Windows Analysis Report LzbZ4T1iV8.exe
Overview
General Information
Detection
GuLoader Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: GuLoader |
---|
{"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Yara detected Remcos RAT |
Source: | File source: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | URLs: |
Uses dynamic DNS services |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Installs a global keyboard hook |
Source: | Windows user hook set: |
E-Banking Fraud: |
---|
Yara detected Remcos RAT |
Source: | File source: |
Source: | Process Stats: |
Source: | Code function: | ||
Source: | Static PE information: | ||
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Section loaded: |
Source: | Key opened: |
Source: | File read: | Jump to behavior | ||
Source: | Virustotal: | ||
Source: | Process created: | ||
Data Obfuscation: |
---|
Yara detected GuLoader |
Source: | File source: |
Source: | Code function: | ||
Source: | Static PE information: |
Source: | Process information set: | ||
Malware Analysis System Evasion: |
---|
Contains functionality to detect hardware virtualization (CPUID execution measurement) |
Source: | Code function: | ||
Detected RDTSC dummy instruction sequence (likely for instruction hammering) |
Source: | RDTSC instruction interceptor: | ||
Tries to detect Any.run |
Source: | File opened: | ||
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: | ||
Tries to detect virtualization through RDTSC time measurements |
Source: | RDTSC instruction interceptor: | ||
Source: | Code function: |
Source: | Window / User API: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | Binary or memory string: | ||
Source: | System information queried: |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: | ||
Source: | Process queried: | ||
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Code function: |
Stealing of Sensitive Information: |
---|
GuLoader behavior detected |
Source: | Signature Results: |
Yara detected Remcos RAT |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Remcos RAT |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Masquerading1 | Input Capture11 | Security Software Discovery621 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion23 | LSASS Memory | Virtualization/Sandbox Evasion23 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol212 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery312 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 18% | Virustotal | | Browse |
| 18% | ReversingLabs | Win32.Trojan.Vebzenpak | |
| 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 1% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
wealthyrem.ddns.net | 194.5.97.128 | true | true | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
194.5.97.128 | wealthyrem.ddns.net | Netherlands | | 208476 | DANILENKODE | true |
101.99.94.119 | unknown | Malaysia | | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 458125 |
Start date: | 02.08.2021 |
Start time: | 21:16:24 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 11m 17s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | LzbZ4T1iV8.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Suspected Instruction Hammering Hide Perf |
Number of analysed new started processes analysed: | 29 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/1@1/2 |
EGA Information: | Failed |
HDC Information: |
HCA Information: | Failed |
Cookbook Comments: |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
194.5.97.128 | Get hash | malicious | Browse | ||
101.99.94.119 | Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
wealthyrem.ddns.net | Get hash | malicious | Browse |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | Get hash | malicious | Browse |
DANILENKODE | Get hash | malicious | Browse |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\LzbZ4T1iV8.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 148 |
Entropy (8bit): | 3.3453987070874214 |
Encrypted: | false |
SSDEEP: | 3:rklKlmvNcWKlRNU5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIazlbU5YcIeeDAlybW/G |
MD5: | 526F50323013D504471A1ACE38B89693 |
SHA1: | 1D2CB4B5DADA7C1036CDBB57F350F2F318E5DBDF |
SHA-256: | ACD440D4CB49505D3F6479A3BA54F12C5D5071D28F38A5038A98EBEFC7F1C987 |
SHA-512: | 6F97E249C67F013EEF04E73C5A46E99EAD1FF8231E8FB2337E7CEFFD386BE4AE21DFEBC13C7CDF2680A884E431E08DF43621B1F51D9ACAD7A9CBCAA3946877E0 |
Malicious: | false |
Reputation: | low |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.659892921422715 |
TrID: |
