Analysis Report nT5pUwoJSS.dll
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
Threatname: Ursnif |
---|
{"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: |
Source: | IP Address: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif |
Source: | File source: |
Source: | Binary or memory string: |
E-Banking Fraud: |
---|
Yara detected Ursnif |
Source: | File source: |
System Summary: |
---|
Writes registry values via WMI |
Source: | WMI Registry write: |
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | File read: |
Source: | Process created: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Automated click: |
Source: | Window detected: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Code function: |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif |
Source: | File source: |
Source: | Process information set: |
Source: | Last function: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Code function: |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection12 | Masquerading1 | Input Capture1 | System Time Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Security Software Discovery11 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | Account Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | System Owner/User Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
nT5pUwoJSS.dll | 21% | ReversingLabs | Win32.Trojan.Zusy | |
nT5pUwoJSS.dll | 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
 | 100% | Avira | HEUR/AGEN.1108168 | | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
outlook.com | 40.97.153.146 | true | false | | high |
HHN-efz.ms-acdc.office.com | 52.97.233.66 | true | false | | high |
www.outlook.com | unknown | unknown | false | | high |
outlook.office365.com | unknown | unknown | false | | high |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | false | | high |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | high |
 | | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
52.97.233.66 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
40.101.137.82 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
40.97.153.146 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 412166 |
Start date: | 12.05.2021 |
Start time: | 13:05:21 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 59s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | nT5pUwoJSS.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.troj.winDLL@15/9@3/3 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
13:07:40 | API Interceptor | |
13:08:01 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
40.97.153.146 | 6 associated samples | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
HHN-efz.ms-acdc.office.com | 8 associated samples | | malicious | | |
outlook.com | 12 associated samples | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
MICROSOFT-CORP-MSN-AS-BLOCKUS | 20 associated samples | | malicious | | |
MICROSOFT-CORP-MSN-AS-BLOCKUS | 20 associated samples | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12274 |
Entropy (8bit): | 3.760387811626687 |
Encrypted: | false |
SSDEEP: | 192:+5WBNis0oXZHNXwRjed+E/u7sOS274ItWco:Z7iqXJNXwRjeh/u7sOX4ItWco |
MD5: | 65B1A8F8223E4AB018A95B43305BB1C8 |
SHA1: | 48B24682C2E0631A963EB2BEF63ABD6F50ECF4C5 |
SHA-256: | 5C437229DCC881F3B4F37B7BB9B772AADD7AD70D95C1E89E9A451E8C94726565 |
SHA-512: | B8368FBD391A5E5076D6ECE48C7D72A54678CE7804E745C7F734AD7C0D5F9C950C261ACBAD104FCA66DA226B637B0947043A395E90F4CEE78AD4C4F2FC3B4F1A |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59358 |
Entropy (8bit): | 1.9984891529039928 |
Encrypted: | false |
SSDEEP: | 192:fMcuApA1pdJOjc9qElfIpsp6Arg76Sn/kc/XOYAg04xG2OFY+GkxMHhrUlnaOuIq:zrA1pbOiPc7NN/r1xOY+GkxMHYaOuJp |
MD5: | 2DFACEB2A6B8E2DB10FA736DE4498EAC |
SHA1: | 59577B330853D4007FFD428C7A70100F6373F93E |
SHA-256: | DF885B82793B6A37F202AD54154B6CDAC1F386C92701CF861E596B7AC12BAD52 |
SHA-512: | E48799E4955583C38E32D6BB69659B283872CA62DB27C401B8649FC3B6E5378CEBBEFDD65BF57CD53438DC72A10605644F1EB0FCE533D40726D15876ABB98A17 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8290 |
Entropy (8bit): | 3.6921112436173114 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiRjB6dq6YTJ64LZLGgmfTkOS3A+pDB89ba6TsfSmkYm:RrlsNiVB6dq6Y964tagmfTkOS3qa64fs |
MD5: | D2AE7D4FC19E3D3F00CB3BBA18716414 |
SHA1: | F27E57C80022F1AD378735B72957A6A4B05805E4 |
SHA-256: | A73833AD0DB5A85528DAD79B81C85DB2EC216A26CE6E5E54EE4EFAF76ACD3C37 |
SHA-512: | EF0D028A7827972648BC05A27D663712021B1B60ADA68BEE39322953D14959E472A79B7929F6DDFA7CCCD49BB5A064FCEB1EBF41BF1A4DA7FA042F844D27016D |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4629 |
Entropy (8bit): | 4.450080143760217 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsLtJgtWI96UWSC8BZ78fm8M4JCds9FK+q8/5CA4SrSMd:uITfLH9NSN/4JgwDWMd |
MD5: | 3A363033BCDA509CC11610F8EAE185F1 |
SHA1: | 78454D6E43EC4DA98F46B02EF181673BCD929E6E |
SHA-256: | E9E57C10B891757381366073C1037A28BD36DB3DAB60F99BEE3D2690BC0107EB |
SHA-512: | 2EEE18A1B383B6EFD63A077EB19D6962376420E14767329925B1C99B8FE4E415A2482D67B9DF1D39FE3FF0744AF5407F6AA97304F6FF5B1CADDB7B3170EB834A |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29272 |
Entropy (8bit): | 1.7680840235180313 |
Encrypted: | false |
SSDEEP: | 192:rwZPZTw22TwzWTwttTwyifTwVJnzMTwLvd6vbBTwuYpB:rgxilQArz0 |
MD5: | F75591F98019D2A0608F3FB097EA2F15 |
SHA1: | 4787CAEFE912FB167C6FEB9FE00EEC553BDEA5FC |
SHA-256: | EB3FC9C41D9193ED4B8409124C88AF54D920E178F2CF2FBF466CA0CEA4C4A534 |
SHA-512: | 8D9EF494C0885A2E3A489E923F8934839E91B90383DD56785E715EECC13F0170C3696DDFFF0200AEC840505CF2EF538A393BDD870573BBC676F7D75D9C781D80 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 27392 |
Entropy (8bit): | 1.8524964337535361 |
Encrypted: | false |
SSDEEP: | 192:rHZUQs6Skhjl2pWAM0KIRKDDZBRIRKDDZNKD/A:r5d3L9cYVTCKD5CKDvKDo |
MD5: | 8B7FC14949EEB4934FD6671CDF794B2E |
SHA1: | 258C482B68B3B6141A58274D970E0B6207DB7ED9 |
SHA-256: | 9EC0132700BAA61FE67AFAFF537B02FE5A31E856547FD0D7528964F4AC7EC3B6 |
SHA-512: | E29B09803C09DE623B3BB597AF7A4993B948AEE901871C459E6B2A5F024B15313688FBBAD3F181B042C39DBCDE1B9C3321DCDD67D6E696A60BA2854AC11F9C70 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | modified |
Size (bytes): | 89 |
Entropy (8bit): | 4.488012965147007 |
Encrypted: | false |
SSDEEP: | 3:oVXUXvcXSdH8JOGXnEXvcSeFUUCn:o9UXEXwqEXES |
MD5: | 174BE973E6B0C3BD797883F3212802DF |
SHA1: | 954D60C1360503B14A9E51AB3ACA4BDD2A5C0EB4 |
SHA-256: | C13A06C3F7825D7230CB567F756CDE4F8CADDE35A8FBED07F36E4688E0432EBA |
SHA-512: | 2E197883B6869C97B25DF329FFDB17A3AFAFEADF364613E0DB314B3CCFEC53E74658F36F66B605987E48B8BB53CD63B017242DC22228EC2121E56DA6A4434702 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 39681 |
Entropy (8bit): | 0.5798862163096153 |
Encrypted: | false |
SSDEEP: | 192:kBqoxKAuqR+9DhAjxIRKDDZ3IRKDDZjIRKDDZo:kBqoxKAuqR+9DhAjxCKDdCKDRCKD2 |
MD5: | 4B91B3F5A88EEBB6F58712D6DAC44382 |
SHA1: | 3E64372F0900AD52FE1259E702A1F0C2DE8004B0 |
SHA-256: | E2BA9974330571C2AD06972236C49D39DABF23514931341E6CCD45518C3F1AF4 |
SHA-512: | DFE874DEB1728240E12D778A374C521AD84BD7FA013D222665EF5E2032540DDB3333CEF9B722C1FEADC4E8077980F9F915517590A628CBCB0F5B4788CB9EBCFB |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12933 |
Entropy (8bit): | 0.4074938468026375 |
Encrypted: | false |
SSDEEP: | 24:c9lLh9lLh9lIn9lIn9loTwP9loTwP9lWTwkci:kBqoITwQTwuTwO |
MD5: | A7BD0ABE7B8FC7B1D1EADEC39A42E343 |
SHA1: | 83109B9245E2D070D04B32FA123C9D81EC10F66F |
SHA-256: | 51542B6CDC943EB6BE14D54417295C84A4FAF1FE953309D01F82ACAC05E59684 |
SHA-512: | B4B3E3AA2E56352062DDD43124FE1E1E8615C586546498A43346A6A8A27204601F55AA9405F90596767ECDFC2B2845AFE2A2F27CD04EE3953DFF71B1F4DBCE45 |
Malicious: | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.324538219307157 |
TrID: | |
File name: | nT5pUwoJSS.dll |
File size: | 478720 |
MD5: | 6fdbd25f7a84da80ee9d8577122c3291 |
SHA1: | 39a52cbc48be934cf953d4699e8a1ea5ff53a5bf |
SHA256: | 4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3 |
SHA512: | 935e43b18efb458f246523976f6b71655cf5c4465cddc86e5b91a9acc8e5d77f3bc3d2b0414d9e08114f286afd682cb9364193babaec4cd6b6ca871abf5b79de |
SSDEEP: | 12288:4Z31u8+a95+CA9lROexg8P7CbxXTTbWA:4Z31P9wr9lROog8W/ |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C...".J.".J.".J...J.".J.pwJ.".J4mrJ.".J.pqJ.".J.pgJ.".J.p`J.".J...J.".J.".J.#.J.pkJ.".J.pvJ.".J.ppJ.".J.puJ.".JRich.".J....... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x1041953 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x1000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE |
Time Stamp: | 0x608B79B0 [Fri Apr 30 03:29:52 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | a2f0d616525ae6c643810961c7d4fdfe |
Entrypoint Preview |
---|
Instruction |
---|
mov edi, edi |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FC9209ACBD7h |
call 00007FC9209B153Ch |
push dword ptr [ebp+08h] |
mov ecx, dword ptr [ebp+10h] |
mov edx, dword ptr [ebp+0Ch] |
call 00007FC9209ACAC1h |
pop ecx |
pop ebp |
retn 000Ch |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
xor ecx, ecx |
cmp eax, dword ptr [01073618h+ecx*8] |
je 00007FC9209ACBE5h |
inc ecx |
cmp ecx, 2Dh |
jc 00007FC9209ACBC3h |
lea ecx, dword ptr [eax-13h] |
cmp ecx, 11h |
jnbe 00007FC9209ACBE0h |
push 0000000Dh |
pop eax |
pop ebp |
ret |
mov eax, dword ptr [0107361Ch+ecx*8] |
pop ebp |
ret |
add eax, FFFFFF44h |
push 0000000Eh |
pop ecx |
cmp ecx, eax |
sbb eax, eax |
and eax, ecx |
add eax, 08h |
pop ebp |
ret |
call 00007FC9209AE4A6h |
test eax, eax |
jne 00007FC9209ACBD8h |
mov eax, 01073780h |
ret |
add eax, 08h |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov dword ptr [0108B5ACh], eax |
pop ebp |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
push dword ptr [0108B5ACh] |
call 00007FC9209AE2A6h |
pop ecx |
test eax, eax |
je 00007FC9209ACBE1h |
push dword ptr [ebp+08h] |
call eax |
pop ecx |
test eax, eax |
je 00007FC9209ACBD7h |
xor eax, eax |
inc eax |
pop ebp |
ret |
xor eax, eax |
pop ebp |
ret |
mov edi, edi |
push esi |
push edi |
xor esi, esi |
mov edi, 0108B5B8h |
cmp dword ptr [0107378Ch+esi*8], 01h |
jne 00007FC9209ACBF0h |
lea eax, dword ptr [00000088h+esi*8] |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x72630 | 0x6f | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71e64 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8d000 | 0x3bc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0x1544 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x49190 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x70c08 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x49000 | 0x15c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4732e | 0x47400 | False | 0.745877878289 | data | 6.57408998047 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x49000 | 0x2969f | 0x29800 | False | 0.65666768637 | data | 5.42368765721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x73000 | 0x1917c | 0x1400 | False | 0.2435546875 | data | 3.63177828336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x8d000 | 0x3bc | 0x400 | False | 0.4091796875 | data | 3.09285651514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x8e000 | 0x2588 | 0x2600 | False | 0.456106085526 | data | 4.61056666922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
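The per-section figures in the table above (entropy, ZLIB complexity) are what a triager reads first: an executable section near 8 bits/byte means packed or encrypted code, and a writable section whose Virtual Size dwarfs its Raw Size (here .data: 0x1917c virtual against 0x1400 on disk) is a large zero-filled region the loader reserves, typically where an unpacker or configuration is written at run time. The following is an added example written for this page, not code from Joe Sandbox or from the sample: a standard-library PE section walker that reproduces those two columns and flags both conditions. The PE image it parses is constructed inside `build_demo_pe()` for the demonstration (with .data's virtual size copied from the table above); the 7.0 entropy limit and the 4x growth ratio are the editor's thresholds, not values from the report.

```python
# Added example: standard-library PE section walker. The image it parses is
# constructed in build_demo_pe() for the demo, not the analysed sample.
import hashlib
import math
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, close to 8.0 for packed/encrypted data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed/uncompressed ratio, the figure in the report's 'ZLIB Complexity' column."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_sections(pe: bytes) -> list:
    """One dict per section header, with entropy and zlib ratio of its raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = struct.unpack_from(COFF_FMT, pe, e_lfanew + 4)
    n_sections, size_opt = coff[1], coff[5]
    table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + size_opt
    if table + n_sections * 40 > len(pe):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(n_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, pe, table + i * 40)
        if rawptr + rawsize > len(pe):
            raise ValueError("section %r raw data runs past end of file" % name)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
                         "characteristics": chars, "entropy": shannon_entropy(raw),
                         "zlib_complexity": zlib_complexity(raw)})
    return sections


def suspicious_sections(sections: list, entropy_limit: float = 7.0, growth: int = 4) -> list:
    """(name, reason) for executable sections that look packed and writable sections that
    are mostly uninitialised on disk (an unpacking or configuration staging area)."""
    findings = []
    for s in sections:
        ch = s["characteristics"]
        if ch & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > entropy_limit:
            findings.append((s["name"], "executable, entropy %.2f" % s["entropy"]))
        if ch & IMAGE_SCN_MEM_WRITE and s["virtual_size"] > growth * max(s["raw_size"], 1):
            findings.append((s["name"], "VirtualSize 0x%x vs RawSize 0x%x" % (s["virtual_size"], s["raw_size"])))
    return findings


def build_demo_pe() -> bytes:
    """Constructed PE32 image (assumption, not the sample): incompressible .text plus a .data
    section whose VirtualSize is the report's 0x1917c over a raw size of only 0x400."""
    text, block = b"", b"seed"
    while len(text) < 0x1000:                 # deterministic pseudo-random bytes
        block = hashlib.sha256(block).digest()
        text += block
    data = (b"\0" * 0x3F0 + b"Tail.dll\0").ljust(0x400, b"\0")
    text_ptr = (0x40 + 4 + 20 + 0xE0 + 2 * 40 + 0x1FF) & ~0x1FF   # file alignment 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")               # PE32 magic only
    secs = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    secs += struct.pack(SECTION_FMT, b".data", 0x1917C, 0x2000, len(data), text_ptr + len(text), 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return (dos + b"PE\0\0" + coff + opt + secs).ljust(text_ptr, b"\0") + text + data


if __name__ == "__main__":
    secs = parse_sections(build_demo_pe())
    for s in secs:
        print("%-6s VA 0x%05x VSize 0x%05x Raw 0x%05x entropy %.2f zlib %.3f" % (
            s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"], s["entropy"], s["zlib_complexity"]))
    for name, why in suspicious_sections(secs):
        print("!", name, why)
```

Run it against a real file with `parse_sections(open(path, "rb").read())`; the demo image is only there so the script runs offline. Note that the entropy check is deliberately restricted to executable sections: .rdata and .rsrc routinely carry compressed resources or string tables with elevated entropy without meaning anything.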
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x8d058 | 0x364 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | QueryPerformanceCounter, GetVolumeInformationW, GetSystemTime, GetModuleHandleW, GetVersionExW, OpenProcess, GetDateFormatW, FindResourceW, LockResource, GetLocalTime, HeapCreate, CreateFileW, HeapFree, HeapCompact, HeapAlloc, VirtualProtectEx, GetCurrentDirectoryW, SetConsoleCP, SetConsoleOutputCP, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, LoadLibraryA, GetLastError, HeapReAlloc, RtlUnwind, GetCurrentThreadId, GetCommandLineA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapDestroy, VirtualFree, VirtualAlloc, Sleep, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, RaiseException, HeapSize, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount |
ole32.dll | CoCreateInstance, CoUninitialize, OleInitialize, OleUninitialize, CoInitialize |
WINSPOOL.DRV | EnumPrintersW, GetPrinterDataW, GetPrinterW, DocumentPropertiesW, OpenPrinterW, ClosePrinter |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Eithernothing | 1 | 0x103a020 |
Order | 2 | 0x1039f40 |
Smileschool | 3 | 0x1039b20 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Notice sister Corporation. All rights reserved |
InternalName | Slow |
FileVersion | 3.2.1.380 |
CompanyName | Notice sister Corporation |
ProductName | Notice sister Soil read |
Observe | 38 |
ProductVersion | 3.2.1 |
FileDescription | Notice sister Soil read Skinneed |
OriginalFilename | Tail.dll |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 12, 2021 13:07:56.524216890 CEST | 49753 | 80 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.524513006 CEST | 49754 | 80 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.652859926 CEST | 80 | 49753 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:56.653002977 CEST | 49753 | 80 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.653544903 CEST | 80 | 49754 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:56.653630018 CEST | 49754 | 80 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.654592991 CEST | 49753 | 80 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.787769079 CEST | 80 | 49753 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:56.788000107 CEST | 49753 | 80 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.788275957 CEST | 49753 | 80 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.807976961 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.917027950 CEST | 80 | 49753 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:56.939476013 CEST | 443 | 49755 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:56.939598083 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.956787109 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:57.088217020 CEST | 443 | 49755 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:57.088253975 CEST | 443 | 49755 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:57.088278055 CEST | 443 | 49755 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:57.088347912 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:57.088407993 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:57.135567904 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:57.141473055 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:57.267406940 CEST | 443 | 49755 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:57.267497063 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:57.273684978 CEST | 443 | 49755 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:57.273825884 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:57.274255991 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:57.340895891 CEST | 49757 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.341072083 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.389771938 CEST | 443 | 49757 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.389811039 CEST | 443 | 49756 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.389878988 CEST | 49757 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.389921904 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.391278028 CEST | 49757 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.392539024 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.404428005 CEST | 443 | 49755 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:57.440767050 CEST | 443 | 49757 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.440804958 CEST | 443 | 49757 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.440829992 CEST | 443 | 49757 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.440850973 CEST | 49757 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.440888882 CEST | 49757 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.441837072 CEST | 443 | 49756 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.441859961 CEST | 443 | 49756 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.441878080 CEST | 443 | 49756 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.441922903 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.441966057 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.456420898 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.456739902 CEST | 49757 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.457509995 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.507992983 CEST | 443 | 49757 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.508028984 CEST | 443 | 49756 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.508058071 CEST | 443 | 49756 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.508086920 CEST | 49757 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.508121967 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.510467052 CEST | 443 | 49756 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.510528088 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.511269093 CEST | 49756 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.559741020 CEST | 443 | 49756 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.595808029 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.595855951 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.645627022 CEST | 443 | 49759 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.645654917 CEST | 443 | 49758 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.645747900 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.645814896 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.649241924 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.650088072 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.701133013 CEST | 443 | 49759 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.701167107 CEST | 443 | 49759 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.701189041 CEST | 443 | 49759 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.701257944 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.701292038 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.701807976 CEST | 443 | 49758 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.701838017 CEST | 443 | 49758 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.701862097 CEST | 443 | 49758 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.701891899 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.701932907 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.715931892 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.716289043 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.720307112 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.765304089 CEST | 443 | 49759 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.766113043 CEST | 443 | 49759 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.766210079 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.770592928 CEST | 443 | 49758 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.770699978 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.794503927 CEST | 443 | 49759 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.794528008 CEST | 443 | 49759 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:57.794564962 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.794585943 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:58.988245010 CEST | 49754 | 80 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:58.988343954 CEST | 49759 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:58.989630938 CEST | 49757 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:58.989656925 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 12, 2021 13:06:00.430233955 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:00.479023933 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:06:01.537579060 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:01.589147091 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:06:01.686364889 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:01.749185085 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:06:02.330004930 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:02.381606102 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:06:03.079670906 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:03.131386995 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:06:03.838140965 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:03.890248060 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:06:05.137980938 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:05.186661959 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:06:06.116621017 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:06.165359974 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:06:07.012972116 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:07.064455986 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:06:59.158689022 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:06:59.218735933 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:13.575684071 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:13.624511003 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:33.184400082 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:33.233283997 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:34.089867115 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:34.147365093 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:35.026246071 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:35.086539030 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:35.351069927 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:35.401068926 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:36.008440971 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:36.083830118 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:37.127737045 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:37.176460028 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:38.093313932 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:38.143081903 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:39.032254934 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:39.081478119 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:41.426986933 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:41.476294041 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:42.213614941 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:42.263492107 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:42.913527966 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:42.973959923 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:43.147269964 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:43.198693991 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:44.032737017 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:44.083465099 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:54.982896090 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:55.040282965 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:56.442893982 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:56.493007898 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:57.287398100 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:57.337733984 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:07:57.538420916 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:07:57.587490082 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
May 12, 2021 13:08:01.508614063 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
May 12, 2021 13:08:01.557399988 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
May 12, 2021 13:07:56.442893982 CEST | 192.168.2.4 | 8.8.8.8 | 0x4465 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 13:07:57.287398100 CEST | 192.168.2.4 | 8.8.8.8 | 0x80a2 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 13:07:57.538420916 CEST | 192.168.2.4 | 8.8.8.8 | 0x4050 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
May 12, 2021 13:07:35.401068926 CEST | 8.8.8.8 | 192.168.2.4 | 0x64b5 | No error (0) | www.tm.a.prd.aadg.trafficmanager.net | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:07:56.493007898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4465 | No error (0) | 40.97.153.146 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:56.493007898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4465 | No error (0) | 40.97.161.50 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:56.493007898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4465 | No error (0) | 40.97.116.82 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:56.493007898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4465 | No error (0) | 40.97.160.2 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:56.493007898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4465 | No error (0) | 40.97.148.226 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:56.493007898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4465 | No error (0) | 40.97.164.146 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:56.493007898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4465 | No error (0) | 40.97.128.194 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:56.493007898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4465 | No error (0) | 40.97.156.114 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | outlook.office365.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | outlook.ha.office365.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | outlook.ms-acdc.office.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | HHN-efz.ms-acdc.office.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | 52.97.233.66 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | 40.101.137.98 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | 52.98.152.178 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | 52.97.233.82 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:57.587490082 CEST | 8.8.8.8 | 192.168.2.4 | 0x4050 | No error (0) | outlook.ha.office365.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:07:57.587490082 CEST | 8.8.8.8 | 192.168.2.4 | 0x4050 | No error (0) | outlook.ms-acdc.office.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:07:57.587490082 CEST | 8.8.8.8 | 192.168.2.4 | 0x4050 | No error (0) | HHN-efz.ms-acdc.office.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:07:57.587490082 CEST | 8.8.8.8 | 192.168.2.4 | 0x4050 | No error (0) | 40.101.137.82 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:57.587490082 CEST | 8.8.8.8 | 192.168.2.4 | 0x4050 | No error (0) | 52.97.233.98 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:57.587490082 CEST | 8.8.8.8 | 192.168.2.4 | 0x4050 | No error (0) | 40.101.136.18 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:07:57.587490082 CEST | 8.8.8.8 | 192.168.2.4 | 0x4050 | No error (0) | 52.98.175.18 | A (IP address) | IN (0x0001) |
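The TCP and DNS tables above are per-packet and per-record; the question an incident responder actually asks is which endpoints the sandbox talked to, for how long, and which DNS transaction handed out each destination address. The following is an added example, written for this page and not part of the Joe Sandbox report: it collapses rows in the report's own pipe-separated format into flows and joins each destination IP to the transaction ID whose A record returned it, reporting the last CNAME seen in that transaction. The rows embedded in the block are a subset copied from the two tables above (the extraction has left the queried-name column blank and placed the record data in the sixth column, which the parser relies on); treating 192.168.2.0/24 as the sandbox side is the editor's assumption, based on the 192.168.2.4 client address in the tables.

```python
# Added example, not from the Joe Sandbox report: flow summary plus DNS correlation
# over rows in the report's pipe format. The rows are a subset copied from the
# report's TCP Packets and DNS Answers tables; LOCAL_NET is an assumption.
from collections import defaultdict
from datetime import datetime

TCP_ROWS = """\
May 12, 2021 13:07:56.524216890 CEST | 49753 | 80 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.652859926 CEST | 80 | 49753 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:56.807976961 CEST | 49755 | 443 | 192.168.2.4 | 40.97.153.146 |
May 12, 2021 13:07:56.939476013 CEST | 443 | 49755 | 40.97.153.146 | 192.168.2.4 |
May 12, 2021 13:07:57.340895891 CEST | 49757 | 443 | 192.168.2.4 | 52.97.233.66 |
May 12, 2021 13:07:57.389771938 CEST | 443 | 49757 | 52.97.233.66 | 192.168.2.4 |
May 12, 2021 13:07:57.595808029 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
May 12, 2021 13:07:57.645654917 CEST | 443 | 49758 | 40.101.137.82 | 192.168.2.4 |
May 12, 2021 13:07:58.989656925 CEST | 49758 | 443 | 192.168.2.4 | 40.101.137.82 |
"""

DNS_ROWS = """\
May 12, 2021 13:07:56.493007898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4465 | No error (0) | 40.97.153.146 | A (IP address) | IN (0x0001) | |
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | outlook.office365.com | CNAME (Canonical name) | IN (0x0001) | |
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | HHN-efz.ms-acdc.office.com | CNAME (Canonical name) | IN (0x0001) | |
May 12, 2021 13:07:57.337733984 CEST | 8.8.8.8 | 192.168.2.4 | 0x80a2 | No error (0) | 52.97.233.66 | A (IP address) | IN (0x0001) | |
May 12, 2021 13:07:57.587490082 CEST | 8.8.8.8 | 192.168.2.4 | 0x4050 | No error (0) | outlook.ha.office365.com | CNAME (Canonical name) | IN (0x0001) | |
May 12, 2021 13:07:57.587490082 CEST | 8.8.8.8 | 192.168.2.4 | 0x4050 | No error (0) | 40.101.137.82 | A (IP address) | IN (0x0001) | |
"""

LOCAL_NET = "192.168.2."   # assumption: the sandbox guest network


def split_row(line: str) -> list:
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_ts(text: str) -> datetime:
    """'May 12, 2021 13:07:56.524216890 CEST' -> datetime; nanoseconds truncated to microseconds."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime("%s.%s" % (head, frac[:6]), "%b %d, %Y %H:%M:%S.%f")


def tcp_flows(rows: str) -> dict:
    """Group packets by (client port, server IP, server port) and count each direction."""
    flows = {}
    for line in rows.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = split_row(line)[:5]
        t = parse_ts(ts)
        if src.startswith(LOCAL_NET):
            key, direction = (int(sport), dst, int(dport)), "out"
        else:
            key, direction = (int(dport), src, int(sport)), "in"
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": t, "last": t})
        f[direction] += 1
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
    return flows


def dns_index(rows: str) -> dict:
    """address -> (transaction id, CNAME names seen in that transaction, in answer order)."""
    names = defaultdict(list)
    addrs = {}
    for line in rows.splitlines():
        if not line.strip():
            continue
        cols = split_row(line)
        txid, rdata, rtype = cols[3], cols[5], cols[6]
        if rtype.startswith("CNAME"):
            names[txid].append(rdata)
        elif rtype.startswith("A "):
            addrs[rdata] = txid
    return {ip: (txid, names.get(txid, [])) for ip, txid in addrs.items()}


def correlate(tcp_rows: str = TCP_ROWS, dns_rows: str = DNS_ROWS) -> list:
    """One record per flow: server endpoint, packet counts, duration, and how the IP was learned."""
    index = dns_index(dns_rows)
    out = []
    for (cport, ip, port), f in sorted(tcp_flows(tcp_rows).items()):
        txid, chain = index.get(ip, (None, []))
        out.append({"client_port": cport, "server": "%s:%d" % (ip, port),
                    "pkts_out": f["out"], "pkts_in": f["in"],
                    "seconds": (f["last"] - f["first"]).total_seconds(),
                    "dns_txid": txid, "resolved_via": chain[-1] if chain else None})
    return out


if __name__ == "__main__":
    for r in correlate():
        print(r)
```

A destination with no `dns_txid` is the interesting case in a real capture: it means the address was hard-coded or obtained some other way rather than resolved during the run. Here every destination maps back to a transaction, and transaction 0x4465 carries no CNAME rows at all because the extracted report dropped the queried name, so `resolved_via` stays `None` for the 40.97.153.146 flows.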
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49753 | 40.97.153.146 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 12, 2021 13:07:56.654592991 CEST | 1552 | OUT | |
May 12, 2021 13:07:56.787769079 CEST | 1552 | IN |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 13:06:05 |
Start date: | 12/05/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x190000 |
File size: | 116736 bytes |
MD5 hash: | 542795ADF7CC08EFCF675D65310596E8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:06:06 |
Start date: | 12/05/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x11d0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:06:06 |
Start date: | 12/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:06:06 |
Start date: | 12/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 13:06:10 |
Start date: | 12/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:06:14 |
Start date: | 12/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:07:51 |
Start date: | 12/05/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xcf0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:07:53 |
Start date: | 12/05/2021 |
Path: | C:\Program Files\internet explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7fded0000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:07:54 |
Start date: | 12/05/2021 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe90000 |
File size: | 822536 bytes |
MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|