Windows Analysis Report 3a94.dll
Overview
General Information
Detection
Ursnif
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Hooks registry keys query functions (used to hide registry keys)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Suspicious powershell command line found
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Ursnif |
---|
{"lang_id": "RU, CN", "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "PNJeXnLTijShJqmR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Rule | Author |
---|---|
Sigma detected: Encoded IEX | Florian Roth |
Sigma detected: MSHTA Spawning Windows Shell | Michael Haag |
Sigma detected: Mshta Spawning Windows Shell | Florian Roth |
Sigma detected: Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration | Source: Malware Configuration Extractor |
Multi AV Scanner detection for submitted file | Source: ReversingLabs |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif |
E-Banking Fraud: |
---|
Yara detected Ursnif |
System Summary: |
---|
Writes registry values via WMI |
Data Obfuscation: |
---|
Suspicious powershell command line found |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif |
Hooks registry keys query functions (used to hide registry keys) | Source: IAT, EAT, inline or SSDT hook detected |
Modifies the export address table of user mode modules (user mode EAT hooks) | Source: IAT of a user mode module has changed |
Modifies the import address table of user mode modules (user mode IAT hooks) | Source: EAT of a user mode module has changed |
Modifies the prolog of user mode functions (user mode inline hooks) | Source: User mode code has changed |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection12 | Deobfuscate/Decode Files or Information1 | Credential API Hooking3 | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1 |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information2 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Email Collection1 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Command and Scripting Interpreter1 | Logon Script (Windows) | Logon Script (Windows) | Rootkit4 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Credential API Hooking3 | Automated Exfiltration | Non-Application Layer Protocol4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | PowerShell1 | Logon Script (Mac) | Logon Script (Mac) | Masquerading1 | NTDS | System Information Discovery45 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol4 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion21 | LSA Secrets | Security Software Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection12 | Cached Domain Credentials | Virtualization/Sandbox Evasion21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | Process Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 6% | Metadefender | |
| 69% | ReversingLabs | Win32.Trojan.Midie |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 100% | Avira | HEUR/AGEN.1108168 |
| 100% | Avira | HEUR/AGEN.1108168 |
| 100% | Avira | HEUR/AGEN.1108168 |
| 100% | Avira | HEUR/AGEN.1108168 |
| 100% | Avira | HEUR/AGEN.1108168 |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
gtr.antoinfer.com | 165.232.183.49 | true | true | unknown | |
resolver1.opendns.com | 208.67.222.222 | true | false | high | |
todo.faroin.at | 165.232.183.49 | true | true | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
165.232.183.49 | gtr.antoinfer.com | United States | | 22255 | ALLEGHENYHEALTHNETWORKUS | true |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 444316 |
Start date: | 05.07.2021 |
Start time: | 16:50:20 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 50s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 3a94.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 31 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winDLL@24/16@7/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
16:52:17 | API Interceptor | |
16:53:08 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Detection | Associated samples |
---|---|---|
165.232.183.49 | malicious | 2 |
Domains |
---|
Match | Detection | Associated samples |
---|---|---|
resolver1.opendns.com | malicious | 20 |
gtr.antoinfer.com | malicious | 2 |
ASN |
---|
Match | Detection | Associated samples |
---|---|---|
ALLEGHENYHEALTHNETWORKUS | malicious | 19 |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 72360 |
Entropy (8bit): | 2.100864962810027 |
Encrypted: | false |
SSDEEP: | 192:rFZOZ92JLW/tAflxM6+HKkMN9VfOqhGfiWGzMGWiGrpGeG7xzt:rLa0Jiluo6+AN9tSHmm1m |
MD5: | 317F0A36C770F6DE16BF5981B51C5D15 |
SHA1: | BF0CE97F5B36315AE8B4D734A42DBD339F96CCA8 |
SHA-256: | 2D7D550080AD16AF04A5CC5BF68B729F9730371174C7E84FEF8A00F54DF0A695 |
SHA-512: | 7FFC3FFD628BA208B161BC72F71290971E8E0BAEAC72AAAEB8331773836435BE584C94A8EF4362B5BD6770354E4754D6A3815C88BD4234F455D064EC9F406144 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28120 |
Entropy (8bit): | 1.9095750288955466 |
Encrypted: | false |
SSDEEP: | 96:r8ZPQ+6kBSIzjR2MqWuMv+lqt/1itCgpr:r8ZPQ+6kkIzjR2MqWuMv+lqR1iZr |
MD5: | 5EDD21BA1C8AF437F843240FF522681C |
SHA1: | E8A998A143D74959F8DCBBBE9DBA74B0D4D9D9BC |
SHA-256: | 298E60E3FB5ABFA79D5E0DB72F08BA43D6C7982A1FB0B3FF5FF139653F05541C |
SHA-512: | 0D85CAB259DE2F5AECFAFEAD469CD4FB8119B846F110E90C4E113B4A3190C918B2B780C6C4A143D00A1D75B4BD3E1BA7178690605EEEA8BE36705639E1E011BA |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28172 |
Entropy (8bit): | 1.9263177932111364 |
Encrypted: | false |
SSDEEP: | 192:rFZyQd6zkdzjJ2QqWJMw+t3z7cubRl3zwz7cubhYA:rLfI4d/YQpSwa3zwuv3zwzwut7 |
MD5: | E90FF1B86959F97D97684E87AB3F7817 |
SHA1: | 85B587F1F1FA7EE7B82C850D8256BF8E7E215201 |
SHA-256: | E051DEEA1BAE06F68B74C780D73E504B2F6696273CDDFF34614E0027C8A8D099 |
SHA-512: | CD592CD3E5319397AD3F2D1018295AC8E4EB0A36F20A11270A46BE51E095F98DC6E8F5CA139EC395A1012831332F0E4E7FF72E3D86F37B1557E7CE349E153BA8 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28140 |
Entropy (8bit): | 1.9175696715482693 |
Encrypted: | false |
SSDEEP: | 96:rNZeQu6wBS5zjx2IqWfMB+NhjpdHlhmEsjpTn4A:rNZeQu6wk5zjx2IqWfMB+N1Tlgxn4A |
MD5: | 0F48B7FD8CA90F110E8BEF7E4682EBD5 |
SHA1: | C8FAA577FB9EF645C505FAB36F4AFDE27EF6561A |
SHA-256: | 9409DEC02170C770DD4E0F50A6E4C6AFC146D32BBFA25037A66B8464A79CB687 |
SHA-512: | 795A4DF8C75FACFD475CE798BA74A09F4DF26C13E8CFBFB36E804E718E6A8384A024992B1F40C633E24AB262620184B1FD2AAA6B22179FB8DBCA9BCB91AADD7C |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 2456 |
Entropy (8bit): | 5.97847634324252 |
Encrypted: | false |
SSDEEP: | 48:MlibnPXXpF+lCn4XkIonzd8MTpIZMLaxaOwDRiAShsB:AqPXXpv40Ionzd8rWaoOEiB6 |
MD5: | CA69CFFD97933BDB9C98DEEDCFF5CF74 |
SHA1: | 2E5BBAFE5ECFB6CEAF52AD34D42BF1119E9942E9 |
SHA-256: | 9B3C39A568F5156A5144643614466E11961C83AFF2B4E8CECFEE07954C811556 |
SHA-512: | 95F9DE72CBC5622CE6F2738793AFF2EAB0F721CEAE0CB5877BFE570EB069243C82F45D45877F8054B8726E7803F4DA7D318B47E9BD683262DBBEA67615407374 |
Malicious: | false |
IE Cache URL: | http://gtr.antoinfer.com/TqiKTzAsbmeVPNQuTP2qUWh/hVxtTSY3Yi/llcJ7qkCpZzGG2TVm/waTVAbLoSME8/MiGLgEPqC5C/QMacbN7bi5gg4i/EPDpjwjNeqvxB8nx8goUN/7UScKdA3erCdyZnr/M1mYt7N44_2BCZB/z_2BQHKBZE3I76X4pk/LLUxigZ_2/FKtPJihoxkrQplteHpxJ/SQ5O5MOBE3EqfyedXsa/WMc6NwZF0braqCo_2FtHND/MeZCuTIpsRPeP/oRY2gUKx/_2BWnIG4Butzcab_2F67iqF/5L_2FfljiF/BmcXquDrczHDDG7sB/8E2Nz3hVUHpI/Iejf3l0Gse2/15LRCzp_2Bw/0DMy |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 258240 |
Entropy (8bit): | 5.999817357934779 |
Encrypted: | false |
SSDEEP: | 6144:i/d/ybCg2dciObr8mv4iQRV9JGAO/KZpAeXoIXQUkuySb39kC:i/3+UHiQyPKPPgZabtF |
MD5: | DFB6898B5C07756E927BC079F55B7EF7 |
SHA1: | 4972812015301D42C9E890801EA36BA4C7838AEB |
SHA-256: | 46BF96945DD89AD3C83CF46973B6CD50E48C2F7C004443C99A3AE81FA0722AA4 |
SHA-512: | F49798EACD58002F08F9056CB5B80D3FFFFCAB40F11914D64285603C0FB0D959898C46881C878D0B3DC8C60E4DBE017AAA50F2F0C9F92F7A216BED8D2D7241CF |
Malicious: | false |
IE Cache URL: | http://gtr.antoinfer.com/OQ_2BTgG7j/q3X1MGdBBGa9_2B2m/1G0QfKWqT4Al/JC4ZC0WOm7j/4CP941a6dpq6AY/NxMuCeGanwp5x6mxFdtm_/2BQQ_2BZBXUS0UsE/so7pu77WVpSX0kE/e_2FC7i8m9HUadv_2F/jHuYwYKPu/BKlyw96_2B2HnlpmSd5G/KHfN8q_2FZUhddmueVc/VN22bVsSXOc1F2H2TTIYic/FU2T3AQj_2Bf0/Yc7WUnV_/2FNtnojv1lJnCN4_2B2aG1E/ZT_2F8RuAw/TC3tCpega8r1SAjDV/0ZScgJdMygUO/w95b0xrv2QT/DGrWX40QWt0tWT/QGDiJ9RLs/CJ |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 328564 |
Entropy (8bit): | 5.999819521741829 |
Encrypted: | false |
SSDEEP: | 6144:yZcMvk11XnvwsyToGLCwu0dpjRfCwzVPJAoDaqX7FWy+tpqx2:xMvk11XvwPToGLCQpjRKwJPJba8FW9tZ |
MD5: | D65D2161F47805CD422863ED419644B3 |
SHA1: | 3AC0BB2B2C0BAFC14E77C3566063BAE0F89019F0 |
SHA-256: | 8E542AD3CCF2E42E398B6F6CDE96009D2D04EC3FEC657D2914ABAAA089B52DC5 |
SHA-512: | 71B6E1D8FD7069DC3D87AFED992BB82752F2CA9F5FBCE804BBB31FDBA4FE3D9AF7C21FA1214781077A4399A95714CE322B4A93ACD63F66895B0B3487F532A643 |
Malicious: | false |
IE Cache URL: | http://gtr.antoinfer.com/HXJGZh1qBjYM0G/CMDVQercp7WT9ydNTkT_2/BA1T_2BoFtrG_2Bw/Wj8IRI6jThedYoW/YXdrjvBKs_2BWTN1jd/cRVlgWa0o/p1MOk_2BLI89mWlaMirs/Gdw7n3bR8ORjIY_2Fx6/NYz_2BwvSm9u2x0DN_2BOH/Ni1nKLSa9JhBd/ZE9joS5j/ehlmvjX_2FlxlUw7sENHL6w/CDmAOpgIB5/uqJKH_2B5K5P34v5C/Q_2BbSOhpl7C/1na6SsW0l2M/cy_2FPqMdKquM4/T1TrxnsCco2huo0cd5MLY/0H3wDM7jB_2F837m/FO_2FMxSAhLyD6r/IIFbv4aVX2Mk_2FOSl/48WQx68DGUnQj/_2BFfob |
Preview: | |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | modified |
Size (bytes): | 89 |
Entropy (8bit): | 4.412554678800314 |
Encrypted: | false |
SSDEEP: | 3:oVXU3KfGLJLFp498JOGXnE3KfGLJLFU7n:o9UaSwqEaSS7 |
MD5: | 8D36A22121E23FEE0C6FF967FABC7C9F |
SHA1: | 6AB24AD3A5B5A1C3297935FD884D16607D338AB2 |
SHA-256: | AC2BF550E697374F1FFF169091935EA0395783571E1111A06F56356FEBDAD232 |
SHA-512: | BE7BA4CC152B1A7774EDE9D9050BB3B250BCE6202B1B966CACE74069C15302958D9EE38852F7CECA9F231DF6165B172848BA3D13018C3AF525DF850E72E50278 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40153 |
Entropy (8bit): | 0.6721295915726995 |
Encrypted: | false |
SSDEEP: | 96:kBqoxKAuvScS+mg6Tgphjpd76hjpdJhjpdq:kBqoxKAuqR+mg6Tgp1f61l12 |
MD5: | 3B12C53F64AA9AAE48FA99DD462323F8 |
SHA1: | CEF166B313DBD447B0308D56BFF0374D73F2597B |
SHA-256: | C2DE96C4F6609F6F923AB649EDF844F622041AEBE946955765ABE8CE01785973 |
SHA-512: | 089EDD5B67E551892DF6A8217EC6897D32607B525DF21758CF53D6C47EA2FF4289BEC2F7AB1BEF6DCE26A3ED4753D2D30D522496BDC002562AC6A384D3C21A20 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13413 |
Entropy (8bit): | 0.7018055925052197 |
Encrypted: | false |
SSDEEP: | 24:c9lLh9lLh9lIn9lIn9loV9lo19lWaXY2h2JiB2J+7X+5eD++5:kBqoIeAk6QF5 |
MD5: | 52553F46F1704934835C4DE6178D3F4F |
SHA1: | 43BFB35935B24475E8D4132F993216662BF9DE1E |
SHA-256: | EFBCB3C5FF7742544DE80FD9C5FFC2D1FFF227E66B3369A0BD08EC9B8A19F334 |
SHA-512: | 3C5C2D89C29F519ADB6CC8E16AD963919A6CF7ADFCE6C8B043D6A39EBEE2931738AE0E0E8F671408A100C7F011ECB5381B563653AD9D783A096CE2028613BE52 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40105 |
Entropy (8bit): | 0.6629620622757341 |
Encrypted: | false |
SSDEEP: | 48:kBqoxKAuvScS+CkuHLIL5Rbh6gikRbh6gi3Rbh6giI:kBqoxKAuvScS+CkuH0dqtkqt3qtI |
MD5: | 8B952EFE3F14FC91C368F04033DC6004 |
SHA1: | 12EC1BCB176427B5917FDB39E5FF45D30353AADD |
SHA-256: | 72F0393157A67239BE9761E5AD53D75431586E85E49731F12B9E3FB7D426C8C7 |
SHA-512: | 24C94D2B87B327680B8689869CB28EA35F643E78D267A93D89D2DF7E691E5EF924CEDCA6DD2E9373E2EA1A8F70C8F3F366D437581E1CF68FFA139694F320F077 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40217 |
Entropy (8bit): | 0.6834448918036513 |
Encrypted: | false |
SSDEEP: | 192:kBqoxKAuqR+rl3elc3z7cubL3z7cubU3z7cubx:kBqoxKAuqR+rl3elc3zwuf3zwuA3zwud |
MD5: | A141120014A3CB3DFECBD9C51AE5C4EB |
SHA1: | 2E4F94F1A901450679304FAF45771B82E93B199B |
SHA-256: | 5642AF0321783222BB59495161A237C5ECD2A5DDAE5BA20B863355949166DC46 |
SHA-512: | 173B0BBCDB8F135401BBCB3168A1A49CA80FDED3D6C7870584AC49F947B43B1B6F130A99E6BFB535AE4D7F2137D75564112AB98C5E6964600DC8BF92C6363D12 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 978 |
Entropy (8bit): | 5.470798394117449 |
Encrypted: | false |
SSDEEP: | 24:BxSAEDvBBSx2DOXUWOLCHGIYBtBCWAHjeTKKjX4CIym1ZJXaOLCHGIYBtBW:BZgv/SoORFeVAqDYB1ZkFeW |
MD5: | 9C17BF4AA0CD21F8D4434FBE9C6F00E9 |
SHA1: | A1489267FD0728C1392D6A9ACD41AE0DFBE2ACC8 |
SHA-256: | 1622DCA0170692A643AD3B4CDBED0747FD041A2DED958E5ABB17A9EEF86B7100 |
SHA-512: | 137F9F29206E2A35C8FE80E05C5ACF6F58FEE1AE0E136212DEABC99A288AA36BE0D009B3F15F1C3610936E2A22D375B3ADFE507EFC886BEEC3DFD2F4707BDDC1 |
Malicious: | false |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.7442139076304946 |
TrID: | |
File name: | 3a94.dll |
File size: | 621568 |
MD5: | 3a943173c6de419b7078e88c20997838 |
SHA1: | 56567824c6b5c62112a74daa7a1a66e2ec0505d3 |
SHA256: | af98c908f45b6b7893b8cc3121517488c94a93d015af71cd86f8269a971a8836 |
SHA512: | 801f8f86158c23a44499fc8c5364cb6353a44fba09015d118341e1bd07a568fe4c2fe4b93ca691bb45b41b5f6ee2a6f73d7ffbfde3eb9cd7293295ffc530693c |
SSDEEP: | 12288:DDq7QuHqfYJvHfikOqXr/nQKDEaKVOjTHCmjem/s9IoxAZgv6Hqip969aqnugCSh:/evfijqLvDEfYTiOem/i6lH69/2e6c |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{..\..H\..H\..H.r.IW..H.r.I...H.r.IN..H.k.IS..H.k.IO..H.k.I}..HUbIHM..H\..H...H.h.I]..H.h.I]..H.h%H]..H.h.I]..HRich\..H....... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x104dfd0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x1000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x60CB68D7 [Thu Jun 17 15:23:03 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 3618a66a29eac020b8f3ecc6a1cb392b |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007F7060AE2B57h |
call 00007F7060AE2EE8h |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007F7060AE29FAh |
add esp, 0Ch |
pop ebp |
retn 000Ch |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [01122160h] |
push dword ptr [ebp+08h] |
call dword ptr [0112215Ch] |
push C0000409h |
call dword ptr [01122164h] |
push eax |
call dword ptr [01122168h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call 00007F7060B1BD9Ch |
test eax, eax |
je 00007F7060AE2B57h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [0108C920h], eax |
mov dword ptr [0108C91Ch], ecx |
mov dword ptr [0108C918h], edx |
mov dword ptr [0108C914h], ebx |
mov dword ptr [0108C910h], esi |
mov dword ptr [0108C90Ch], edi |
mov word ptr [0108C938h], ss |
mov word ptr [0108C92Ch], cs |
mov word ptr [0108C908h], ds |
mov word ptr [0108C904h], es |
mov word ptr [0108C900h], fs |
mov word ptr [0108C8FCh], gs |
pushfd |
pop dword ptr [0108C930h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [0108C924h], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [0108C928h], eax |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x8abd0 | 0x7e | .text |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1222a4 | 0xb4 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12c000 | 0xe68 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12d000 | 0x2af4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x91d4 | 0x54 | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9228 | 0x40 | .text |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x122000 | 0x29c | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x89c4e | 0x89e00 | False | 0.646935913418 | data | 6.66432444049 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x8b000 | 0x96854 | 0x1a00 | False | 0.563551682692 | data | 5.65671037078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.idata | 0x122000 | 0x1108 | 0x1200 | False | 0.428602430556 | data | 5.38081725829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.gfids | 0x124000 | 0x71f7 | 0x7200 | False | 0.745922423246 | data | 5.77791689152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x12c000 | 0xe68 | 0x1000 | False | 0.340087890625 | data | 3.21593318356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x12d000 | 0x2af4 | 0x2c00 | False | 0.792702414773 | data | 6.66891196238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_DIALOG | 0x12c250 | 0xf0 | data | English | United States |
RT_DIALOG | 0x12c340 | 0xe8 | data | English | United States |
RT_DIALOG | 0x12c428 | 0xcc | data | English | United States |
RT_DIALOG | 0x12c4f8 | 0xc4 | data | English | United States |
RT_DIALOG | 0x12c5c0 | 0x140 | data | English | United States |
RT_DIALOG | 0x12c700 | 0xec | data | English | United States |
RT_DIALOG | 0x12c7f0 | 0x142 | data | English | United States |
RT_DIALOG | 0x12c938 | 0x120 | data | English | United States |
RT_DIALOG | 0x12ca58 | 0x144 | data | English | United States |
RT_DIALOG | 0x12cba0 | 0x144 | data | English | United States |
RT_MANIFEST | 0x12cce8 | 0x17d | XML 1.0 document text | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetStdHandle, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadFile, ReadConsoleW, GetFileType, CreateFileW, CloseHandle, WriteConsoleW, GetSystemTimeAsFileTime, GetWindowsDirectoryA, GetSystemDirectoryA, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetStringTypeW, GetProcessHeap, GetTempPathA, VirtualProtect, GetCurrentDirectoryA, SetSystemPowerState, OutputDebugStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetCurrentThread, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, DecodePointer |
USER32.dll | LoadBitmapA, GetWindowLongA, DrawTextA, IsDialogMessageA, GetClassInfoExA, SetWindowTextA, GetIconInfo, SendMessageTimeoutA, DefWindowProcA, CheckDlgButton, ReleaseDC, CallNextHookEx, EnumWindows |
GDI32.dll | SetRectRgn, CreateFontA, AbortDoc, EndDoc, GetStockObject, PtVisible, SetAbortProc, GetPixel, CreateRectRgn, SelectClipRgn, GetTextMetricsA, CombineRgn |
ole32.dll | CoRegisterClassObject, CoRegisterSurrogate, CoUninitialize, CoInitialize |
ADVAPI32.dll | RegOpenKeyExA, OpenServiceA, OpenThreadToken, InitializeSecurityDescriptor, FreeSid, SetSecurityDescriptorDacl, SetEntriesInAclA, RegEnumKeyA, RegCloseKey, StartServiceCtrlDispatcherA, RegOpenKeyA, QueryServiceStatus, RegDeleteKeyA, RegQueryValueExA, AllocateAndInitializeSid, LookupPrivilegeValueA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenSCManagerA, RegCreateKeyExA, DeleteService, RegSetValueExA, OpenProcessToken, GetTokenInformation |
WS2_32.dll | WSACleanup, recv, htonl, htons, recvfrom, getservbyname, ntohs, socket, send, getservbyport, WSAStartup, getprotobynumber, setsockopt |
COMDLG32.dll | GetSaveFileNameA, GetOpenFileNameA |
COMCTL32.dll | ImageList_DragEnter, ImageList_DragShowNolock, ImageList_ReplaceIcon, ImageList_DragMove |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Seasonthing | 1 | 0x104cc20 |
Seatforce | 2 | 0x104c3b0 |
Spaceclose | 3 | 0x104cad0 |
Time | 4 | 0x104c9d0 |
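Worked example (added here; it is not part of the sandbox report). The values from the General, Sections and Exports tables above are embedded as constants and run through a small static-triage script: it decodes the TimeDateStamp, maps the entry point and the four exports to the section that contains them, and flags writable sections whose VirtualSize far exceeds their raw size on disk. The thresholds that decide what gets flagged are the example's own assumptions, not values from the report.

```python
"""Static triage of the numbers in the report's 'Static PE Info' tables.

Added example: this is not the sandbox's code. The constants are copied
from the page's General, Sections and Exports tables for 3a94.dll so the
checks run offline; the thresholds that decide whether a section is
flagged are assumptions chosen for this example, not values from the report.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

IMAGE_BASE = 0x1000000
ENTRY_POINT = 0x104DFD0          # VA as printed in the report; RVA = VA - IMAGE_BASE
TIME_STAMP = 0x60CB68D7          # IMAGE_FILE_HEADER.TimeDateStamp

# (name, virtual address, virtual size, raw size, characteristics)
SECTIONS = [
    (".text",  0x1000,   0x89C4E, 0x89E00, {"EXECUTE", "CODE", "READ"}),
    (".data",  0x8B000,  0x96854, 0x1A00,  {"INITIALIZED_DATA", "WRITE", "READ"}),
    (".idata", 0x122000, 0x1108,  0x1200,  {"INITIALIZED_DATA", "READ"}),
    (".gfids", 0x124000, 0x71F7,  0x7200,  {"INITIALIZED_DATA", "WRITE", "READ"}),
    (".rsrc",  0x12C000, 0xE68,   0x1000,  {"INITIALIZED_DATA", "READ"}),
    (".reloc", 0x12D000, 0x2AF4,  0x2C00,  {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
]

# Exported names and the addresses the report lists for them.
EXPORTS = {
    "Seasonthing": 0x104CC20,
    "Seatforce": 0x104C3B0,
    "Spaceclose": 0x104CAD0,
    "Time": 0x104C9D0,
}


def decode_timestamp(stamp: int) -> str:
    """Render TimeDateStamp (seconds since the Unix epoch) as a UTC string."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def section_for_va(va: int) -> Optional[str]:
    """Name the section whose virtual range contains the given VA, if any."""
    rva = va - IMAGE_BASE
    for name, vaddr, vsize, _raw, _chars in SECTIONS:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def suspicious_sections(min_ratio: float = 4.0, min_slack: int = 0x10000) -> List[Dict[str, object]]:
    """Flag writable sections that map far more memory than they hold on disk.

    The loader zero-fills the gap between raw size and virtual size, which
    gives unpacking code a ready-made RW buffer. Legitimate binaries with
    large uninitialized globals look the same, so this is a lead, not a
    verdict. Ratio and slack thresholds are assumptions.
    """
    flagged = []
    for name, _vaddr, vsize, raw, chars in SECTIONS:
        slack = vsize - raw
        ratio = vsize / raw if raw else float("inf")
        if "WRITE" in chars and ratio >= min_ratio and slack >= min_slack:
            flagged.append({"section": name, "ratio": round(ratio, 1), "slack": slack})
    return flagged


def export_sections() -> Dict[str, Optional[str]]:
    """Locate each export; loader entry points should sit in executable code."""
    return {name: section_for_va(va) for name, va in EXPORTS.items()}


if __name__ == "__main__":
    print("compiled:", decode_timestamp(TIME_STAMP))
    print("entry point section:", section_for_va(ENTRY_POINT))
    print("oversized writable sections:", suspicious_sections())
    print("export sections:", export_sections())
```

Run as-is, the script confirms the table's timestamp decoding (2021-06-17 15:23:03 UTC), places the entry point and all four exports in .text, and flags only .data: 0x96854 bytes mapped against 0x1a00 on disk, roughly 0x95000 bytes of zero-filled writable memory. That shape is common in loaders that unpack their real payload in memory, but large uninitialized globals in ordinary code produce the same numbers, so treat it as a lead to be confirmed by the dynamic findings rather than as a verdict on its own.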
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
07/05/21-16:52:45.440840 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
07/05/21-16:52:45.440840 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
07/05/21-16:52:49.870626 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49720 | 80 | 192.168.2.5 | 165.232.183.49 |
07/05/21-16:52:49.870626 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49720 | 80 | 192.168.2.5 | 165.232.183.49 |
07/05/21-16:52:56.212973 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49722 | 80 | 192.168.2.5 | 165.232.183.49 |
07/05/21-16:52:56.212973 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49722 | 80 | 192.168.2.5 | 165.232.183.49 |
07/05/21-16:53:33.216042 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49730 | 80 | 192.168.2.5 | 165.232.183.49 |
07/05/21-16:53:33.216042 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49730 | 80 | 192.168.2.5 | 165.232.183.49 |
07/05/21-16:53:35.638649 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49734 | 80 | 192.168.2.5 | 165.232.183.49 |
07/05/21-16:53:35.638649 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49734 | 80 | 192.168.2.5 | 165.232.183.49 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 5, 2021 16:52:45.222950935 CEST | 49718 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:45.222971916 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:45.417839050 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:45.417974949 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:45.421730995 CEST | 80 | 49718 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:45.422086000 CEST | 49718 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:45.440840006 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:45.681216002 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.348056078 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.348079920 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.348092079 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.348104000 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.348114967 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.348126888 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.348334074 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.349365950 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.349381924 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.349400043 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.349416971 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.349562883 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.542063951 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542104959 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542124033 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542146921 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542170048 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542191029 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542217016 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542232037 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.542246103 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542265892 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542278051 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.542285919 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542308092 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542326927 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.542329073 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.542366028 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.542402029 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.543889999 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.543920994 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.543945074 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.543966055 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.543992996 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.544050932 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.679311037 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.679361105 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.679398060 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.679399014 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.679438114 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.679438114 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.679445028 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.679542065 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738343000 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738400936 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738439083 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738477945 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738497019 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738527060 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738540888 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738563061 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738575935 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738584995 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738617897 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738656044 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738686085 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738692999 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738707066 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738732100 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738746881 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738769054 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738796949 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738816023 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738817930 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738847971 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.738867998 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.738897085 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845165968 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845199108 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845217943 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845235109 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845262051 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845279932 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845283985 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845304966 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845312119 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845326900 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845333099 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845350981 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845357895 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845371962 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845379114 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845393896 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845396042 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845418930 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845432997 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845454931 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845475912 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845477104 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845496893 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
Jul 5, 2021 16:52:46.845504999 CEST | 49717 | 80 | 192.168.2.5 | 165.232.183.49 |
Jul 5, 2021 16:52:46.845518112 CEST | 80 | 49717 | 165.232.183.49 | 192.168.2.5 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 5, 2021 16:51:01.270546913 CEST | 54302 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:01.331867933 CEST | 53 | 54302 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:01.667979956 CEST | 53784 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:01.699053049 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:01.714598894 CEST | 53 | 53784 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:01.771838903 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:01.874958038 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:01.924457073 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:02.543602943 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:02.590671062 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:02.913222075 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:02.968780041 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:03.848957062 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:03.908797026 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:04.064733982 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:04.112849951 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:05.693032026 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:05.743191957 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:07.313222885 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:07.363517046 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:08.972419024 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:09.018774033 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:46.663105965 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:46.734730959 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:47.465989113 CEST | 59736 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:47.466183901 CEST | 51058 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:47.466260910 CEST | 52636 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:51:47.517407894 CEST | 53 | 51058 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:47.522593021 CEST | 53 | 52636 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:51:47.522607088 CEST | 53 | 59736 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:17.521701097 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:17.585300922 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:18.815195084 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:18.870431900 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:18.996411085 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:19.051346064 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:20.333875895 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:20.383717060 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:21.265124083 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:21.312719107 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:22.149463892 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:22.195453882 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:43.393448114 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:43.450041056 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:44.827162027 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:45.206682920 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:49.596513987 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:49.654650927 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:52:55.675700903 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:52:56.007304907 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:00.252906084 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:00.311598063 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:07.856597900 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:07.915098906 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:13.344187021 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:13.398883104 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:14.337613106 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:14.386691093 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:15.353210926 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:15.408344984 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:17.372457981 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:17.421937943 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:21.384587049 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:21.431808949 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:32.439990997 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:32.490406990 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:32.693692923 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:33.031008959 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:33.528201103 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:33.600061893 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:34.146548986 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:34.205434084 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:34.465586901 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:34.538265944 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5 |
Jul 5, 2021 16:53:35.383435965 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 5, 2021 16:53:35.439306021 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jul 5, 2021 16:52:44.827162027 CEST | 192.168.2.5 | 8.8.8.8 | 0xf2f9 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:52:49.596513987 CEST | 192.168.2.5 | 8.8.8.8 | 0xdae5 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:52:55.675700903 CEST | 192.168.2.5 | 8.8.8.8 | 0x76c2 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:32.439990997 CEST | 192.168.2.5 | 8.8.8.8 | 0xd2c6 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:32.693692923 CEST | 192.168.2.5 | 8.8.8.8 | 0x43c5 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:34.146548986 CEST | 192.168.2.5 | 8.8.8.8 | 0x7a98 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:35.383435965 CEST | 192.168.2.5 | 8.8.8.8 | 0x1cc4 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jul 5, 2021 16:52:45.206682920 CEST | 8.8.8.8 | 192.168.2.5 | 0xf2f9 | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:52:49.654650927 CEST | 8.8.8.8 | 192.168.2.5 | 0xdae5 | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:52:56.007304907 CEST | 8.8.8.8 | 192.168.2.5 | 0x76c2 | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:32.490406990 CEST | 8.8.8.8 | 192.168.2.5 | 0xd2c6 | No error (0) | | | 208.67.222.222 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:33.031008959 CEST | 8.8.8.8 | 192.168.2.5 | 0x43c5 | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:34.205434084 CEST | 8.8.8.8 | 192.168.2.5 | 0x7a98 | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
Jul 5, 2021 16:53:35.439306021 CEST | 8.8.8.8 | 192.168.2.5 | 0x1cc4 | No error (0) | | | 165.232.183.49 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.5 | 49717 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jul 5, 2021 16:52:45.440840006 CEST | 1627 | OUT | |
Jul 5, 2021 16:52:46.348056078 CEST | 1628 | IN |