File name: | LzbZ4T1iV8.exe |
File size: | 114688 |
MD5: | 41e1bc9de5f3b61639fb88143e933ff8 |
SHA1: | 432531c5a0f7f82b8ec10e7f3fde1b51ebd3d0e8 |
SHA256: | d32cf33f8f64824f799ca44e9988ddc517e88db1235f93792d3ed2ddaa48e35f |
SHA512: | 75135a1977450f914d77247938987ee40b45443ebb187ff7b7a2b1c83f9b1f32744b0ccdefecc7df20ec4be01543bac216fc56de8fbf18448625140c1b4264fe |
SSDEEP: | 1536:rI3BiEocy06WRx+Hfzae+8S6JxdQC+gz6DN1QmiPYlmcy06W++eI3B:rEvBD2C6byC+g6NzlVB++ |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....TU.................@..........D........P....@................ |
File Icon |
---|
Icon Hash: | 352d25253517a525 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x401144 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x555407E7 [Thu May 14 02:26:47 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 5565993a5a9f2bfb76f28ab304be6bc1 |
Entrypoint Preview |
---|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b74 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x5b9e | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x7c | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x13df4 | 0x14000 | False | 0.652099609375 | data | 7.08169017725 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x15000 | 0x115c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x17000 | 0x5b9e | 0x6000 | False | 0.545817057292 | data | 6.02928789817 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1bcf6 | 0xea8 | data | ||
RT_ICON | 0x1b44e | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 3457162792, next used block 3459124259 | ||
RT_ICON | 0x1aee6 | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x1893e | 0x25a8 | data | ||
RT_ICON | 0x17896 | 0x10a8 | data | ||
RT_ICON | 0x1742e | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x173d4 | 0x5a | data | ||
RT_VERSION | 0x171e0 | 0x1f4 | data | Chinese | Taiwan |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0404 0x04b0 |
ProductVersion | 1.00 |
InternalName | GYMNOSPERMAE |
FileVersion | 1.00 |
OriginalFilename | GYMNOSPERMAE.exe |
ProductName | COMANAGE |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | Taiwan |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 2, 2021 21:20:12.082305908 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082351923 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082366943 CEST | 49766 | 80 | 192.168.2.4 | 101.99.94.119 |
Aug 2, 2021 21:20:12.082396030 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082431078 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082448959 CEST | 49766 | 80 | 192.168.2.4 | 101.99.94.119 |
Aug 2, 2021 21:20:12.082468033 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082504034 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082519054 CEST | 49766 | 80 | 192.168.2.4 | 101.99.94.119 |
Aug 2, 2021 21:20:12.082537889 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082575083 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082577944 CEST | 49766 | 80 | 192.168.2.4 | 101.99.94.119 |
Aug 2, 2021 21:20:12.082609892 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082634926 CEST | 49766 | 80 | 192.168.2.4 | 101.99.94.119 |
Aug 2, 2021 21:20:12.082655907 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082696915 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082730055 CEST | 49766 | 80 | 192.168.2.4 | 101.99.94.119 |
Aug 2, 2021 21:20:12.082731962 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.082849026 CEST | 49766 | 80 | 192.168.2.4 | 101.99.94.119 |
Aug 2, 2021 21:20:12.131598949 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.131665945 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.131710052 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.131747961 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
Aug 2, 2021 21:20:12.131787062 CEST | 80 | 49766 | 101.99.94.119 | 192.168.2.4 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 2, 2021 21:20:14.137607098 CEST | 192.168.2.4 | 8.8.8.8 | 0xacf | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 2, 2021 21:20:14.180700064 CEST | 8.8.8.8 | 192.168.2.4 | 0xacf | No error (0) | | | 194.5.97.128 | A (IP address) | IN (0x0001) |
Aug 2, 2021 21:21:56.208565950 CEST | 8.8.8.8 | 192.168.2.4 | 0xdf4d | No error (0) | | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49766 | 101.99.94.119 | 80 | C:\Users\user\Desktop\LzbZ4T1iV8.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Aug 2, 2021 21:20:11.882945061 CEST | 6581 | OUT | |
Aug 2, 2021 21:20:11.932694912 CEST | 6582 | IN | |