Analysis Report 13efMb6ayq.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup
Malware Configuration
Threatname: NanoCore
{"Version": ".0.0.0,", "Mutex": "a7fa722b-7dae-45b1-afa6-302155a5", "Group": "Default", "Domain1": "wespeaktruthtoman.sytes.net", "Domain2": "wespeaktruthtoman12.sytes.net", "Port": 5600, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Yara Overview
Memory Dumps
Rule | Description | Author
---|---|---
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Unpacked PEs
Rule | Description | Author
---|---|---
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Sigma Overview
AV Detection:
Sigma detected: NanoCore (Author: Joe Security)
E-Banking Fraud:
Sigma detected: NanoCore (Author: Joe Security)
System Summary:
Sigma detected: Possible Applocker Bypass (Author: juju4)
Stealing of Sensitive Information:
Sigma detected: NanoCore (Author: Joe Security)
Remote Access Functionality:
Sigma detected: NanoCore (Author: Joe Security)
Signature Overview
AV Detection:
Found malware configuration
Source: Malware Configuration Extractor
Multi AV Scanner detection for domain / URL
Source: Virustotal
Multi AV Scanner detection for submitted file
Source: Virustotal
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: Joe Sandbox ML
Machine Learning detection for sample
Source: Joe Sandbox ML
Networking:
C2 URLs / IPs found in malware configuration
E-Banking Fraud:
Yara detected Nanocore RAT
System Summary:
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
PE file has nameless sections
Data Obfuscation:
Detected unpacking (changes PE section rights)
Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
Hooking and other Techniques for Hiding and Protection:
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malware Analysis System Evasion:
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Anti Debugging:
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: Code function: 0_2_01191690
HIPS / PFW / Operating System Protection Evasion:
Injects a PE file into a foreign process
Writes to foreign memory regions
Stealing of Sensitive Information:
Yara detected Nanocore RAT
Remote Access Functionality:
Detected Nanocore Rat
Yara detected Nanocore RAT
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection211 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion41 | Security Account Manager | Virtualization/Sandbox Evasion41 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection211 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing12 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Detection | Scanner | Label
---|---|---
26% | Virustotal |
100% | Joe Sandbox ML |
Dropped Files
Detection | Scanner | Label
---|---|---
100% | Joe Sandbox ML |
Unpacked PE Files
Detection | Scanner | Label
---|---|---
100% | Avira | TR/Crypt.XPACK.Gen
Domains
Detection | Scanner | Label
---|---|---
8% | Virustotal |
URLs
Detection | Scanner | Label
---|---|---
0% | Virustotal |
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
---|---|---|---|---|---
wespeaktruthtoman.sytes.net | 79.134.225.47 | true | true | | unknown
wespeaktruthtoman12.sytes.net | unknown | unknown | true | | unknown
Contacted URLs
Malicious | Antivirus Detection | Reputation
---|---|---
true | | unknown
true | | unknown
URLs from Memory and Binaries
Malicious | Antivirus Detection | Reputation
---|---|---
false | | unknown
false | | high
false | | unknown
false | | unknown
false | | unknown
false | | unknown
false | | high
false | | high
false | | high
false | | unknown
false | | unknown
Contacted IPs
Public
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
79.134.225.47 | wespeaktruthtoman.sytes.net | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true
General Information
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 412090 |
Start date: | 12.05.2021 |
Start time: | 11:55:20 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | 13efMb6ayq.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@6/5@48/1 |
EGA Information: | Failed |
Simulations
Behavior and APIs
Time | Type | Description |
---|---|---|
11:56:14 | API Interceptor | |
11:56:19 | API Interceptor |
Joe Sandbox View / Context
IPs
Match | Associated Sample Name / URL | SHA 256 | Detection
---|---|---|---
79.134.225.47 | | | malicious
Domains
Match | Associated Sample Name / URL | SHA 256 | Detection
---|---|---|---
wespeaktruthtoman.sytes.net | | | malicious
ASN
Match | Associated Sample Name / URL | SHA 256 | Detection
---|---|---|---
FINK-TELECOM-SERVICESCH | | | malicious
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
Process: | C:\Users\user\Desktop\13efMb6ayq.exe |
Category: | modified |
Size (bytes): | 1314 |
Entropy (8bit): | 5.350128552078965 |
Encrypted: | false |
SSDEEP: | 24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR |
MD5: | 8198C64CE0786EABD4C792E7E6FC30E5 |
SHA1: | 71E1676126F4616B18C751A0A775B2D64944A15A |
SHA-256: | C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4 |
SHA-512: | EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\Desktop\13efMb6ayq.exe |
Category: | dropped |
Size (bytes): | 1651 |
Entropy (8bit): | 5.173489332133557 |
Encrypted: | false |
SSDEEP: | 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB4jtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3A |
MD5: | AA258ECF15D4B8EAE0D25BC14E9364DB |
SHA1: | C86E67F2A208055B174B948ABD563D99E8F3247D |
SHA-256: | C99758943A96EF108590C403E08989158C1E3F970A479F26611DB42E8BC9E96F |
SHA-512: | D4F1735572F337B008258527B35517D73BFE76BA32584B1A02C53511886D32242F35A390BE6C0DEC56837F06AF2F0855AE84567547618ED67B6B3BC7BD78528D |
Malicious: | true |
Reputation: | low |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Category: | dropped |
Size (bytes): | 8 |
Entropy (8bit): | 3.0 |
Encrypted: | false |
SSDEEP: | 3:oi8n:oi8 |
MD5: | 3C7F8EF66EA764B5B594543E8361A6B6 |
SHA1: | 58DCDCC3E7F7575E5768ED9A5F335D15B50D63BC |
SHA-256: | 538BC6C18A2964BF839571116569E8BEB0D388ED8AF16090349D990BF2D24AD4 |
SHA-512: | D288DA67A544D4F15B525672A89DF9F791EF26530DC8D4FB5EA7E65A01823AB4EB81B4A9276304D00A5BF6D6774452C91AD7D5DAB5E0E1A643F4474549488F6E |
Malicious: | true |
Reputation: | low |
Process: | C:\Users\user\Desktop\13efMb6ayq.exe |
Category: | dropped |
Size (bytes): | 1250816 |
Entropy (8bit): | 7.982339309647317 |
Encrypted: | false |
SSDEEP: | 24576:fB4YJ28quwK87NXNAekJ+pL04NVMOVgrmjX0970Jorgb8OvDUo80:6d1uwHNXeeD0zOVxjE97060b8Ov38 |
MD5: | 5003ED514F5EC9F0C5FBBC8994DFBFE7 |
SHA1: | 71E8666304C34B0E4F96502C1A9747ACF19ACFA5 |
SHA-256: | EEC100FDEF88C4BCD7FE30040CCD0476CAC543AB8EDDA576C5E5A799606C585E |
SHA-512: | 33C17242AD0F184610CFF328EFD33833636C4A479C0990DB32EF78E88EC73B113D4A968107F04C6DC6708A6A1510F1C5C4954A94F5E5FDA65BBB87DA0A2DED89 |
Malicious: | true |
Reputation: | low |
Process: | C:\Users\user\Desktop\13efMb6ayq.exe |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Static File Info
General
Entropy (8bit): | 7.982339309647317 |
File name: | 13efMb6ayq.exe |
File size: | 1250816 |
MD5: | 5003ed514f5ec9f0c5fbbc8994dfbfe7 |
SHA1: | 71e8666304c34b0e4f96502c1a9747acf19acfa5 |
SHA256: | eec100fdef88c4bcd7fe30040ccd0476cac543ab8edda576c5e5a799606c585e |
SHA512: | 33c17242ad0f184610cff328efd33833636c4a479c0990db32ef78e88ec73b113d4a968107f04c6dc6708a6a1510f1c5c4954a94f5e5fda65bbb87da0a2ded89 |
SSDEEP: | 24576:fB4YJ28quwK87NXNAekJ+pL04NVMOVgrmjX0970Jorgb8OvDUo80:6d1uwHNXeeD0zOVxjE97060b8Ov38 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P......P.......`...@... ....@.. ....................................@................................ |
File Icon
Icon Hash: | f2d2e9fcc4ead362 |
Static PE Info
General
Entrypoint: | 0x53600a |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x609B8A89 [Wed May 12 07:58:01 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview
Instruction |
---|
jmp dword ptr [00536000h] |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1248ac | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x130000 | 0x34c0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x134000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x136000 | 0x8 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x124000 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
+j821Zo | 0x2000 | 0x1217bc | 0x121800 | False | 1.00031287106 | data | 7.99985504348 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.text | 0x124000 | 0xbeb8 | 0xc000 | False | 0.444742838542 | data | 5.99458868006 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0x130000 | 0x34c0 | 0x3600 | False | 0.361038773148 | data | 5.24830765917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x134000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
0x136000 | 0x10 | 0x200 | False | 0.044921875 | data | 0.142635768149 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x130130 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 (a libmagic misidentification of raw icon bitmap data) | ||
RT_GROUP_ICON | 0x1326d8 | 0x14 | data | ||
RT_VERSION | 0x1326ec | 0x36c | data | ||
RT_MANIFEST | 0x132a58 | 0xa65 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 2013 |
Assembly Version | 3.0.0.0 |
InternalName | IRuntimeMethodInfo.exe |
FileVersion | 3.0.0.0 |
CompanyName | |
LegalTrademarks | |
Comments | |
ProductName | ServerManager_Core |
ProductVersion | 3.0.0.0 |
FileDescription | ServerManager_Core |
OriginalFilename | IRuntimeMethodInfo.exe |
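The section table is the strongest static signal on this page: a section named `+j821Zo` that takes up roughly 1.1 MB of the 1.2 MB file, has entropy 7.9999 (indistinguishable from random data) and is mapped read/write/execute, next to a small ordinary .text section, a CLR header and a single mscoree.dll import. That is the profile of a .NET loader carrying an encrypted payload. The following Python is an added example written for this page, not Joe Sandbox code and not part of the sample: it walks the PE headers with only the standard library and reproduces the checks that matter here (per-section entropy, RWX characteristics, CLR-header presence) over a constructed PE32 that mirrors this layout. The section names, sizes and bytes in `build_sample_pe` are made up for the demonstration; the threshold of 7.2 bits per byte is an assumption, not a value from the report.

```python
import math
import struct

# Section characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot of the CLR header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; compressed or encrypted payloads sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:      # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", pe, opt + ndirs_off)[0]
    clr_va = clr_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_va, clr_size = struct.unpack_from("<II", pe, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "characteristics": chars, "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return {"is_dotnet": clr_va != 0 and clr_size != 0, "sections": sections}


def triage(pe: bytes, entropy_threshold: float = 7.2) -> dict:
    """Flag sections that are writable+executable, or executable and near-random."""
    info = parse_pe(pe)
    findings = []
    for s in info["sections"]:
        c = s["characteristics"]
        executable = bool(c & IMAGE_SCN_MEM_EXECUTE)
        if executable and c & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "RWX section"))
        if executable and s["entropy"] >= entropy_threshold:
            findings.append((s["name"], "executable section with entropy %.2f" % s["entropy"]))
    info["findings"] = findings
    return info


def build_sample_pe() -> bytes:
    """Constructed PE32 that mirrors the layout above (not the real file): a CLR header, one RWX
    section of uniformly distributed bytes and a small repetitive .text. Sizes and bytes are made up."""
    packed = bytes(range(256)) * 16                    # 4096 bytes, entropy exactly 8.0
    text = b"\x55\x8b\xec" * 100 + b"\x00" * 212       # 512 bytes: a repeated prologue plus padding
    layout = [
        (b"+j821Zo", 0x2000, packed,
         IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
        (b".text", 0x4000, text, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ),
    ]
    opt = bytearray(224)                               # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic
    struct.pack_into("<I", opt, 16, 0x4000)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x4000, 0x48)  # CLR header
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x0102)
    header_len = 64 + 4 + 20 + len(opt) + 40 * len(layout)
    raw_base = (header_len + 0x1FF) & ~0x1FF           # first section's raw data on a 0x200 boundary
    table, blobs = b"", b""
    for name, va, data, chars in layout:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_base + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_base - len(image)) + blobs
```

Running `triage(open(path, "rb").read())` on a real file yields the same dictionary; the CLR-header check is the reliable "is this .NET" test (the mscoree import alone can be forged), and the entropy check should be read per section, since a packed payload section next to a clean .text is exactly what a whole-file entropy figure would average away.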
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 12, 2021 11:56:22.281764984 CEST | 49715 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:22.357716084 CEST | 5600 | 49715 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:22.864218950 CEST | 49715 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:22.941792965 CEST | 5600 | 49715 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:23.552285910 CEST | 49715 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:23.628170013 CEST | 5600 | 49715 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:28.048727036 CEST | 49718 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:28.128902912 CEST | 5600 | 49718 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:28.645586014 CEST | 49718 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:28.725637913 CEST | 5600 | 49718 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:29.239418030 CEST | 49718 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:29.320132971 CEST | 5600 | 49718 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:33.456083059 CEST | 49723 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:33.532042980 CEST | 5600 | 49723 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:34.064884901 CEST | 49723 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:34.140707970 CEST | 5600 | 49723 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:34.771064997 CEST | 49723 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:34.846941948 CEST | 5600 | 49723 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:52.535027027 CEST | 49725 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:52.610995054 CEST | 5600 | 49725 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:53.272712946 CEST | 49725 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:53.348802090 CEST | 5600 | 49725 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:53.960200071 CEST | 49725 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:54.036463976 CEST | 5600 | 49725 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:58.121556044 CEST | 49727 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:58.198653936 CEST | 5600 | 49727 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:58.773147106 CEST | 49727 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:58.853504896 CEST | 5600 | 49727 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:59.460745096 CEST | 49727 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:59.536813974 CEST | 5600 | 49727 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:03.647186041 CEST | 49729 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:03.723046064 CEST | 5600 | 49729 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:04.226886988 CEST | 49729 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:04.302859068 CEST | 5600 | 49729 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:04.805072069 CEST | 49729 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:04.883039951 CEST | 5600 | 49729 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:22.134888887 CEST | 49737 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:22.213671923 CEST | 5600 | 49737 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:22.728266001 CEST | 49737 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:22.807145119 CEST | 5600 | 49737 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:23.322186947 CEST | 49737 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:23.402050018 CEST | 5600 | 49737 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:27.720781088 CEST | 49738 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:27.798253059 CEST | 5600 | 49738 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:28.306972027 CEST | 49738 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:28.382766008 CEST | 5600 | 49738 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:28.885368109 CEST | 49738 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:28.961153030 CEST | 5600 | 49738 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:33.065783024 CEST | 49739 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:33.141863108 CEST | 5600 | 49739 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:33.651046991 CEST | 49739 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:33.728403091 CEST | 5600 | 49739 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:34.229268074 CEST | 49739 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:34.305474043 CEST | 5600 | 49739 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:51.332679987 CEST | 49742 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:51.411637068 CEST | 5600 | 49742 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:51.918251991 CEST | 49742 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:51.997203112 CEST | 5600 | 49742 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:52.512095928 CEST | 49742 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:52.591227055 CEST | 5600 | 49742 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:56.701483965 CEST | 49743 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:56.781137943 CEST | 5600 | 49743 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:57.293746948 CEST | 49743 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:57.372451067 CEST | 5600 | 49743 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:57.887496948 CEST | 49743 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:57.966150999 CEST | 5600 | 49743 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:58:02.072910070 CEST | 49744 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:58:02.151597977 CEST | 5600 | 49744 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:58:02.653527975 CEST | 49744 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:58:02.734643936 CEST | 5600 | 49744 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:58:03.247381926 CEST | 49744 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:58:03.326116085 CEST | 5600 | 49744 | 79.134.225.47 | 192.168.2.5 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 12, 2021 11:55:59.210716009 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:55:59.225861073 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:55:59.230595112 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:55:59.243119955 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:55:59.292054892 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:55:59.353940010 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:55:59.404156923 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:00.123471022 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:00.180892944 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:00.927726030 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:00.984846115 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:01.720897913 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:01.778446913 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:02.521372080 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:02.571652889 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:03.420166969 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:03.470977068 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:04.322504044 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:04.371371984 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:05.106908083 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:05.159462929 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:06.032879114 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:06.081615925 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:06.975989103 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:07.027590990 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:22.142874002 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:22.201960087 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:27.984225988 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:28.046653032 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:28.945059061 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:29.012820959 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:31.553553104 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:31.621473074 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:33.361536980 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:33.421668053 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:38.899353981 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:38.958455086 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:39.105220079 CEST | 64345 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:56:39.165150881 CEST | 53 | 64345 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:56:39.210704088 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:39.268415928 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:42.095846891 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:42.154405117 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:43.317101955 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:43.379637003 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:43.460725069 CEST | 50394 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:56:43.518410921 CEST | 53 | 50394 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:56:43.543571949 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:43.600579977 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:47.649982929 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:47.712074995 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:47.715277910 CEST | 63732 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:56:47.764663935 CEST | 53 | 63732 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:56:48.144627094 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:48.193918943 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:52.470195055 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:52.532334089 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:54.883038998 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:54.957290888 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:58.062475920 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:58.120215893 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:56:59.484330893 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:56:59.546802998 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:03.570048094 CEST | 60516 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:03.624087095 CEST | 53 | 60516 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:06.724078894 CEST | 51649 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:06.785554886 CEST | 53 | 51649 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:08.947585106 CEST | 65086 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:09.000730038 CEST | 53 | 65086 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:09.007044077 CEST | 56432 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:57:09.066996098 CEST | 53 | 56432 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:57:09.161456108 CEST | 52929 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:09.220006943 CEST | 53 | 52929 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:10.326390028 CEST | 64317 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:10.387623072 CEST | 53 | 64317 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:13.378760099 CEST | 61004 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:13.435967922 CEST | 53 | 61004 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:13.470868111 CEST | 56895 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:57:13.530239105 CEST | 53 | 56895 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:57:13.537861109 CEST | 62372 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:13.595016003 CEST | 53 | 62372 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:17.634048939 CEST | 61515 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:17.691037893 CEST | 53 | 61515 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:17.694406986 CEST | 56675 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:57:17.751338959 CEST | 53 | 56675 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:57:17.970109940 CEST | 57172 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:18.023912907 CEST | 53 | 57172 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:22.074270964 CEST | 55267 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:22.133522034 CEST | 53 | 55267 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:27.656297922 CEST | 50969 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:27.715954065 CEST | 53 | 50969 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:33.002366066 CEST | 64362 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:33.064666986 CEST | 53 | 64362 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:38.339844942 CEST | 54766 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:38.398958921 CEST | 53 | 54766 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:38.438786030 CEST | 61446 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:57:38.499377966 CEST | 53 | 61446 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:57:38.542026043 CEST | 57515 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:38.602956057 CEST | 53 | 57515 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:42.564567089 CEST | 58199 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:42.622159004 CEST | 53 | 58199 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:42.631194115 CEST | 65221 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:42.683355093 CEST | 53 | 65221 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:42.688484907 CEST | 61573 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:57:42.749973059 CEST | 53 | 61573 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:57:42.779257059 CEST | 56562 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:42.839169979 CEST | 53 | 56562 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:46.912286043 CEST | 53591 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:46.975523949 CEST | 53 | 53591 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:47.078147888 CEST | 59688 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:57:47.138158083 CEST | 53 | 59688 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:57:47.173043966 CEST | 56032 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:47.199074984 CEST | 61150 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:47.230050087 CEST | 53 | 56032 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:47.274666071 CEST | 53 | 61150 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:51.274241924 CEST | 63458 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:51.331151009 CEST | 53 | 63458 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:57:56.642632961 CEST | 50422 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:57:56.699822903 CEST | 53 | 50422 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:58:02.016817093 CEST | 53247 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:58:02.070880890 CEST | 53 | 53247 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:58:07.372509003 CEST | 58544 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:58:07.429737091 CEST | 53 | 58544 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:58:07.433084011 CEST | 53814 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:58:07.490560055 CEST | 53 | 53814 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:58:07.615370035 CEST | 51305 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:58:07.675365925 CEST | 53 | 51305 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:58:11.712347984 CEST | 53670 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:58:11.763190031 CEST | 53 | 53670 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:58:11.815891027 CEST | 55160 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:58:11.875965118 CEST | 53 | 55160 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:58:11.963767052 CEST | 61414 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:58:12.012665987 CEST | 53 | 61414 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:58:16.017546892 CEST | 63847 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:58:16.071338892 CEST | 53 | 63847 | 8.8.8.8 | 192.168.2.5 |
May 12, 2021 11:58:16.083134890 CEST | 61523 | 53 | 192.168.2.5 | 8.8.4.4 |
May 12, 2021 11:58:16.131964922 CEST | 53 | 61523 | 8.8.4.4 | 192.168.2.5 |
May 12, 2021 11:58:16.167382002 CEST | 50551 | 53 | 192.168.2.5 | 8.8.8.8 |
May 12, 2021 11:58:16.225055933 CEST | 53 | 50551 | 8.8.8.8 | 192.168.2.5 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
May 12, 2021 11:56:22.142874002 CEST | 192.168.2.5 | 8.8.8.8 | 0x69eb | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:27.984225988 CEST | 192.168.2.5 | 8.8.8.8 | 0xd0a5 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:33.361536980 CEST | 192.168.2.5 | 8.8.8.8 | 0xd650 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:38.899353981 CEST | 192.168.2.5 | 8.8.8.8 | 0xfa70 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:39.105220079 CEST | 192.168.2.5 | 8.8.4.4 | 0xfda2 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:39.210704088 CEST | 192.168.2.5 | 8.8.8.8 | 0x2df9 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:43.317101955 CEST | 192.168.2.5 | 8.8.8.8 | 0xae1c | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:43.460725069 CEST | 192.168.2.5 | 8.8.4.4 | 0x32d2 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:43.543571949 CEST | 192.168.2.5 | 8.8.8.8 | 0x9370 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:47.649982929 CEST | 192.168.2.5 | 8.8.8.8 | 0xbb56 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:47.715277910 CEST | 192.168.2.5 | 8.8.4.4 | 0x290 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:48.144627094 CEST | 192.168.2.5 | 8.8.8.8 | 0x3617 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:52.470195055 CEST | 192.168.2.5 | 8.8.8.8 | 0x2268 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:58.062475920 CEST | 192.168.2.5 | 8.8.8.8 | 0x4b7a | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:03.570048094 CEST | 192.168.2.5 | 8.8.8.8 | 0x3fce | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:08.947585106 CEST | 192.168.2.5 | 8.8.8.8 | 0x792a | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:09.007044077 CEST | 192.168.2.5 | 8.8.4.4 | 0xb7c6 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:09.161456108 CEST | 192.168.2.5 | 8.8.8.8 | 0x7f32 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:13.378760099 CEST | 192.168.2.5 | 8.8.8.8 | 0x8e0d | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:13.470868111 CEST | 192.168.2.5 | 8.8.4.4 | 0xd121 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:13.537861109 CEST | 192.168.2.5 | 8.8.8.8 | 0xd97f | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:17.634048939 CEST | 192.168.2.5 | 8.8.8.8 | 0xaa52 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:17.694406986 CEST | 192.168.2.5 | 8.8.4.4 | 0x3479 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:17.970109940 CEST | 192.168.2.5 | 8.8.8.8 | 0x2d58 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:22.074270964 CEST | 192.168.2.5 | 8.8.8.8 | 0x446a | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:27.656297922 CEST | 192.168.2.5 | 8.8.8.8 | 0x439f | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:33.002366066 CEST | 192.168.2.5 | 8.8.8.8 | 0x1e77 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:38.339844942 CEST | 192.168.2.5 | 8.8.8.8 | 0x249d | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:38.438786030 CEST | 192.168.2.5 | 8.8.4.4 | 0x2be | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:38.542026043 CEST | 192.168.2.5 | 8.8.8.8 | 0x6262 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:42.631194115 CEST | 192.168.2.5 | 8.8.8.8 | 0x6c02 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:42.688484907 CEST | 192.168.2.5 | 8.8.4.4 | 0xf13f | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:42.779257059 CEST | 192.168.2.5 | 8.8.8.8 | 0xcd2 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:46.912286043 CEST | 192.168.2.5 | 8.8.8.8 | 0xb7ba | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:47.078147888 CEST | 192.168.2.5 | 8.8.4.4 | 0x342f | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:47.173043966 CEST | 192.168.2.5 | 8.8.8.8 | 0xf1a0 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:51.274241924 CEST | 192.168.2.5 | 8.8.8.8 | 0xee91 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:57:56.642632961 CEST | 192.168.2.5 | 8.8.8.8 | 0xb942 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:02.016817093 CEST | 192.168.2.5 | 8.8.8.8 | 0xe468 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:07.372509003 CEST | 192.168.2.5 | 8.8.8.8 | 0x5c47 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:07.433084011 CEST | 192.168.2.5 | 8.8.4.4 | 0x5831 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:07.615370035 CEST | 192.168.2.5 | 8.8.8.8 | 0xd723 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:11.712347984 CEST | 192.168.2.5 | 8.8.8.8 | 0x1d02 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:11.815891027 CEST | 192.168.2.5 | 8.8.4.4 | 0x17c2 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:11.963767052 CEST | 192.168.2.5 | 8.8.8.8 | 0xdfd2 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:16.017546892 CEST | 192.168.2.5 | 8.8.8.8 | 0x244d | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:16.083134890 CEST | 192.168.2.5 | 8.8.4.4 | 0xdfd9 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 11:58:16.167382002 CEST | 192.168.2.5 | 8.8.8.8 | 0xa769 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
May 12, 2021 11:56:22.201960087 CEST | 8.8.8.8 | 192.168.2.5 | 0x69eb | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:56:28.046653032 CEST | 8.8.8.8 | 192.168.2.5 | 0xd0a5 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:56:33.421668053 CEST | 8.8.8.8 | 192.168.2.5 | 0xd650 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:56:52.532334089 CEST | 8.8.8.8 | 192.168.2.5 | 0x2268 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:56:58.120215893 CEST | 8.8.8.8 | 192.168.2.5 | 0x4b7a | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:57:03.624087095 CEST | 8.8.8.8 | 192.168.2.5 | 0x3fce | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:57:22.133522034 CEST | 8.8.8.8 | 192.168.2.5 | 0x446a | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:57:27.715954065 CEST | 8.8.8.8 | 192.168.2.5 | 0x439f | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:57:33.064666986 CEST | 8.8.8.8 | 192.168.2.5 | 0x1e77 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:57:51.331151009 CEST | 8.8.8.8 | 192.168.2.5 | 0xee91 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:57:56.699822903 CEST | 8.8.8.8 | 192.168.2.5 | 0xb942 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 11:58:02.070880890 CEST | 8.8.8.8 | 192.168.2.5 | 0xe468 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) |
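The TCP table shows the same short exchange repeated on a fresh client port each time (three client packets about half a second apart, each answered), with new connections roughly 5.5 s apart in groups of three and an 18 s pause between groups, all to 79.134.225.47:5600, the one address every listed DNS answer resolves to. The queried names are not present in this rendering of the DNS tables, so the natural pivot is answer address to TCP flow to timing. The following Python is an added example written for this page, not Joe Sandbox code: it parses rows copied from the tables above (a subset), collects the resolved addresses, collapses packets into connections and scores how regular the connection starts are. The 20 % tolerance band around the median gap is an assumption; `datetime.strptime` takes at most six fractional digits, so the nanosecond timestamps are truncated to microseconds.

```python
import re
import statistics
from datetime import datetime, timedelta

# Rows copied from the DNS Answers and TCP Packets tables above (a subset), with the
# report's trailing empty cells left in place.
DNS_ANSWER_ROWS = """
May 12, 2021 11:56:22.201960087 CEST | 8.8.8.8 | 192.168.2.5 | 0x69eb | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:28.046653032 CEST | 8.8.8.8 | 192.168.2.5 | 0xd0a5 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | |
May 12, 2021 11:56:33.421668053 CEST | 8.8.8.8 | 192.168.2.5 | 0xd650 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | |
"""

TCP_ROWS = """
May 12, 2021 11:56:22.281764984 CEST | 49715 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:22.357716084 CEST | 5600 | 49715 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:22.864218950 CEST | 49715 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:22.941792965 CEST | 5600 | 49715 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:23.552285910 CEST | 49715 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:23.628170013 CEST | 5600 | 49715 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:28.048727036 CEST | 49718 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:28.128902912 CEST | 5600 | 49718 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:33.456083059 CEST | 49723 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:33.532042980 CEST | 5600 | 49723 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:52.535027027 CEST | 49725 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:52.610995054 CEST | 5600 | 49725 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:56:58.121556044 CEST | 49727 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:56:58.198653936 CEST | 5600 | 49727 | 79.134.225.47 | 192.168.2.5 |
May 12, 2021 11:57:03.647186041 CEST | 49729 | 5600 | 192.168.2.5 | 79.134.225.47 |
May 12, 2021 11:57:03.723046064 CEST | 5600 | 49729 | 79.134.225.47 | 192.168.2.5 |
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ts(cell: str) -> datetime:
    """'May 12, 2021 11:56:22.281764984 CEST' -> datetime, fraction truncated to microseconds."""
    head, frac = cell.replace("CEST", "").strip().split(".")
    return datetime.strptime(head, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=int(frac[:6].ljust(6, "0")))


def cells(row: str) -> list:
    return [c.strip() for c in row.strip().strip("|").split("|")]


def resolved_addresses(dns_rows: str) -> set:
    """Answer addresses: any IPv4 cell after the reply-code column."""
    out = set()
    for row in dns_rows.strip().splitlines():
        out.update(x for x in cells(row)[5:] if IPV4.match(x))
    return out


def beacon_profile(tcp_rows: str, targets: set, client: str, tolerance: float = 0.2) -> dict:
    """Collapse packets into connections (server, port, client port) and measure the gaps between their starts."""
    first_seen = {}
    for row in tcp_rows.strip().splitlines():
        ts, sport, dport, src, dst = cells(row)[:5]
        if src != client or dst not in targets:
            continue                      # only client-initiated packets towards resolved servers
        first_seen.setdefault((dst, int(dport), int(sport)), parse_ts(ts))
    starts = sorted(first_seen.values())
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if not gaps:
        return {"connections": len(starts), "servers": [], "median_gap": None, "periodic_fraction": 0.0}
    med = statistics.median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return {"connections": len(starts),
            "servers": sorted({(d, p) for d, p, _ in first_seen}),
            "median_gap": med,
            "periodic_fraction": regular / len(gaps)}


if __name__ == "__main__":
    print(beacon_profile(TCP_ROWS, resolved_addresses(DNS_ANSWER_ROWS), client="192.168.2.5"))
```

On the rows above this reports six connections to one server, a median gap of about 5.6 s and four of the five gaps inside the tolerance band; the one outlier is the pause between groups. A fixed short period with a single destination port and a new ephemeral port per attempt is what distinguishes a reconnecting implant from a long-lived application session.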
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 11:56:06 |
Start date: | 12/05/2021 |
Path: | C:\Users\user\Desktop\13efMb6ayq.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x730000 |
File size: | 1250816 bytes |
MD5 hash: | 5003ED514F5EC9F0C5FBBC8994DFBFE7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 11:56:16 |
Start date: | 12/05/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1280000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 11:56:17 |
Start date: | 12/05/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7ecfc0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 11:56:17 |
Start date: | 12/05/2021 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x550000 |
File size: | 45152 bytes |
MD5 hash: | 2867A3817C9245F7CF518524DFD18F28 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | high |
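The process list above is the behavioural counterpart of the static picture: a low-reputation .NET executable on the user's Desktop starts at 11:56:06, schtasks.exe (the usual route to a scheduled-task persistence entry) follows at 11:56:16, and RegSvcs.exe, a signed .NET Framework utility that loaders commonly pick as the host process for their decrypted payload, starts a second later. The section records no command lines and no parent/child links, so it shows the candidates, not the injection itself. The following Python is an added example written for this page, not Joe Sandbox code: a time-window correlation over process-start records copied from the list above that raises an alert for exactly that trio, plus a constructed benign control case. The 30 s window, the path markers and the host-process list are assumptions.

```python
from datetime import datetime, timedelta

# Process starts copied from the System Behavior section above: (start time, path, language, reputation).
# That section shows no parent process or command line, so this rule correlates on timing alone.
PROCESS_STARTS = [
    ("11:56:06", r"C:\Users\user\Desktop\13efMb6ayq.exe", ".Net C# or VB.NET", "low"),
    ("11:56:16", r"C:\Windows\SysWOW64\schtasks.exe", "C, C++ or other language", "high"),
    ("11:56:17", r"C:\Windows\System32\conhost.exe", "C, C++ or other language", "high"),
    ("11:56:17", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ".Net C# or VB.NET", "high"),
]

# Constructed control case (not from the report): a vendor updater in Program Files registering a task.
BENIGN_STARTS = [
    ("12:03:01", r"C:\Program Files\ExampleVendor\updater.exe", "C, C++ or other language", "high"),
    ("12:03:02", r"C:\Windows\System32\schtasks.exe", "C, C++ or other language", "high"),
]

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\")
# Signed .NET Framework utilities that loaders commonly start as a host process for their payload.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def correlate(starts, window_s: int = 30) -> list:
    """Alert when a low-reputation executable from a user-writable path is followed within
    window_s seconds by schtasks.exe (persistence) and by a .NET framework host process."""
    parsed = [(datetime.strptime(t, "%H:%M:%S"), path, lang, rep) for t, path, lang, rep in starts]
    alerts = []
    for t0, path, _lang, rep in parsed:
        if rep != "low" or not in_user_writable_dir(path):
            continue
        deadline = t0 + timedelta(seconds=window_s)
        followers = [basename(p).lower() for t, p, _, _ in parsed if t0 <= t <= deadline and p != path]
        hosts = sorted(f for f in followers if f in DOTNET_HOSTS)
        if "schtasks.exe" in followers and hosts:
            alerts.append({"trigger": basename(path), "persistence": "schtasks.exe", "hosts": hosts})
    return alerts


if __name__ == "__main__":
    print(correlate(PROCESS_STARTS))   # one alert
    print(correlate(BENIGN_STARTS))    # none
```

With real telemetry the same rule gets much sharper by also requiring the parent of schtasks.exe and of the host process to be the trigger, and by inspecting the schtasks command line for `/create`; both fields are absent from this report, which is why the example does without them.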
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | Strings | APIs | Instructions | Similarity | Uniqueness Score |
---|---|---|---|---|---|---|
0119B010 | 2.8 | 2 | | 269 | COMMON | -1.00% |
05A94078 | 2.8 | 2 | | 260 | COMMON | -1.00% |
011904F9 | 2.6 | 2 | | 139 | COMMON | -1.00% |
011915A0 | 1.7 | | 1 | 181 | COMMON | -1.00% |
01191638 | 1.6 | | 1 | 128 | COMMON | -1.00% |
01191690 | 1.6 | | 1 | 94 | COMMON | -1.00% |
05A99638 | 1.4 | 1 | | 198 | COMMON | -1.00% |
01192BB0 | 1.4 | 1 | | 151 | COMMON | -1.00% |
011918B0 | 1.4 | 1 | | 112 | COMMON | -1.00% |
05A97FD8 | 1.4 | 1 | | 105 | COMMON | -1.00% |
05A99008 | 0.3 | | | 316 | COMMON | -1.00% |
011923A0 | 0.3 | | | 256 | COMMON | -1.00% |
01192440 | 0.2 | | | 195 | COMMON | -1.00% |
05A94560 | 0.2 | | | 190 | COMMON | -1.00% |
05A9A69D | 0.1 | | | 140 | COMMON | -1.00% |
05A98908 | 0.1 | | | 135 | COMMON | -1.00% |
053D1F41 | 0.1 | | | 95 | COMMON | -1.00% |
053D1F50 | 0.1 | | | 92 | COMMON | -1.00% |
011935F8 | 0.1 | | | 78 | COMMON | -1.00% |
053D7888 | 1.7 | | 1 | 224 | COMMON | -1.00% |
Function 053D9AAC, Relevance: 1.7, APIs: 1, Instructions: 184COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053D9AB8, Relevance: 1.7, APIs: 1, Instructions: 182COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011903B0, Relevance: 1.6, APIs: 1, Instructions: 150COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053DD5A4, Relevance: 1.6, APIs: 1, Instructions: 126COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053DF61B, Relevance: 1.6, APIs: 1, Instructions: 122COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053D2A60, Relevance: 1.6, APIs: 1, Instructions: 110COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053D2A68, Relevance: 1.6, APIs: 1, Instructions: 108COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05A96A80, Relevance: 1.6, APIs: 1, Instructions: 106COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05A96598, Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011917A9, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053DAB14, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011917B0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01199C88, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05A9C390, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011903C8, Relevance: 1.6, APIs: 1, Instructions: 81COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05A965E8, Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053D7A78, Relevance: 1.6, APIs: 1, Instructions: 76COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05A965F0, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0113D01C, Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0113D006, Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0112D7FD, Relevance: .0, Instructions: 45COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0112D7FC, Relevance: .0, Instructions: 36COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 01195370, Relevance: 2.7, Strings: 2, Instructions: 172COMMON
Strings |
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01195360, Relevance: 1.4, Strings: 1, Instructions: 169COMMON
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011965B8, Relevance: 1.4, Strings: 1, Instructions: 110COMMON
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011965C8, Relevance: 1.4, Strings: 1, Instructions: 107COMMON
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053D8070, Relevance: .5, Instructions: 525COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053D5668, Relevance: .3, Instructions: 265COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01196211, Relevance: .2, Instructions: 161COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011967E8, Relevance: .1, Instructions: 149COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011967D9, Relevance: .1, Instructions: 148COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01196A10, Relevance: .1, Instructions: 126COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01196A00, Relevance: .1, Instructions: 126COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05A98192, Relevance: .1, Instructions: 109COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053D6F54, Relevance: .1, Instructions: 88COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053DA988, Relevance: .1, Instructions: 87COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01196C31, Relevance: .1, Instructions: 80COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05A9312D, Relevance: .1, Instructions: 74COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |