Windows Analysis Report 3b17.dll
Overview
General Information
Detection
Ursnif
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Malware Configuration |
---|
Threatname: Ursnif |
---|
{"lang_id": "RU, CN", "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "PNJeXnLTijShJqmR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
17 memory dumps (dump names not retained in this export) | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
3 unpacked PE files (file names not retained in this export) | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Signature | Evidence |
---|---|
Found malware configuration | Malware Configuration Extractor (see Malware Configuration above) |
Multi AV Scanner detection for submitted file | Metadefender, ReversingLabs (see the Antivirus detection tables below) |
Further evidence rows in this category whose signature names and values were not retained | Code function; Static PE information (2); File opened; Binary string |
Networking: |
---|
Signature | Evidence |
---|---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | 10 Snort IDS hits; the rule IDs and messages are listed under Network Behavior, Snort IDS Alerts |
Further evidence rows in this category whose signature names and values were not retained | ASN Name; HTTP traffic detected (9); DNS traffic detected; String found in binary or memory (4) |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Signature | Evidence |
---|---|
Yara detected Ursnif | 25 file sources (memory dumps and unpacked PEs; names not retained) |
E-Banking Fraud: |
---|
Signature | Evidence |
---|---|
Yara detected Ursnif | 25 file sources (memory dumps and unpacked PEs; names not retained) |
Further evidence row in this category whose signature name and value were not retained | Code function |
System Summary: |
---|
Signature | Evidence |
---|---|
Writes or reads registry keys via WMI | WMI Queries (4) |
Writes registry values via WMI | WMI Registry write (6) |
Further evidence rows in this category whose signature names and values were not retained | Code function (51); Static PE information (11); Process created (19); File created (2); File read; File opened; Key opened; Key value queried; Automated click (4); Window detected; Binary string; Classification label (mal80.troj.winDLL@18/8@6/1, see General Information); Metadefender and ReversingLabs results (see the Antivirus detection tables) |
Hooking and other Techniques for Hiding and Protection: |
---|
Signature | Evidence |
---|---|
Yara detected Ursnif | 25 file sources (memory dumps and unpacked PEs; names not retained) |
Further evidence rows in this category whose signature names and values were not retained | Registry key monitored for changes; Process information set (19); Last function; Code function (24); Process created; Binary or memory string (4); Key value queried (2) |
Stealing of Sensitive Information: |
---|
Signature | Evidence |
---|---|
Yara detected Ursnif | 25 file sources (memory dumps and unpacked PEs; names not retained) |
Remote Access Functionality: |
---|
Signature | Evidence |
---|---|
Yara detected Ursnif | 25 file sources (memory dumps and unpacked PEs; names not retained) |
Mitre Att&ck Matrix |
---|
Only the techniques that carry a hit count (the superscript number rendered after the technique name in the report) are matched by this sample; the remaining cells of the rendered matrix are the unmatched template and are omitted here. |
---|
Tactic | Technique (number of matching signatures, as rendered) |
---|---|
Execution | Windows Management Instrumentation (2); Native API (1) |
Privilege Escalation | Process Injection (12) |
Defense Evasion | Process Injection (12); Masquerading (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Rundll32 (1) |
Discovery | System Time Discovery (2); Query Registry (1); Security Software Discovery (1); Process Discovery (2); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (34) |
Collection | Archive Collected Data (11) |
Command and Control | Encrypted Channel (2); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (3) |
Impact | Data Encrypted for Impact (1) |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
3b17.dll | 23% | Metadefender | | Browse |
3b17.dll | 55% | ReversingLabs | Win32.Trojan.Wacatac | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
3 unpacked PE files (names not retained) | 100% | Avira | HEUR/AGEN.1108168 | | Download File |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
8 URLs (not retained) | 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
gtr.antoinfer.com | 165.232.183.49 | true | true | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
4 URLs (not retained) | true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
4 URLs (not retained) | | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
165.232.183.49 | gtr.antoinfer.com | United States | 22255 | ALLEGHENYHEALTHNETWORKUS | true |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 444315 |
Start date: | 05.07.2021 |
Start time: | 16:50:19 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 42s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 3b17.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 29 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal80.troj.winDLL@18/8@6/1 |
EGA Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
165.232.183.49 | (not retained) | Get hash | malicious | Browse | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
gtr.antoinfer.com | (not retained) | Get hash | malicious | Browse | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ALLEGHENYHEALTHNETWORKUS | 18 associated samples (names and hashes not retained), all flagged malicious | Get hash | malicious | Browse | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\internet explorer\iexplore.exe |
Category: | dropped |
Size (bytes): | 33448 |
Entropy (8bit): | 1.9157082965419407 |
Encrypted: | false |
SSDEEP: | 192:rxZ2Z62NLWst1Yf8txdM7J7DJZ/4WWjiQLMMnsQL3:r3y5NiY1mYx+7J7DJZ/4WiiQL5nsQL3 |
MD5: | 3928A30DF03768803E774801C3F4E561 |
SHA1: | AF25581F03824CBF0A6EBFED628C1E8E39AC8A2A |
SHA-256: | 156FB623D241F07C64B078E4AC5A1A6DA3D1F0CBF12B52A6ADA2AA9C59733691 |
SHA-512: | 0AB27C29FE614E23B521507B10B353A71930786B1419297BBECA36B347AD62ED7D71736B65992F3BEA9DFAEB9D0E561A0D5926183546AA31D4428663ECD816D9 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
Category: | dropped |
Size (bytes): | 24844 |
Entropy (8bit): | 1.7646611420791007 |
Encrypted: | false |
SSDEEP: | 48:Iw4GcprBGwpaQG4pQoGrapbSyZGQpB1oGHHpc16aTGUp81UGzYpm1yGOGopLnytS:rMZbQQ62BSyzjp2IqWmMX+tw2Wldrgkg |
MD5: | 29FD5C1C69C7FC7F8CA99BE1A73BBF11 |
SHA1: | 9BFD2294C0CF68C65F03227C23080967B33497D2 |
SHA-256: | C7BF1096E4F9835AC4CE120913AAE7DAA62E3B0A22551E8D2F6F17F6C20CC74D |
SHA-512: | 39131C8A41616DA3A2662C0A3FC1EA00D4858B76274646F9AABB63EA04BFC9CE0C93317638A534D273C41479A1AF79D7BDED5E7ECD8495B932A2A02D57A172BC |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
Category: | dropped |
Size (bytes): | 24844 |
Entropy (8bit): | 1.767594786399834 |
Encrypted: | false |
SSDEEP: | 96:rsZzQr6dBShzjN28qWkMd+tLyTPXoIwcg:rsZzQr6dkhzjN28qWkMd+tLG4Iwcg |
MD5: | 95B02B154963EB5617DE99433FDF03F5 |
SHA1: | 893E930D4040A1453A034979F3E718726C97AC97 |
SHA-256: | 5E24B25EB859E4C5BA40C3929D5E3DAF8CA21DE8875E0757ABA18432D4CADB00 |
SHA-512: | B272E54BB1660B5811590BC124F3E7A00C71CBB0EC3A1AD30D5FAF00BEFB9921A7602223BCE22557EEB717017F00D478E51320A495DEE179B5B7ACB078FB0C00 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Category: | dropped |
Size (bytes): | 236270 |
Entropy (8bit): | 5.999802763577416 |
Encrypted: | false |
SSDEEP: | 6144:i/d/ybCg2dciObr8mv4iQRV9JGAO/KZpAeXoIXQUkuySbN:i/3+UHiQyPKPPgZabN |
MD5: | 9B70C50AD598C9590F179E69C851569A |
SHA1: | 1221CCA6F041E66E10C09D1188801EE0B6AC2B20 |
SHA-256: | 7D13B1A54AB1861868E01CF63FE17AA99A27AD4CD014F7BBB48ACD74891C9B73 |
SHA-512: | 5D521E3D1B265F7219DFC9C30DE5FEF12617959D930951039B322E1559D7341E30744C63A8856649B7E943B1B0B259EFF97DD03415085E6361A6F70389563FDB |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Category: | downloaded |
Size (bytes): | 258240 |
Entropy (8bit): | 5.999817357934779 |
Encrypted: | false |
SSDEEP: | 6144:i/d/ybCg2dciObr8mv4iQRV9JGAO/KZpAeXoIXQUkuySb39kC:i/3+UHiQyPKPPgZabtF |
MD5: | DFB6898B5C07756E927BC079F55B7EF7 |
SHA1: | 4972812015301D42C9E890801EA36BA4C7838AEB |
SHA-256: | 46BF96945DD89AD3C83CF46973B6CD50E48C2F7C004443C99A3AE81FA0722AA4 |
SHA-512: | F49798EACD58002F08F9056CB5B80D3FFFFCAB40F11914D64285603C0FB0D959898C46881C878D0B3DC8C60E4DBE017AAA50F2F0C9F92F7A216BED8D2D7241CF |
Malicious: | false |
IE Cache URL: | http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO |
Process: | C:\Program Files\internet explorer\iexplore.exe |
Category: | dropped |
Size (bytes): | 13141 |
Entropy (8bit): | 0.5397612142950505 |
Encrypted: | false |
SSDEEP: | 48:kBqoIESEMEjJGBAJGjrLfGjrdGn+JGjrdGBE:kBqoIb9ZXHL+HAfHA2 |
MD5: | C459193FAA74EC923EDD2AEE7869BF97 |
SHA1: | 33532D83C18FF5424850FE6A291EA2C1BF074C11 |
SHA-256: | 8489A8C19C851490538B90EB97FD817191EE9E0BE42D5A14136A2388B615DDF4 |
SHA-512: | DA69F632F055ADDE01D8B51BD3A9C8F971500DA9B1B922E300B23F0954F1D0105AA2EF97F89D0E54B2151B5BC0566152A24525CDE3C9E963257637370FB04DCB |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
Category: | dropped |
Size (bytes): | 35037 |
Entropy (8bit): | 0.46882852126003777 |
Encrypted: | false |
SSDEEP: | 48:kBqoxKAuvScS+1T1t1f1W1yI1yBnytcaRZXExaDldr3cb/:kBqoxKAuvScS+9DhAjOw2Wldrg/ |
MD5: | C7AB3144DBD6F31E51B6BA3D6775A9E3 |
SHA1: | E4FF20612654765E51E5AE6D15C598DE2781EBEC |
SHA-256: | E03D537B7D47DDE288AA5E0E258DFC2AEEB0B830B0C681D59978373FC5508208 |
SHA-512: | 73B7B6C79A95DAC22283F34D0752815F67B8A9F6C6A289B69E370B1E7F5D363A4B6D1B46956DC3BF931608CBC2AE8A47678A5DCA2689A70532EF965550AA43BE |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
Category: | dropped |
Size (bytes): | 35037 |
Entropy (8bit): | 0.4698005102135692 |
Encrypted: | false |
SSDEEP: | 48:kBqoxKAuvScS+/hDqOIOB4UlC/Rxj1dXoIkKe+yyOc:kBqoxKAuvScS+/hDqxQLyTPXoIwc |
MD5: | 32DFB7B6A629E0708D86B3606A57C577 |
SHA1: | 57557B3CA0F8AD2AFAF689A9535B418E215D9F5C |
SHA-256: | AE85778291C2C6AF1A4C3600B3DDB892563F750499854ADD500C2889AEF15694 |
SHA-512: | 76DF9433D1F2CAA2B16601B5CC0B07603265D0699056E618CEC2E360144C47EC807A3B47125905EE495937B32484AFF94F328F4DA954F84D13FFD4D378DD561D |
Malicious: | false |
Static File Info |
---|
General | |
---|---|
Entropy (8bit): | 6.74420793959966 |
File name: | 3b17.dll |
File size: | 621568 |
MD5: | 3b17fcc55cee8cbe4cd1b443f358c36d |
SHA1: | 45d1e652f282a94b37ac32afb62ff563afb2fb39 |
SHA256: | 9ae13bdb906bf774982242a378a20fb25da3e29dd7b5e1acd2531562319edba6 |
SHA512: | 6b299214396c3ea94d01f7211ffed949f4e615c12586d2191b633c12f6d7d2881c01bc2d1b360bf05d15b58c604104e222d7f33297e63c067144de4bf2c5c337 |
SSDEEP: | 12288:DDq7QuHqfYJvHfikOqXr/nQKDEaQVOjTHCmjem/s9IoxAZgv6Hqip969aqnugCSh:/evfijqLvDEJYTiOem/i6lH69/2e6c |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{..\..H\..H\..H.r.IW..H.r.I...H.r.IN..H.k.IS..H.k.IO..H.k.I}..HUbIHM..H\..H...H.h.I]..H.h.I]..H.h%H]..H.h.I]..HRich\..H....... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x104dfd0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x1000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x60CB68D7 [Thu Jun 17 15:23:03 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 3618a66a29eac020b8f3ecc6a1cb392b |
Entrypoint Preview |
---|
The listing below is the MSVC C runtime's DLL entry wrapper (the DLL_PROCESS_ATTACH check followed by the cookie initialisation and the DllMain dispatch call), then the CRT's security-failure stub: SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess with exit code C0000409h (STATUS_STACK_BUFFER_OVERRUN), and the __fastfail path (IsProcessorFeaturePresent(17h), then int 29h with ecx = 2) that falls back to saving the register state for __report_gsfailure. None of the sample's own logic is visible at the entrypoint; the exported functions and the unpacked PEs are where analysis should start. |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007F2508D69687h |
call 00007F2508D69A18h |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007F2508D6952Ah |
add esp, 0Ch |
pop ebp |
retn 000Ch |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [01122160h] |
push dword ptr [ebp+08h] |
call dword ptr [0112215Ch] |
push C0000409h |
call dword ptr [01122164h] |
push eax |
call dword ptr [01122168h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call 00007F2508DA28CCh |
test eax, eax |
je 00007F2508D69687h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [0108C920h], eax |
mov dword ptr [0108C91Ch], ecx |
mov dword ptr [0108C918h], edx |
mov dword ptr [0108C914h], ebx |
mov dword ptr [0108C910h], esi |
mov dword ptr [0108C90Ch], edi |
mov word ptr [0108C938h], ss |
mov word ptr [0108C92Ch], cs |
mov word ptr [0108C908h], ds |
mov word ptr [0108C904h], es |
mov word ptr [0108C900h], fs |
mov word ptr [0108C8FCh], gs |
pushfd |
pop dword ptr [0108C930h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [0108C924h], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [0108C928h], eax |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x8abd0 | 0x7e | .text |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1222a4 | 0xb4 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12c000 | 0xe68 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12d000 | 0x2af4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x91d4 | 0x54 | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9228 | 0x40 | .text |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x122000 | 0x29c | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Note: .data reserves 0x96854 bytes of virtual space but occupies only 0x1a00 bytes in the file, so almost the whole section is zero-filled at load time and available for code or data materialised at run time (the report's Yara hits are on memory dumps and unpacked PEs, not on the file itself). .gfids is marked writable, which a compiler-emitted guard-FIDS table normally is not. |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x89c4e | 0x89e00 | False | 0.646934142679 | data | 6.66431498915 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x8b000 | 0x96854 | 0x1a00 | False | 0.563551682692 | data | 5.65671037078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.idata | 0x122000 | 0x1108 | 0x1200 | False | 0.428602430556 | data | 5.38081725829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.gfids | 0x124000 | 0x71f7 | 0x7200 | False | 0.745922423246 | data | 5.77791689152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x12c000 | 0xe68 | 0x1000 | False | 0.340087890625 | data | 3.21593318356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x12d000 | 0x2af4 | 0x2c00 | False | 0.792702414773 | data | 6.66891196238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
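The two static findings the report makes about this file, "PE file contains an invalid checksum" and the .data section layout above, can be checked on any PE you hold with the following example. It is added here and is neither Joe Sandbox output nor code from the sample. `SAMPLE_SECTIONS` carries the values from the Sections table above; `build_min_pe32` constructs a minimal PE32 DLL (not the analysed file) so the checksum routine has a complete image to run over; the IMAGE_SCN_* bit values are the documented constants; the 8x virtual-to-raw ratio used as the alarm threshold is a choice made for this example.

```python
"""Check two static-PE findings: an IMAGE_OPTIONAL_HEADER.CheckSum that does
not match the file, and a section whose VirtualSize dwarfs its SizeOfRawData.
Added example; the minimal PE below is constructed, SAMPLE_SECTIONS is copied
from the report's Sections table."""
import struct

# Documented IMAGE_SCN_* characteristic bits
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
SCN_MEM_DISCARDABLE, SCN_MEM_EXECUTE = 0x02000000, 0x20000000
SCN_MEM_READ, SCN_MEM_WRITE = 0x40000000, 0x80000000

SAMPLE_SECTIONS = [  # values from the report's Sections table for 3b17.dll
    {"name": ".text", "virtual_size": 0x89c4e, "raw_size": 0x89e00, "characteristics": SCN_MEM_EXECUTE | SCN_CNT_CODE | SCN_MEM_READ},
    {"name": ".data", "virtual_size": 0x96854, "raw_size": 0x1a00, "characteristics": SCN_CNT_INITIALIZED_DATA | SCN_MEM_WRITE | SCN_MEM_READ},
    {"name": ".idata", "virtual_size": 0x1108, "raw_size": 0x1200, "characteristics": SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ},
    {"name": ".gfids", "virtual_size": 0x71f7, "raw_size": 0x7200, "characteristics": SCN_CNT_INITIALIZED_DATA | SCN_MEM_WRITE | SCN_MEM_READ},
    {"name": ".rsrc", "virtual_size": 0xe68, "raw_size": 0x1000, "characteristics": SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ},
    {"name": ".reloc", "virtual_size": 0x2af4, "raw_size": 0x2c00, "characteristics": SCN_CNT_INITIALIZED_DATA | SCN_MEM_DISCARDABLE | SCN_MEM_READ},
]

def _checksum_offset(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 64  # PE signature + COFF header + CheckSum offset inside the optional header

def header_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]

def pe_checksum(data: bytes) -> int:
    """The ones-complement sum imagehlp's CheckSumMappedFile computes, done a
    dword at a time (as pefile does), skipping the CheckSum field itself."""
    skip = _checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF

def set_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(data), value)
    return bytes(buf)

def section_table(data: bytes) -> list:
    """Parse IMAGE_SECTION_HEADER entries into dicts of the fields used here."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    base = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, base + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize, "virtual_address": va,
                    "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars})
    return out

def suspicious_sections(sections: list, ratio: int = 8) -> list:
    """Flag sections that reserve far more memory than they load from disk (room for a
    payload materialised at run time) and sections that are writable and executable."""
    findings = []
    for s in sections:
        if s["raw_size"] and s["virtual_size"] >= ratio * s["raw_size"]:
            findings.append((s["name"], f"virtual size is {s['virtual_size'] // s['raw_size']}x raw size"))
        if s["characteristics"] & SCN_MEM_EXECUTE and s["characteristics"] & SCN_MEM_WRITE:
            findings.append((s["name"], "writable and executable"))
    return findings

def build_min_pe32(checksum: int = 0) -> bytes:
    """Constructed PE32 DLL: a 0x200-byte .text holding 'ret' and a .data that
    reserves 0x40000 bytes but stores 0x200, i.e. the shape flagged above."""
    text, data = b"\xC3".ljust(0x200, b"\0"), b"\0" * 0x200
    sections = [(b".text", len(text), 0x1000, len(text), 0x200, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
                (b".data", 0x40000, 0x2000, len(data), 0x400, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0x60CB68D7, 0, 0, 224, 0x2102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, len(text), len(data), 0, 0x1000, 0x1000, 0x2000, 0x10000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x42000, 0x200, checksum, 2, 0x0140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # 16 empty data directories
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch) for n, vs, va, rs, rp, ch in sections)
    return (dos + coff + opt + hdrs).ljust(0x200, b"\0") + text + data

if __name__ == "__main__":
    pe = build_min_pe32()
    print("header CheckSum:", hex(header_checksum(pe)), "computed:", hex(pe_checksum(pe)))
    print("constructed PE:", suspicious_sections(section_table(pe)))
    print("3b17.dll:", suspicious_sections(SAMPLE_SECTIONS))
```

A zero or stale CheckSum is not malicious on its own (most unsigned third-party binaries ship with one), which is why the report scores it as a weak indicator; the section-size gap is the more useful lead because it tells you where to look in a memory dump.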
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_DIALOG | 0x12c250 | 0xf0 | data | English | United States |
RT_DIALOG | 0x12c340 | 0xe8 | data | English | United States |
RT_DIALOG | 0x12c428 | 0xcc | data | English | United States |
RT_DIALOG | 0x12c4f8 | 0xc4 | data | English | United States |
RT_DIALOG | 0x12c5c0 | 0x140 | data | English | United States |
RT_DIALOG | 0x12c700 | 0xec | data | English | United States |
RT_DIALOG | 0x12c7f0 | 0x142 | data | English | United States |
RT_DIALOG | 0x12c938 | 0x120 | data | English | United States |
RT_DIALOG | 0x12ca58 | 0x144 | data | English | United States |
RT_DIALOG | 0x12cba0 | 0x144 | data | English | United States |
RT_MANIFEST | 0x12cce8 | 0x17d | XML 1.0 document text | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetStdHandle, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadFile, ReadConsoleW, GetFileType, CreateFileW, CloseHandle, WriteConsoleW, GetSystemTimeAsFileTime, GetWindowsDirectoryA, GetSystemDirectoryA, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetStringTypeW, GetProcessHeap, GetTempPathA, VirtualProtect, GetCurrentDirectoryA, SetSystemPowerState, OutputDebugStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetCurrentThread, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, DecodePointer |
USER32.dll | LoadBitmapA, GetWindowLongA, DrawTextA, IsDialogMessageA, GetClassInfoExA, SetWindowTextA, GetIconInfo, SendMessageTimeoutA, DefWindowProcA, CheckDlgButton, ReleaseDC, CallNextHookEx, EnumWindows |
GDI32.dll | SetRectRgn, CreateFontA, AbortDoc, EndDoc, GetStockObject, PtVisible, SetAbortProc, GetPixel, CreateRectRgn, SelectClipRgn, GetTextMetricsA, CombineRgn |
ole32.dll | CoRegisterClassObject, CoRegisterSurrogate, CoUninitialize, CoInitialize |
ADVAPI32.dll | RegOpenKeyExA, OpenServiceA, OpenThreadToken, InitializeSecurityDescriptor, FreeSid, SetSecurityDescriptorDacl, SetEntriesInAclA, RegEnumKeyA, RegCloseKey, StartServiceCtrlDispatcherA, RegOpenKeyA, QueryServiceStatus, RegDeleteKeyA, RegQueryValueExA, AllocateAndInitializeSid, LookupPrivilegeValueA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenSCManagerA, RegCreateKeyExA, DeleteService, RegSetValueExA, OpenProcessToken, GetTokenInformation |
WS2_32.dll | WSACleanup, recv, htonl, htons, recvfrom, getservbyname, ntohs, socket, send, getservbyport, WSAStartup, getprotobynumber, setsockopt |
COMDLG32.dll | GetSaveFileNameA, GetOpenFileNameA |
COMCTL32.dll | ImageList_DragEnter, ImageList_DragShowNolock, ImageList_ReplaceIcon, ImageList_DragMove |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Seasonthing | 1 | 0x104cc20 |
Seatforce | 2 | 0x104c3b0 |
Spaceclose | 3 | 0x104cad0 |
Time | 4 | 0x104c9d0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
07/05/21-16:53:08.812255 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
07/05/21-16:53:08.812255 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
07/05/21-16:53:10.181783 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49723 | 80 | 192.168.2.3 | 165.232.183.49 |
07/05/21-16:53:13.536216 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49728 | 80 | 192.168.2.3 | 165.232.183.49 |
07/05/21-16:53:13.536216 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49728 | 80 | 192.168.2.3 | 165.232.183.49 |
07/05/21-16:53:17.360210 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49733 | 80 | 192.168.2.3 | 165.232.183.49 |
07/05/21-16:53:17.360210 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49733 | 80 | 192.168.2.3 | 165.232.183.49 |
07/05/21-16:53:17.531348 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49734 | 80 | 192.168.2.3 | 165.232.183.49 |
07/05/21-16:53:21.708479 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49736 | 80 | 192.168.2.3 | 165.232.183.49 |
07/05/21-16:53:21.708479 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49736 | 80 | 192.168.2.3 | 165.232.183.49 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 5, 2021 16:53:08.607325077 CEST | 49722 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:08.607326031 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:08.793066025 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:08.793174982 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:08.802515984 CEST | 80 | 49722 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:08.802618027 CEST | 49722 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:08.812254906 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.041553974 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.719300032 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.719336987 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.719362974 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.719382048 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.719403982 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.719458103 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.719484091 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.719497919 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.719510078 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.719531059 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.719551086 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.721137047 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.721170902 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.721195936 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.721203089 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.721221924 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.721237898 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.721275091 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905205965 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905241966 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905265093 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905272007 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905288935 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905294895 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905313969 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905327082 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905337095 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905359030 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905364037 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905386925 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905405045 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905411959 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905433893 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905436993 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905462027 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905463934 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905486107 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.905492067 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905514956 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.905531883 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.906817913 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.906850100 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.906878948 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.906882048 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.906903028 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:09.906903982 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.906929016 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.906949043 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.982459068 CEST | 49723 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:09.982815027 CEST | 49724 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.052690983 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.052727938 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.052748919 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.052767992 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.052772045 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.052831888 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.091197968 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091232061 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091253042 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091265917 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091279030 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091298103 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091310978 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091325045 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091336966 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091351986 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091363907 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.091371059 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091383934 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091396093 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.091413975 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.091461897 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.172796965 CEST | 80 | 49723 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.174853086 CEST | 80 | 49724 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.175024033 CEST | 49723 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.175987959 CEST | 49724 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.181782961 CEST | 49723 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.219580889 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219610929 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219630003 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219650984 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219671011 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219669104 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.219686031 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219705105 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219715118 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.219722986 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219742060 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219758034 CEST | 80 | 49721 | 165.232.183.49 | 192.168.2.3 |
Jul 5, 2021 16:53:10.219760895 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.219784975 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
Jul 5, 2021 16:53:10.219831944 CEST | 49721 | 80 | 192.168.2.3 | 165.232.183.49 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 5, 2021 16:51:48.367106915 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:51:48.421518087 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:51:57.685502052 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:51:57.746710062 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:52:10.821851969 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:52:10.885199070 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:52:11.435316086 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:52:11.502516031 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:52:52.494676113 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:52:52.561688900 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:53:06.716258049 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:53:06.775631905 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:53:08.535655022 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:53:08.589963913 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:53:09.912365913 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:53:09.969793081 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:53:12.396389008 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:53:12.452733994 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:53:13.274960995 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:53:13.332395077 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:53:17.103620052 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:53:17.160681963 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:53:17.287802935 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:53:17.335887909 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Jul 5, 2021 16:53:21.436383009 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 5, 2021 16:53:21.498718977 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jul 5, 2021 16:53:08.535655022 CEST | 192.168.2.3 | 8.8.8.8 | 0x6f30 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:09.912365913 CEST | 192.168.2.3 | 8.8.8.8 | 0x7236 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:13.274960995 CEST | 192.168.2.3 | 8.8.8.8 | 0xb70f | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:17.103620052 CEST | 192.168.2.3 | 8.8.8.8 | 0x3765 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:17.287802935 CEST | 192.168.2.3 | 8.8.8.8 | 0x509f | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:21.436383009 CEST | 192.168.2.3 | 8.8.8.8 | 0x856d | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jul 5, 2021 16:52:10.885199070 CEST | 8.8.8.8 | 192.168.2.3 | 0xd1d4 | No error (0) | | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001) |
Jul 5, 2021 16:53:08.589963913 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f30 | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:09.969793081 CEST | 8.8.8.8 | 192.168.2.3 | 0x7236 | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:13.332395077 CEST | 8.8.8.8 | 192.168.2.3 | 0xb70f | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:17.160681963 CEST | 8.8.8.8 | 192.168.2.3 | 0x3765 | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:17.335887909 CEST | 8.8.8.8 | 192.168.2.3 | 0x509f | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:21.498718977 CEST | 8.8.8.8 | 192.168.2.3 | 0x856d | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49721 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jul 5, 2021 16:53:08.812254906 CEST | 1174 | OUT | |
Jul 5, 2021 16:53:09.719300032 CEST | 1175 | IN | |