Analysis Report cXyHZtgrFS.exe

Overview

Detection

Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Malware Configuration

Threatname: NanoCore

```json
{
  "Version": ".0.0.0,",
  "Mutex": "a7fa722b-7dae-45b1-afa6-302155a5",
  "Group": "Default",
  "Domain1": "wespeaktruthtoman.sytes.net",
  "Domain2": "wespeaktruthtoman12.sytes.net",
  "Port": 5600,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8"
}
```

The extracted configuration is consistent with the dynamic observations in this report: the C2 port 5600 is the destination port of all TCP traffic to 79.134.225.47 in the Network Behavior section, Domain1 resolves to that IP under Contacted Domains, and ClearZoneIdentifier: Enable matches the zone.identifier signature in the Signature Overview.
Yara Overview

Memory Dumps

Rule | Description | Author
---|---|---
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
NanoCore | unknown | Kevin Breen (kevin@techanarchy.net)
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Unpacked PEs

Rule | Description | Author
---|---|---
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
NanoCore | unknown | Kevin Breen (kevin@techanarchy.net)
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
Sigma Overview

Category | Sigma rule | Author
---|---|---
AV Detection | NanoCore | Joe Security
E-Banking Fraud | NanoCore | Joe Security
System Summary | Possible Applocker Bypass | juju4
Stealing of Sensitive Information | NanoCore | Joe Security
Remote Access Functionality | NanoCore | Joe Security

The "Possible Applocker Bypass" rule fires on the execution of .NET framework utilities such as regsvcs.exe and regasm.exe; RegSvcs.exe appears in this report as the creating process of one of the dropped files (see Created / dropped Files), which is the usual host process NanoCore injects into.
Signature Overview

AV Detection

- Found malware configuration (source: Malware Configuration Extractor)
- Multi AV Scanner detection for dropped file (source: ReversingLabs)
- Multi AV Scanner detection for submitted file (sources: Virustotal, ReversingLabs)
- Yara detected Nanocore RAT (source: file sources, static PE information, binary strings)
Networking

- C2 URLs / IPs found in malware configuration (sources: configuration URLs, TCP traffic, IP address, ASN name, DNS traffic, strings found in binary or memory)
E-Banking Fraud

- Yara detected Nanocore RAT
System Summary

- Malicious sample detected (through community Yara rule); the matched rules are listed in the Yara Overview above
- Further lower-severity System Summary findings (code functions, mutants created, files created and read, registry keys opened and queried, processes created, static PE information) are recorded in the report, but their titles and values are not present in this extraction
Boot Survival

- Uses schtasks.exe or at.exe to add and modify task schedules (source: process created)
Hooking and other Techniques for Hiding and Protection

- Hides that the sample has been downloaded from the Internet (zone.identifier) (source: file opened)
- A large number of "Process information set" events were additionally recorded under this category; their signature title and values are not present in this extraction
Malware Analysis System Evasion

- Yara detected AntiVM3 (source: file sources)
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) (source: binary or memory strings)
- Further evasion-related events were recorded (files opened or queried, thread delays and sleep times, window / user API calls, process information queried, process token adjusted, memory allocated); their signature titles and values are not present in this extraction
HIPS / PFW / Operating System Protection Evasion

- Allocates memory in foreign processes (source: memory allocated)
- Injects a PE file into a foreign process (source: memory written)
- Writes to foreign memory regions (source: memory written)
- Further events were recorded (processes created, volume information queried, registry key value queried); their signature titles and values are not present in this extraction
Stealing of Sensitive Information

- Yara detected Nanocore RAT

Remote Access Functionality

- Yara detected Nanocore RAT
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection311 | Masquerading1 | Input Capture1 | Security Software Discovery211 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | DLL Side-Loading1 | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading1 | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection311 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing2 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Detection | Scanner | Label
---|---|---
27% | Virustotal | 
19% | ReversingLabs | Win32.Trojan.Wacatac

Dropped Files

Detection | Scanner | Label
---|---|---
19% | ReversingLabs | Win32.Trojan.Wacatac

Unpacked PE Files: No Antivirus matches

Domains: No Antivirus matches

URLs: 11 entries (the URL values are not present in this extraction), each rated 0% by Avira URL Cloud with the label "safe"
Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
---|---|---|---|---|---
wespeaktruthtoman.sytes.net | 79.134.225.47 | true | true | unknown | 
wespeaktruthtoman12.sytes.net | unknown | unknown | true | unknown | 

Contacted URLs: 2 entries (the URL values are not present in this extraction), both Malicious: true, Reputation: unknown.

URLs from Memory and Binaries: 12 entries (the URL values are not present in this extraction), all Malicious: false; Reputation is "high" for 3 of them and "unknown" for the other 9.
General Information

Field | Value
---|---
Joe Sandbox Version | 32.0.0 Black Diamond
Analysis ID | 412155
Start date | 12.05.2021
Start time | 12:55:38
Joe Sandbox Product | CloudBasic
Overall analysis duration | 0h 7m 59s
Hypervisor based Inspection enabled | false
Report type | full
Sample file name | cXyHZtgrFS.exe
Cookbook file name | default.jbs
Analysis system description | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed | 15
Number of new started drivers analysed | 0
Number of existing processes analysed | 0
Number of existing drivers analysed | 0
Number of injected processes analysed | 0
Analysis Mode | default
Analysis stop reason | Timeout
Detection | MAL
Classification | mal100.troj.evad.winEXE@6/5@49/2
EGA Information | Failed
HDC Information | Failed
Simulations

Behavior and APIs

Time | Type | Description
---|---|---
12:56:33 | API Interceptor | 
12:56:38 | API Interceptor | 
Joe Sandbox View / Context

IPs: 79.134.225.47 is associated with 9 other samples in Joe Sandbox (sample names and SHA-256 values are not present in this extraction), all classified malicious.

Domains: wespeaktruthtoman.sytes.net is associated with 8 other samples, all classified malicious.

ASN: FINK-TELECOM-SERVICESCH is associated with 20 other samples, all classified malicious.

JA3 Fingerprints: No context

Dropped Files: No context
Created / dropped Files

Five files were created or modified during the analysis (file paths and file types are not present in this extraction).

File 1

Field | Value
---|---
Process | C:\Users\user\Desktop\cXyHZtgrFS.exe
Category | modified
Size (bytes) | 1314
Entropy (8bit) | 5.350128552078965
Encrypted | false
SSDEEP | 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5 | 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1 | B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256 | 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512 | 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious | true
Reputation | high, very likely benign file

File 2

Field | Value
---|---
Process | C:\Users\user\Desktop\cXyHZtgrFS.exe
Category | dropped
Size (bytes) | 1645
Entropy (8bit) | 5.198641179123284
Encrypted | false
SSDEEP | 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBLPtn:cbh47TlNQ//rydbz9I3YODOLNdq3r
MD5 | 95F93C14F0527685C610DC5DE83209DF
SHA1 | 0006AB4EA22FD79E519519667A28A91785A022FB
SHA-256 | E038B8065134AB7E8AB8C15B958DA55AFDC7B348CA41FBD120C5468BB2177CEE
SHA-512 | D60E566B23840FAE514526980E6BA62ACEE037382ED56E8AA56F03B8EAF9BF39F4A7C55891FBFB87496B2935E74422217DEDCD75B9D527CEA1C18498A65A492D
Malicious | true
Reputation | low

File 3

Field | Value
---|---
Process | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Category | dropped
Size (bytes) | 8
Entropy (8bit) | 3.0
Encrypted | false
SSDEEP | 3:Rj:Rj
MD5 | 3A842E5A46DE30A8EE03515B6EA4C30D
SHA1 | 06F2BB28EAFB4F6A64572940C5BC7F8D11685E8D
SHA-256 | 446DD73D186F12F387AE5B361D3C20368530C3197914EBC2D80E7775426ED8E2
SHA-512 | 51D97EAEBE213844A8602A9E3329D76F0DAFD0A3F788DB31E0784BE516D105D2801F3E462D332C8F2FCA2909317B23F99F8F24EBDB4995E5D519F16C48CFC548
Malicious | true
Reputation | low

File 4

Field | Value
---|---
Process | C:\Users\user\Desktop\cXyHZtgrFS.exe
Category | dropped
Size (bytes) | 1399296
Entropy (8bit) | 7.924027323952348
Encrypted | false
SSDEEP | 24576:ochI6jw9IwuOLQuBwP3F5tTrtGzT0dhdYlFlHriUJpqoLElXBI/:LuSyD0F5lozTuhdUuUXLAXO
MD5 | 82F9B9752D04017D3EA889F8A83C6C17
SHA1 | E192196BD3415149952549B8FA5CF9C2753D5BF3
SHA-256 | EADBBB8B375AD2B983ED4E9653D7CBBE980CADCA775BE3B597CFD0524743676E
SHA-512 | D2B862E35929C96F43651FE9AA1121ADF4918183B10948064309C4E9626FD15B85FABB4406834DBAD7E2451541B6ACBF313891630E45434DE1AFD92157A9D9C8
Malicious | true
Reputation | low

The size and every hash of File 4 are identical to those of the submitted sample (see Static File Info): the sample wrote a copy of itself to disk, which is the file the ReversingLabs "Dropped Files" detection above refers to.

File 5

Field | Value
---|---
Process | C:\Users\user\Desktop\cXyHZtgrFS.exe
Category | dropped
Size (bytes) | 26
Entropy (8bit) | 3.95006375643621
Encrypted | false
SSDEEP | 3:ggPYV:rPYV
MD5 | 187F488E27DB4AF347237FE461A079AD
SHA1 | 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256 | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512 | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious | false
Reputation | high, very likely benign file
Static File Info

General

Field | Value
---|---
File name | cXyHZtgrFS.exe
File size | 1399296
Entropy (8bit) | 7.924027323952348
MD5 | 82f9b9752d04017d3ea889f8a83c6c17
SHA1 | e192196bd3415149952549b8fa5cf9c2753d5bf3
SHA256 | eadbbb8b375ad2b983ed4e9653d7cbbe980cadca775be3b597cfd0524743676e
SHA512 | d2b862e35929c96f43651fe9aa1121adf4918183b10948064309c4e9626fd15b85fabb4406834dbad7e2451541b6acbf313891630e45434de1afd92157a9d9c8
SSDEEP | 24576:ochI6jw9IwuOLQuBwP3F5tTrtGzT0dhdYlFlHriUJpqoLElXBI/:LuSyD0F5lozTuhdUuUXLAXO
File Content Preview | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.`..............P.. ...8.......?... ...@....@.. ....................................@................................

File Icon

Icon Hash | f2d2e9fcc4ead362
Static PE Info

General

Field | Value
---|---
Entrypoint | 0x553fb6
Entrypoint Section | .text
Digitally signed | false
Imagebase | 0x400000
Subsystem | windows gui
Image File Characteristics | 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp | 0x609B31CE [Wed May 12 01:39:26 2021 UTC]
TLS Callbacks | none
CLR (.Net) Version | v4.0.30319
OS Version Major | 4
OS Version Minor | 0
File Version Major | 4
File Version Minor | 0
Subsystem Version Major | 4
Subsystem Version Minor | 0
Import Hash | f34d5f2d4577ed6d9ceec516c1f5a744

The PE time stamp falls on the same day as the analysis (12.05.2021, see General Information), so the binary was compiled only hours before it was submitted.
Entrypoint Preview

Instruction
---
jmp dword ptr [00402000h]

Only the first instruction is code. The bytes that follow the stub are zero padding and data, which the report's disassembler rendered as a long run of `add byte ptr [eax], al` and similar meaningless instructions; they are omitted here. The jump target 0x402000 is the single entry of the import address table (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 0x8, with image base 0x400000), which holds the only import, mscoree.dll!_CorExeMain. This is the standard native stub of a .NET executable and matches the CLR version v4.0.30319 above; the behaviour of the sample lives in managed code inside the packed .text section, not at the native entrypoint.
Data Directories
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x153f64 | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x154000 | 0x34dc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x158000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x153e2c | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x151fbc | 0x152000 | False | 0.937950721154 | data | 7.93649392422 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0x154000 | 0x34dc | 0x3600 | False | 0.361689814815 | data | 5.25494603231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x158000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
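The section table is the first triage signal on this page: .text is 0x152000 bytes (about 1.3 MB) with entropy 7.94 and a ZLIB complexity of 0.94, while .rsrc sits at 5.25 and .reloc near zero. Compiled .NET IL and metadata normally land well below 7 bits per byte; an executable section that is statistically indistinguishable from random, in an image whose only native import is mscoree.dll!_CorExeMain, means the bulk of .text is an encrypted or compressed payload that the small managed stub decodes at run time. The Python below is an added example, not part of the Joe Sandbox report: it reproduces the two metrics from the table on constructed section contents and applies the usual packed-section rule. The 7.2 threshold and the sample bytes are assumptions.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly
    distributed bytes. This is the quantity in the section table's 'Entropy' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size (the 'ZLIB Complexity' column). Values close
    to 1.0 mean the bytes are already compressed or encrypted."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify_section(name: str, data: bytes, executable: bool, threshold: float = 7.2) -> dict:
    """Triage rule (the threshold is an assumption, not a value from the report): an
    executable section whose bytes are near-uniform is treated as packed or encrypted."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": round(ent, 3),
        "zlib": round(zlib_complexity(data), 3),
        "suspicious": executable and ent >= threshold,
    }


def pseudo_random_bytes(n: int, seed: bytes = b"section-demo") -> bytes:
    """Deterministic stand-in for an encrypted payload (a SHA-256 chain), so the
    example runs offline and always produces the same numbers."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed section contents, not bytes from the sample: a 'normal' code section
# made of repeated x86 prologue/epilogue bytes, and a 'packed' one that looks random.
PLAIN_TEXT = bytes.fromhex("558bec83ec105356578b7d0833c05f5e5bc9c3") * 3000
PACKED_TEXT = pseudo_random_bytes(64 * 1024)


def triage_demo():
    """Classify the constructed sections; the packed one is the only hit."""
    return [
        classify_section(".text (plain)", PLAIN_TEXT, executable=True),
        classify_section(".text (packed)", PACKED_TEXT, executable=True),
        classify_section(".rsrc", PACKED_TEXT[:4096], executable=False),
    ]


if __name__ == "__main__":
    for row in triage_demo():
        print(row)
```

On a real file the same two functions are run over each section's raw bytes (pefile's `SectionTable` entries give the offsets); the entropy column alone separates the three sections in the table above exactly as the rule does here. A non-executable resource section with high entropy is not flagged, because icons and embedded certificates are legitimately dense.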
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x154100 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | ||
RT_GROUP_ICON | 0x1566b8 | 0x14 | data | ||
RT_VERSION | 0x1566dc | 0x384 | data | ||
RT_MANIFEST | 0x156a70 | 0xa65 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 2013 |
Assembly Version | 3.0.0.0 |
InternalName | TraceLoggingDataCollector.exe |
FileVersion | 3.0.0.0 |
CompanyName | |
LegalTrademarks | |
Comments | |
ProductName | ServerManager_Core |
ProductVersion | 3.0.0.0 |
FileDescription | ServerManager_Core |
OriginalFilename | TraceLoggingDataCollector.exe |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 12, 2021 12:56:40.512617111 CEST | 49693 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:40.588664055 CEST | 5600 | 49693 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:56:41.099802017 CEST | 49693 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:41.175457001 CEST | 5600 | 49693 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:56:41.677934885 CEST | 49693 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:41.753674030 CEST | 5600 | 49693 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:56:46.053966045 CEST | 49699 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:46.129770994 CEST | 5600 | 49699 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:56:46.638493061 CEST | 49699 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:46.714185953 CEST | 5600 | 49699 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:56:47.225359917 CEST | 49699 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:47.301090002 CEST | 5600 | 49699 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:56:51.402374983 CEST | 49701 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:51.480460882 CEST | 5600 | 49701 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:56:52.085212946 CEST | 49701 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:52.162516117 CEST | 5600 | 49701 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:56:52.772712946 CEST | 49701 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:52.849281073 CEST | 5600 | 49701 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:09.826275110 CEST | 49705 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:09.905472040 CEST | 5600 | 49705 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:10.414889097 CEST | 49705 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:10.493894100 CEST | 5600 | 49705 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:11.008740902 CEST | 49705 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:11.087760925 CEST | 5600 | 49705 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:15.179896116 CEST | 49706 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:15.255753994 CEST | 5600 | 49706 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:15.759206057 CEST | 49706 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:15.835309982 CEST | 5600 | 49706 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:16.337306023 CEST | 49706 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:16.413285971 CEST | 5600 | 49706 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:20.497596979 CEST | 49707 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:20.576368093 CEST | 5600 | 49707 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:21.087666035 CEST | 49707 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:21.166415930 CEST | 5600 | 49707 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:21.681576014 CEST | 49707 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:21.761924028 CEST | 5600 | 49707 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:39.160238981 CEST | 49708 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:39.236049891 CEST | 5600 | 49708 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:39.745572090 CEST | 49708 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:39.821310997 CEST | 5600 | 49708 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:40.323801041 CEST | 49708 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:40.399591923 CEST | 5600 | 49708 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:44.479228973 CEST | 49709 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:44.555296898 CEST | 5600 | 49709 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:45.058511972 CEST | 49709 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:45.134550095 CEST | 5600 | 49709 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:45.636789083 CEST | 49709 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:45.713602066 CEST | 5600 | 49709 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:49.848792076 CEST | 49710 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:49.924684048 CEST | 5600 | 49710 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:50.433967113 CEST | 49710 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:50.511605024 CEST | 5600 | 49710 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:57:51.012428999 CEST | 49710 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:51.088206053 CEST | 5600 | 49710 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:08.526103020 CEST | 49711 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:08.602035999 CEST | 5600 | 49711 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:09.107485056 CEST | 49711 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:09.183195114 CEST | 5600 | 49711 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:09.685790062 CEST | 49711 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:09.761878014 CEST | 5600 | 49711 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:13.849675894 CEST | 49712 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:13.928164959 CEST | 5600 | 49712 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:14.436135054 CEST | 49712 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:14.514753103 CEST | 5600 | 49712 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:15.029930115 CEST | 49712 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:15.108514071 CEST | 5600 | 49712 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:19.220876932 CEST | 49713 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:19.296777010 CEST | 5600 | 49713 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:19.811644077 CEST | 49713 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:19.887623072 CEST | 5600 | 49713 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:20.389714956 CEST | 49713 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:20.466945887 CEST | 5600 | 49713 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:37.309508085 CEST | 49714 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:37.388200998 CEST | 5600 | 49714 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:37.891330957 CEST | 49714 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:37.971410036 CEST | 5600 | 49714 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:58:38.485261917 CEST | 49714 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:58:38.563935041 CEST | 5600 | 49714 | 79.134.225.47 | 192.168.2.3 |
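Every TCP row above goes to 79.134.225.47:5600, and the source-port column shows 13 distinct connections (49693, 49699, 49701 and 49705 through 49714), each consisting of three client-to-server packets about half a second apart with a reply to each, followed by a fresh connection roughly five seconds later and a longer pause after every third one. The UDP and DNS tables that follow show an A lookup to 8.8.8.8 immediately before each of those connections, always answered with the same address, so the client re-resolves its hostname before every reconnect. Short, evenly spaced connections to one external ip:port are the signature a network detection should key on. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in the table's own format (the embedded rows are the first six connections copied from the table, plus one server reply and one client retransmission), counts every new client source port as a new connection, and flags destinations that are reconnected to at a steady cadence. The thresholds are assumptions.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Rows copied from the TCP Packets table above: the first six C2 connections, plus
# one server reply and one client retransmission so the code has to distinguish a
# new connection from more traffic on an existing one.
SAMPLE_ROWS = """\
May 12, 2021 12:56:40.512617111 CEST | 49693 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:40.588664055 CEST | 5600 | 49693 | 79.134.225.47 | 192.168.2.3 |
May 12, 2021 12:56:41.099802017 CEST | 49693 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:46.053966045 CEST | 49699 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:56:51.402374983 CEST | 49701 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:09.826275110 CEST | 49705 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:15.179896116 CEST | 49706 | 5600 | 192.168.2.3 | 79.134.225.47 |
May 12, 2021 12:57:20.497596979 CEST | 49707 | 5600 | 192.168.2.3 | 79.134.225.47 |
"""

ROW_RE = re.compile(
    r"^(?P<date>[A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ \| "
    r"(?P<sport>\d+) \| (?P<dport>\d+) \| (?P<src>[\d.]+) \| (?P<dst>[\d.]+) \|?\s*$"
)
EPOCH = datetime(1970, 1, 1)


def parse_rows(text):
    """Yield (seconds, sport, dport, src, dst) per row. The report prints nanoseconds,
    which strptime's %f cannot take, so the fraction is parsed by hand."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        base = datetime.strptime(m["date"], "%b %d, %Y %H:%M:%S")
        secs = (base - EPOCH).total_seconds() + int(m["frac"][:9].ljust(9, "0")) / 1e9
        yield secs, int(m["sport"]), int(m["dport"]), m["src"], m["dst"]


def connection_starts(rows):
    """(src, dst, dport) -> sorted first-seen times, one per client source port.
    Only internal-to-external packets count, so server replies are ignored and a
    retransmission on an existing source port does not create a new connection."""
    first_seen = {}
    for ts, sport, dport, src, dst in rows:
        if not ipaddress.ip_address(src).is_private or ipaddress.ip_address(dst).is_private:
            continue
        key = (src, dst, dport, sport)
        first_seen[key] = min(ts, first_seen.get(key, ts))
    by_dest = defaultdict(list)
    for (src, dst, dport, _sport), ts in first_seen.items():
        by_dest[(src, dst, dport)].append(ts)
    return {dest: sorted(times) for dest, times in by_dest.items()}


def beacon_candidates(rows, min_connections=5, tolerance=0.2, min_steady=0.6):
    """Flag destinations reconnected to at least min_connections times where at least
    min_steady of the gaps lie within +/- tolerance of the median gap. The thresholds
    are assumptions; tune them to the telemetry. Returns [(dest, count, median_gap_s)]."""
    found = []
    for dest, times in connection_starts(rows).items():
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        steady = sum(abs(g - median) <= tolerance * median for g in gaps) / len(gaps)
        if steady >= min_steady:
            found.append((dest, len(times), round(median, 3)))
    return found


if __name__ == "__main__":
    for dest, count, gap in beacon_candidates(parse_rows(SAMPLE_ROWS)):
        print(f"{dest[0]} -> {dest[1]}:{dest[2]}  connections={count}  median_gap={gap}s")
```

The "steady fraction" test is deliberately tolerant of the longer pause after every third attempt: four of the five gaps in the embedded rows sit within 20 % of the 5.35 s median, which is enough to flag the destination, whereas a variance-based test would be dominated by the single 18 s gap. Feeding the function Zeek `conn.log` or NetFlow records instead of the report rows needs only a different `parse_rows`.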
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 12, 2021 12:56:23.406985044 CEST | 51904 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:23.458626986 CEST | 53 | 51904 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:24.518009901 CEST | 61328 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:24.568092108 CEST | 53 | 61328 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:25.969326973 CEST | 54130 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:26.020956993 CEST | 53 | 54130 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:27.158277035 CEST | 56961 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:27.209981918 CEST | 53 | 56961 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:28.309333086 CEST | 59353 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:28.358119011 CEST | 53 | 59353 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:29.464442968 CEST | 52238 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:29.516005039 CEST | 53 | 52238 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:30.612071991 CEST | 49873 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:30.663625956 CEST | 53 | 49873 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:31.754771948 CEST | 53196 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:31.806375980 CEST | 53 | 53196 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:33.239487886 CEST | 56777 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:33.288306952 CEST | 53 | 56777 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:34.502676010 CEST | 58643 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:34.551583052 CEST | 53 | 58643 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:35.866019011 CEST | 60985 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:35.914777994 CEST | 53 | 60985 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:36.802933931 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:36.851660967 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:40.448347092 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:40.499564886 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:40.940287113 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:40.989149094 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:42.111762047 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:42.163259029 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:43.645148039 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:43.693763018 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:44.513176918 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:44.562557936 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:45.427418947 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:45.478907108 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:45.989885092 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:46.051681042 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:47.784763098 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:47.835608006 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:51.339147091 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:51.398415089 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:56.221163988 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:56.382705927 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:56.920252085 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:56.971091986 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:56:56.974450111 CEST | 60831 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:56:57.036442995 CEST | 53 | 60831 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:56:57.085217953 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:56:57.137903929 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:01.205702066 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:01.267685890 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:01.295872927 CEST | 50141 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:57:01.353230000 CEST | 53 | 50141 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:57:01.381684065 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:01.438649893 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:05.497879982 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:05.546752930 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:05.550687075 CEST | 51352 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:57:05.602098942 CEST | 53 | 51352 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:57:05.653584003 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:05.704133987 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:09.738672972 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:09.796117067 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:15.127099991 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:15.178808928 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:20.438766003 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:20.496140003 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:25.928478956 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:25.988092899 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:25.990446091 CEST | 54366 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:57:26.050812960 CEST | 53 | 54366 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:57:26.250632048 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:26.303728104 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:30.330436945 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:30.387943029 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:30.565342903 CEST | 55435 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:57:30.625178099 CEST | 53 | 55435 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:57:30.668559074 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:30.725766897 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:34.819576025 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:34.868236065 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:34.872184038 CEST | 58987 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:57:34.929403067 CEST | 53 | 58987 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:57:34.962059975 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:35.010709047 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:39.097064018 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:39.159198999 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:44.428934097 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:44.477756023 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:49.797447920 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:49.847168922 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:55.455099106 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:55.512248039 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:55.542064905 CEST | 61946 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:57:55.599591017 CEST | 53 | 61946 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:57:55.629410028 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:55.690160990 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:59.791951895 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:57:59.843535900 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:57:59.848723888 CEST | 56130 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:57:59.897557020 CEST | 53 | 56130 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:57:59.989219904 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:00.049000978 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:04.107609034 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:04.167186975 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:04.195837021 CEST | 58784 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:58:04.256079912 CEST | 53 | 58784 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:58:04.366200924 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:04.423655033 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:08.459110975 CEST | 62938 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:08.524970055 CEST | 53 | 62938 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:13.791480064 CEST | 55708 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:13.848495960 CEST | 53 | 55708 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:19.162184000 CEST | 56803 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:19.219518900 CEST | 53 | 56803 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:24.524244070 CEST | 57145 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:24.581593037 CEST | 53 | 57145 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:24.610419035 CEST | 55359 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:58:24.670089960 CEST | 53 | 55359 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:58:24.679236889 CEST | 58306 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:24.739588022 CEST | 53 | 58306 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:28.774804115 CEST | 64124 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:28.832019091 CEST | 53 | 64124 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:28.835751057 CEST | 49361 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:58:28.893269062 CEST | 53 | 49361 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:58:28.929292917 CEST | 63150 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:28.989382029 CEST | 53 | 63150 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:33.031136990 CEST | 53279 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:33.083081007 CEST | 53 | 53279 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:33.085609913 CEST | 56881 | 53 | 192.168.2.3 | 8.8.4.4 |
May 12, 2021 12:58:33.143788099 CEST | 53 | 56881 | 8.8.4.4 | 192.168.2.3 |
May 12, 2021 12:58:33.188982964 CEST | 53642 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:33.249139071 CEST | 53 | 53642 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 12:58:37.251457930 CEST | 55667 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 12:58:37.308605909 CEST | 53 | 55667 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
May 12, 2021 12:56:40.448347092 CEST | 192.168.2.3 | 8.8.8.8 | 0x10e3 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:56:45.989885092 CEST | 192.168.2.3 | 8.8.8.8 | 0x90a9 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:56:51.339147091 CEST | 192.168.2.3 | 8.8.8.8 | 0x2c8d | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:56:56.920252085 CEST | 192.168.2.3 | 8.8.8.8 | 0x4e23 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:56:56.974450111 CEST | 192.168.2.3 | 8.8.4.4 | 0x2cb1 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:56:57.085217953 CEST | 192.168.2.3 | 8.8.8.8 | 0x47f0 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:01.205702066 CEST | 192.168.2.3 | 8.8.8.8 | 0xebc2 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:01.295872927 CEST | 192.168.2.3 | 8.8.4.4 | 0x6461 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:01.381684065 CEST | 192.168.2.3 | 8.8.8.8 | 0x8cac | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:05.497879982 CEST | 192.168.2.3 | 8.8.8.8 | 0x4aef | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:05.550687075 CEST | 192.168.2.3 | 8.8.4.4 | 0x429b | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:05.653584003 CEST | 192.168.2.3 | 8.8.8.8 | 0x18ac | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:09.738672972 CEST | 192.168.2.3 | 8.8.8.8 | 0x51c | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:15.127099991 CEST | 192.168.2.3 | 8.8.8.8 | 0xa95f | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:20.438766003 CEST | 192.168.2.3 | 8.8.8.8 | 0x61a4 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:25.928478956 CEST | 192.168.2.3 | 8.8.8.8 | 0x3852 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:25.990446091 CEST | 192.168.2.3 | 8.8.4.4 | 0xa79f | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:26.250632048 CEST | 192.168.2.3 | 8.8.8.8 | 0xc041 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:30.330436945 CEST | 192.168.2.3 | 8.8.8.8 | 0x7228 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:30.565342903 CEST | 192.168.2.3 | 8.8.4.4 | 0xce8a | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:30.668559074 CEST | 192.168.2.3 | 8.8.8.8 | 0x8dce | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:34.819576025 CEST | 192.168.2.3 | 8.8.8.8 | 0x9aa1 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:34.872184038 CEST | 192.168.2.3 | 8.8.4.4 | 0x4632 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:34.962059975 CEST | 192.168.2.3 | 8.8.8.8 | 0x32e5 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:39.097064018 CEST | 192.168.2.3 | 8.8.8.8 | 0x143f | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:44.428934097 CEST | 192.168.2.3 | 8.8.8.8 | 0xb405 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:49.797447920 CEST | 192.168.2.3 | 8.8.8.8 | 0x82e5 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:55.455099106 CEST | 192.168.2.3 | 8.8.8.8 | 0x6095 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:55.542064905 CEST | 192.168.2.3 | 8.8.4.4 | 0x99ef | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:55.629410028 CEST | 192.168.2.3 | 8.8.8.8 | 0xfbfe | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:59.791951895 CEST | 192.168.2.3 | 8.8.8.8 | 0x88d | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:59.848723888 CEST | 192.168.2.3 | 8.8.4.4 | 0xb243 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:57:59.989219904 CEST | 192.168.2.3 | 8.8.8.8 | 0x785b | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:04.107609034 CEST | 192.168.2.3 | 8.8.8.8 | 0x442d | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:04.195837021 CEST | 192.168.2.3 | 8.8.4.4 | 0xf896 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:04.366200924 CEST | 192.168.2.3 | 8.8.8.8 | 0xad5a | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:08.459110975 CEST | 192.168.2.3 | 8.8.8.8 | 0x1677 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:13.791480064 CEST | 192.168.2.3 | 8.8.8.8 | 0x8106 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:19.162184000 CEST | 192.168.2.3 | 8.8.8.8 | 0xef26 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:24.524244070 CEST | 192.168.2.3 | 8.8.8.8 | 0xf4b4 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:24.610419035 CEST | 192.168.2.3 | 8.8.4.4 | 0xa3a3 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:24.679236889 CEST | 192.168.2.3 | 8.8.8.8 | 0x34bc | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:28.774804115 CEST | 192.168.2.3 | 8.8.8.8 | 0xba8c | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:28.835751057 CEST | 192.168.2.3 | 8.8.4.4 | 0xf23d | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:28.929292917 CEST | 192.168.2.3 | 8.8.8.8 | 0xc83c | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:33.031136990 CEST | 192.168.2.3 | 8.8.8.8 | 0x8c10 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:33.085609913 CEST | 192.168.2.3 | 8.8.4.4 | 0x96ed | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:33.188982964 CEST | 192.168.2.3 | 8.8.8.8 | 0xffd4 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 12:58:37.251457930 CEST | 192.168.2.3 | 8.8.8.8 | 0xc88f | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
May 12, 2021 12:56:40.499564886 CEST | 8.8.8.8 | 192.168.2.3 | 0x10e3 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:56:46.051681042 CEST | 8.8.8.8 | 192.168.2.3 | 0x90a9 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:56:51.398415089 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c8d | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:57:09.796117067 CEST | 8.8.8.8 | 192.168.2.3 | 0x51c | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:57:15.178808928 CEST | 8.8.8.8 | 192.168.2.3 | 0xa95f | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:57:20.496140003 CEST | 8.8.8.8 | 192.168.2.3 | 0x61a4 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:57:39.159198999 CEST | 8.8.8.8 | 192.168.2.3 | 0x143f | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:57:44.477756023 CEST | 8.8.8.8 | 192.168.2.3 | 0xb405 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:57:49.847168922 CEST | 8.8.8.8 | 192.168.2.3 | 0x82e5 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:58:08.524970055 CEST | 8.8.8.8 | 192.168.2.3 | 0x1677 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:58:13.848495960 CEST | 8.8.8.8 | 192.168.2.3 | 0x8106 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:58:19.219518900 CEST | 8.8.8.8 | 192.168.2.3 | 0xef26 | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) | ||
May 12, 2021 12:58:37.308605909 CEST | 8.8.8.8 | 192.168.2.3 | 0xc88f | No error (0) | 79.134.225.47 | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 12:56:31 |
Start date: | 12/05/2021 |
Path: | C:\Users\user\Desktop\cXyHZtgrFS.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7d0000 |
File size: | 1399296 bytes |
MD5 hash: | 82F9B9752D04017D3EA889F8A83C6C17 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 12:56:35 |
Start date: | 12/05/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x180000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:56:35 |
Start date: | 12/05/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:56:35 |
Start date: | 12/05/2021 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xaa0000 |
File size: | 45152 bytes |
MD5 hash: | 2867A3817C9245F7CF518524DFD18F28 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | high |
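Four seconds after the sample starts from the user's Desktop, schtasks.exe (with its conhost.exe) and the 32-bit .NET Framework RegSvcs.exe appear. The report lists image paths and start times only; parent processes and command lines are not shown in this section. Two caveats for reading it: "Has elevated privileges: true" on every process, including the sample, reflects the sandbox running as an administrator and says nothing about the sample escalating on its own, and RegSvcs.exe is a signed Microsoft binary that .NET loaders commonly start only to replace its image, so its presence next to schtasks.exe is the pair to alert on rather than either name alone. The Python below is an added example, not part of the Joe Sandbox report: it evaluates two Sigma-style process-creation rules over constructed events modelled on the four processes above. The parent images, and the benign control event, are assumptions.

```python
import ntpath

# Constructed process-creation events modelled on the four processes listed above.
# The report shows image paths and start times only; the parent images here are
# ASSUMED for illustration, and the last event is a benign control case.
EVENTS = [
    {"image": "C:\\Users\\user\\Desktop\\cXyHZtgrFS.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "parent": "C:\\Users\\user\\Desktop\\cXyHZtgrFS.exe"},
    {"image": "C:\\Windows\\System32\\conhost.exe",
     "parent": "C:\\Windows\\SysWOW64\\schtasks.exe"},
    {"image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
     "parent": "C:\\Users\\user\\Desktop\\cXyHZtgrFS.exe"},
    {"image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
     "parent": "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe"},
]

# Directories an unprivileged user can write to; a scheduled task being created
# from one of them is worth a look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Parents for which RegSvcs/RegAsm are expected: installed developer and build tooling.
EXPECTED_REGSVCS_PARENTS = ("c:\\program files\\", "c:\\program files (x86)\\")
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def rule_schtasks_from_user_writable(ev: dict) -> bool:
    """T1053.005-style: schtasks.exe whose parent runs from a user-writable path."""
    return image_name(ev["image"]) == "schtasks.exe" and ev["parent"].lower().startswith(USER_WRITABLE)


def rule_regsvcs_unexpected_parent(ev: dict) -> bool:
    """T1218.009-style: RegSvcs/RegAsm started by anything other than dev tooling."""
    return image_name(ev["image"]) in DOTNET_HOSTS and not ev["parent"].lower().startswith(EXPECTED_REGSVCS_PARENTS)


RULES = {
    "schtasks_spawned_from_user_writable_path": rule_schtasks_from_user_writable,
    "regsvcs_regasm_unexpected_parent": rule_regsvcs_unexpected_parent,
}


def evaluate(events, rules=RULES):
    """Return (rule_name, image, parent) for every event that matches a rule."""
    return [(name, ev["image"], ev["parent"])
            for ev in events for name, fn in rules.items() if fn(ev)]


if __name__ == "__main__":
    for name, image, parent in evaluate(EVENTS):
        print(f"[{name}] {parent} -> {image}")
```

Run against the constructed events, only the two children of the Desktop executable match; the RegSvcs.exe launched from Visual Studio does not, which is the false-positive case these rules have to survive in an engineering environment. In production the parent path comes from Sysmon Event ID 1 or the equivalent EDR field, and the RegSvcs hit should additionally be correlated with a later network connection from that RegSvcs.exe, since a hollowed host is the process that will hold the C2 socket.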
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | APIs | Instructions | Tag | Uniqueness Score |
---|---|---|---|---|---|
051B4958 | .6 | | 640 | COMMON | -1.00% |
051B8470 | .6 | | 632 | COMMON | -1.00% |
051BAAC1 | .1 | | 82 | COMMON | -1.00% |
051BAAD0 | .1 | | 78 | COMMON | -1.00% |
(header not captured) | | yes | | | -1.00% |
(header not captured) | | yes | | | -1.00% |
0125BBB8 | 1.7 | 1 | 199 | COMMON | -1.00% |
0125DC6D | 1.6 | 1 | 115 | COMMON | -1.00% |
0125DC78 | 1.6 | 1 | 113 | COMMON | -1.00% |
01256D51 | 1.6 | 1 | 101 | COMMON | -1.00% |
051B1E9C | 1.6 | 1 | 96 | COMMON | -1.00% |
01256DC0 | 1.6 | 1 | 65 | COMMON | -1.00% |
01256DC8 | 1.6 | 1 | 62 | COMMON | -1.00% |
(header not captured) | | yes | | | -1.00% |
(header not captured) | | yes | | | -1.00% |
0125BDA8 | 1.5 | 1 | 47 | COMMON | -1.00% |
0125DEB9 | 1.5 | 1 | 44 | COMMON | -1.00% |
0125DEC0 | 1.5 | 1 | 44 | COMMON | -1.00% |
011ED4D8 | .1 | | 75 | COMMON | -1.00% |
011FD01C | .1 | | 72 | COMMON | -1.00% |
011FD006 | .1 | | 62 | COMMON | -1.00% |
011ED4D3 | .1 | | 56 | COMMON | -1.00% |
011ED7FD | .0 | | 45 | COMMON | -1.00% |
011ED7FC | .0 | | 36 | COMMON | -1.00% |
Non-executed Functions |
---|
Function | Relevance | APIs | Instructions | Tag | Uniqueness Score |
---|---|---|---|---|---|
0125C2B0 | .5 | | 522 | COMMON | -1.00% |
01259968 | .3 | | 265 | COMMON | -1.00% |