Windows Analysis Report kGSHiWbgq9.exe
Overview
General Information
Detection
GuLoader Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: GuLoader |
---|
{"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Yara detected Remcos RAT |
Source: | File source: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | URLs: |
Uses dynamic DNS services |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Installs a global keyboard hook |
Source: | Windows user hook set: |
E-Banking Fraud: |
---|
Yara detected Remcos RAT |
Source: | File source: |
Source: | Process Stats: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Section loaded: |
Source: | Key opened: |
Source: | File read: |
Source: | Virustotal: |
Source: | Process created: |
Data Obfuscation: |
---|
Yara detected GuLoader |
Source: | File source: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Contains functionality to detect hardware virtualization (CPUID execution measurement) |
Source: | Code function: |
Detected RDTSC dummy instruction sequence (likely for instruction hammering) |
Source: | RDTSC instruction interceptor: |
Tries to detect Any.run |
Source: | File opened: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: |
Tries to detect virtualization through RDTSC time measurements |
Source: | RDTSC instruction interceptor: |
Source: | Code function: |
Source: | Window / User API: |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | Binary or memory string: |
Source: | System information queried: |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: |
Source: | Process queried: |
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: |
Stealing of Sensitive Information: |
---|
GuLoader behavior detected |
Source: | Signature Results: |
Yara detected Remcos RAT |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Remcos RAT |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Masquerading1 | Input Capture11 | Security Software Discovery621 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion23 | LSASS Memory | Virtualization/Sandbox Evasion23 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol212 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery32 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 22% | Virustotal | |
| 9% | ReversingLabs | Win32.Trojan.Vebzenpak |
| 100% | Joe Sandbox ML | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 0% | Avira URL Cloud | safe |
| 0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
wealthyrem.ddns.net | 194.5.97.128 | true | true | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
194.5.97.128 | wealthyrem.ddns.net | Netherlands | 208476 | DANILENKODE | true |
101.99.94.119 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 457930 |
Start date: | 02.08.2021 |
Start time: | 15:15:06 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 12m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | kGSHiWbgq9.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Suspected Instruction Hammering Hide Perf |
Number of analysed new started processes analysed: | 32 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/1@1/2 |
EGA Information: | Failed |
HDC Information: |
HCA Information: | Failed |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Context |
---|---|---|---|---|
194.5.97.128 | | | malicious | |
101.99.94.119 | | | malicious | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Context |
---|---|---|---|---|
wealthyrem.ddns.net | | | malicious | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Context |
---|---|---|---|---|
DANILENKODE | | | malicious | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\kGSHiWbgq9.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 148 |
Entropy (8bit): | 3.3487110381392666 |
Encrypted: | false |
SSDEEP: | 3:rklKlmvNBlfOlTfab5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIL8Rab5YcIeeDAlybW/G |
MD5: | 76573E45A0665F7B4EA43FCFAC539A41 |
SHA1: | 4DD46EEC1D9DC9E981C0D4CF4248B1E98D1BFD90 |
SHA-256: | 386A19E3AA88261E634D5DCBCD189211762BDCBB6C33ED74E67B259F1214748E |
SHA-512: | 2D21A84DC0D0AF7C315A6A616A6CD5D53EC99F6FA8259408101169D995642B258976259B70B363591F8FEB65E107E75DA8D2FA6D84E0EFC23FEA3D8856BEBBBA |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.650522833717378 |
TrID: |
File name: | kGSHiWbgq9.exe |
File size: | 114688 |
MD5: | 27bf14807bc9d5cd2d823293f43c3a3a |
SHA1: | 08eeed11867aa351be0d6c48da283721ee6c0769 |
SHA256: | 55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a |
SHA512: | c2bcd733a0bfd1b9e56b630e4fae6a45951a843946a389f8987c48a3b047ca9b9f74a5a01afc7d7589f156691220e474553229f485b6de4f902db566a6a0d245 |
SSDEEP: | 1536:EAPGkc1ug6GUMu+Yg2WGI5XZ4QmiPYefCGk4H:X2bUMEWfXZiea |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......K.................@..........D........P....@................ |
File Icon |
---|
Icon Hash: | a5b595a595a5a5b5 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x401144 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x4B801CC3 [Sat Feb 20 17:32:51 2010 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 5565993a5a9f2bfb76f28ab304be6bc1 |
Entrypoint Preview |
---|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b74 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x5b96 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x7c | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x13df4 | 0x14000 | False | 0.649157714844 | data | 7.07266809617 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x15000 | 0x115c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x17000 | 0x5b96 | 0x6000 | False | 0.545694986979 | data | 6.03179178254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1bcee | 0xea8 | data | ||
RT_ICON | 0x1b446 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 1334943657, next used block 1336905122 | ||
RT_ICON | 0x1aede | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x18936 | 0x25a8 | data | ||
RT_ICON | 0x1788e | 0x10a8 | data | ||
RT_ICON | 0x17426 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x173cc | 0x5a | data | ||
RT_VERSION | 0x171e0 | 0x1ec | data | Chinese | Taiwan |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0404 0x04b0 |
ProductVersion | 1.00 |
InternalName | PAAKLDENDE |
FileVersion | 1.00 |
OriginalFilename | PAAKLDENDE.exe |
