Windows Analysis Report Fec9qUX4at.exe
Overview
General Information
Detection
GuLoader Remcos
Property | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates autostart registry keys with suspicious values (likely registry only malware)
Deletes itself after installation
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: GuLoader |
---|
{"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Suspicious Script Execution From Temp Folder | Author: Florian Roth, Max Altgelt |
Sigma detected: WScript or CScript Dropper | Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community |
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for dropped file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Yara detected Remcos RAT |
Source: | File source: |
Machine Learning detection for dropped file |
Source: | Joe Sandbox ML: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | URLs: |
Uses dynamic DNS services |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Installs a global keyboard hook |
Source: | Windows user hook set: |
Source: | Binary or memory string: |
E-Banking Fraud: |
---|
Yara detected Remcos RAT |
Source: | File source: |
System Summary: |
---|
Source: | Process Stats: |
Source: | Code function: | ||
Source: | Static PE information: | ||
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | Process created: |
Source: | Static PE information: |
Source: | Section loaded: |
Source: | File read: |
Source: | Key opened: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Key value queried: |
Data Obfuscation: |
---|
Yara detected GuLoader |
Source: | File source: |
Source: | Code function: |
Source: | Static PE information: | ||
Source: | File created: |
Boot Survival: |
---|
Creates autostart registry keys with suspicious values (likely registry only malware) |
Source: | Registry value created or modified: |
Hooking and other Techniques for Hiding and Protection: |
---|
Deletes itself after installation |
Source: | File deleted: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Contains functionality to detect hardware virtualization (CPUID execution measurement) |
Source: | Code function: |
Detected RDTSC dummy instruction sequence (likely for instruction hammering) |
Source: | RDTSC instruction interceptor: |
Tries to detect Any.run |
Source: | File opened: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: |
Tries to detect virtualization through RDTSC time measurements |
Source: | RDTSC instruction interceptor: |
Source: | Code function: |
Source: | Window found: |
Source: | Binary or memory string: | ||
Source: | System information queried: |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: |
Source: | Process queried: | ||
Source: | Code function: |
Source: | Process created: | ||
Source: | Binary or memory string: | ||
Source: | Key value queried: |
Stealing of Sensitive Information: |
---|
GuLoader behavior detected |
Source: | Signature Results: |
Yara detected Remcos RAT |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Remcos RAT |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting11 | Registry Run Keys / Startup Folder11 | Process Injection12 | Masquerading1 | Input Capture111 | Query Registry1 | Remote Services | Input Capture111 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder11 | Virtualization/Sandbox Evasion21 | LSASS Memory | Security Software Discovery721 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting11 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol212 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion1 | DCSync | System Information Discovery33 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 29% | Virustotal | | |
| 13% | ReversingLabs | Win32.Trojan.Vebzenpak | |
| 100% | Joe Sandbox ML | | |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
| 29% | Virustotal | | |
| 13% | ReversingLabs | Win32.Trojan.Vebzenpak | |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
