37.93 | 192.168.2.6 |
| 05/04/21-18:52:29.981978 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:33.661732 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:37.677969 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:41.678428 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:46.273239 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:50.163683 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:54.183288 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:52:58.210718 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:02.180671 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:06.166018 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:10.165814 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:14.165998 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:18.170708 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:22.187264 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:26.185740 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:30.169625 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:34.182432 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:38.621192 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:42.637472 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:46.627649 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:50.623633 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:54.618741 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:53:59.048851 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:02.619742 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:06.619825 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:10.620244 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:14.620372 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:18.627035 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:22.627997 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:26.622060 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:30.622421 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:34.623800 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:38.622781 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
| 05/04/21-18:54:42.626771 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
May 4, 2021 18:54:06.474169970 CEST | 192.168.2.6 | 8.8.8.8 | 0xc384 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 4, 2021 18:54:07.356297970 CEST | 192.168.2.6 | 8.8.8.8 | 0x97c4 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 4, 2021 18:54:07.588264942 CEST | 192.168.2.6 | 8.8.8.8 | 0x3bca | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.6 | 49726 | 40.97.128.194 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 4, 2021 18:54:06.690716028 CEST | 1192 | OUT | |
May 4, 2021 18:54:06.838143110 CEST | 1192 | IN |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 18:52:30 |
Start date: | 04/05/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa50000 |
File size: | 116736 bytes |
MD5 hash: | 542795ADF7CC08EFCF675D65310596E8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:52:30 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:52:30 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1040000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:52:30 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1040000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | high |
General |
---|
Start time: | 18:52:33 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1040000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:54:04 |
Start date: | 04/05/2021 |
Path: | C:\Program Files\internet explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff721e20000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:54:04 |
Start date: | 04/05/2021 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x40000 |
File size: | 822536 bytes |
MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|