ProductName | CAMPHOUR |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | Taiwan |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Aug 2, 2021 15:17:47.520170927 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520195007 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520216942 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520240068 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520262957 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520283937 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520308018 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520329952 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520355940 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520379066 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 15:17:47.520397902 CEST | 80 | 49758 | 101.99.94.119 | 192.168.2.4 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 2, 2021 15:15:48.615036011 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:15:48.642694950 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:15:49.469579935 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:15:49.506714106 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:15:49.614150047 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:15:49.638915062 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:15:50.817020893 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:15:50.852533102 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:15:51.977631092 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:15:52.003667116 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:15:53.560806990 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:15:53.585360050 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:15:54.237910032 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:15:54.273222923 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:00.731826067 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:00.760391951 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:01.466253996 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:01.494025946 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:02.502438068 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:02.530064106 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:05.477528095 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:05.503992081 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:06.188730001 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:06.213670015 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:07.164069891 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:07.191531897 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:08.279195070 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:08.307786942 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:09.184331894 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:09.209460020 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:14.136224031 CEST | 53157 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:14.163957119 CEST | 53 | 53157 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:15.007100105 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:15.039376974 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:16.033565044 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:16.060931921 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:18.747334957 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:18.774888039 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:21.603003025 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:21.644934893 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:41.079384089 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:41.116955996 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:47.369030952 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:47.409276009 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:48.311381102 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:48.449517012 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:49.167481899 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:49.195369959 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:49.488337994 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:49.522317886 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:49.966597080 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:50.001882076 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:50.460689068 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:50.494363070 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:50.686021090 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:50.726197958 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:50.950455904 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:50.983105898 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:51.757920027 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:51.782411098 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:52.497798920 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:52.534377098 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:16:53.086787939 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:16:53.119651079 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:17:10.970607996 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:17:11.005824089 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:17:15.650224924 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:17:15.685762882 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:17:19.217799902 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:17:19.263786077 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:17:48.299998045 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:17:48.334119081 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:20:41.980040073 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:20:42.004930019 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:20:42.479918957 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:20:42.524019957 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:20:46.058964968 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:20:46.099714041 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:20:50.367840052 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:20:50.417256117 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:20:51.634783030 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:20:51.690402985 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4 |
Aug 2, 2021 15:22:49.935353041 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 2, 2021 15:22:49.975924969 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 2, 2021 15:17:48.299998045 CEST | 192.168.2.4 | 8.8.8.8 | 0xe5e6 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 2, 2021 15:16:14.163957119 CEST | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.standard.a-msedge.net | CNAME (Canonical name) | IN (0x0001) | ||
Aug 2, 2021 15:17:48.334119081 CEST | 8.8.8.8 | 192.168.2.4 | 0xe5e6 | No error (0) | 194.5.97.128 | A (IP address) | IN (0x0001) | ||
Aug 2, 2021 15:20:42.004930019 CEST | 8.8.8.8 | 192.168.2.4 | 0x2953 | No error (0) | www.tm.a.prd.aadg.trafficmanager.net | CNAME (Canonical name) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49758 | 101.99.94.119 | 80 | C:\Users\user\Desktop\kGSHiWbgq9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Aug 2, 2021 15:17:47.258838892 CEST | 8762 | OUT | |
Aug 2, 2021 15:17:47.311050892 CEST | 8763 | IN |