wealthyrem.ddns.net | 194.5.97.128 | true | true | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
194.5.97.128 | wealthyrem.ddns.net | Netherlands | | 208476 | DANILENKODE | true |
101.99.94.119 | unknown | Malaysia | | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 458355 |
Start date: | 03.08.2021 |
Start time: | 09:49:14 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 0s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Fec9qUX4at.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Suspected Instruction Hammering Hide Perf |
Number of analysed new started processes analysed: | 41 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@5/4@1/2 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
09:51:07 | Autostart | |
09:51:16 | Autostart |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
194.5.97.128 | | | malicious | | |
101.99.94.119 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
wealthyrem.ddns.net | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
DANILENKODE | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\Fec9qUX4at.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 114688 |
Entropy (8bit): | 6.638949072783339 |
Encrypted: | false |
SSDEEP: | 1536:BUS3/zw2m3c39SYeXvmgU2sIMflWub4cL51tY4SQmiPYElZ943ckw2mUS3/:BT/zM3c3bcBsIMfQuDaSZS3ckYT/ |
MD5: | 2046B941817392E3815535FCCB1F39DC |
SHA1: | 843D243A71131BAF9FBE0FCF4BA129F51EE74C8F |
SHA-256: | C0D3DA1CEFD1A979C8B8CE102FD5D3FF090779F72F4D1098EB383CBBB3480BEE |
SHA-512: | ECF0B711C41619DCF9073F1CD4C769CC106B04AAEC40881FC11CBF8686989DA512A9C2EE2683A90B99DDDB1F4A762CF4DF512663519BC9035BBC6D0FD90F9571 |
Malicious: | true |
Reputation: | low |
Process: | C:\Users\user\Desktop\Fec9qUX4at.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 119 |
Entropy (8bit): | 5.094609879657231 |
Encrypted: | false |
SSDEEP: | 3:jfF+m8nhvF3mRDWXp5cViE2J5xAIzkiw9igECHM:jFqhv9IWXp+N23ffiijl |
MD5: | 1198AD996993F1C8082084F3CD83DD3C |
SHA1: | A841D5A9CA764F8C58EC10FF368C6BD1637E8929 |
SHA-256: | 59227CBFDE96895E1D019A879F7155EF36FE091AB03BEA825C51D9A8A625D6F2 |
SHA-512: | AB29D0F0FEB1D196E2218958495B39A327CBA2F921EFAB0EA2C09C8E2D42EF2692021A282EC2987E3998369C1876A083933C37FDC50B3C4A0C769513953FAF13 |
Malicious: | true |
Reputation: | low |
Process: | C:\Users\user\Desktop\Fec9qUX4at.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 468 |
Entropy (8bit): | 3.5093499207031558 |
Encrypted: | false |
SSDEEP: | 12:xQ4lA2++ugypjBQMPURF3Sbx34Q3Dk3Sbx349Hz/0aimi:7a2+SDTzQTkz9Aait |
MD5: | 903888A33CC9516D5548F046C7D902EC |
SHA1: | D654ADD97768AB9E06A2AC428090BE3E2F0512F6 |
SHA-256: | 75E4262158D66A77E7496606D466EA6CF1333BCE20D429F1E066A2935FD77F0A |
SHA-512: | B6BED5DEF33123948A338F1AA65D5D69505487FEF121524C575708894699B0D17A1AA4D3F7C6D1F89CB9730A28C9F20292A5E714F3F2CE2E9D515EB763B45751 |
Malicious: | true |
Reputation: | low |
Process: | C:\Users\user\Desktop\Fec9qUX4at.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 148 |
Entropy (8bit): | 3.353136862680169 |
Encrypted: | false |
SSDEEP: | 3:rklKlmuHlKfUFqlDl5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIuFK8Fql55YcIeeDAlybW/G |
MD5: | 23B5A5F0892EDE3E544D530B672DB71C |
SHA1: | 675F67E5EF80E1868950B6362B54BF367DDA258E |
SHA-256: | 64A5071CE344184BECC0650D8D6432E0CB0271BAF633BDA82E337D736B13EB01 |
SHA-512: | 03369524C6F224DEA70E9CDEE92DFD71214E6C3B99EC4FE0B09A7F3D69A4F30D67CC6FB2DA9ECA4ED4A4C7572B8E96131321B9B73AE767491BDE4F4CB045C46F |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.638949072783339 |
TrID: |
File name: | Fec9qUX4at.exe |
File size: | 114688 |
MD5: | 2046b941817392e3815535fccb1f39dc |
SHA1: | 843d243a71131baf9fbe0fcf4ba129f51ee74c8f |
SHA256: | c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee |
SHA512: | ecf0b711c41619dcf9073f1cd4c769cc106b04aaec40881fc11cbf8686989da512a9c2ee2683a90b99dddb1f4a762cf4df512663519bc9035bbc6d0fd90f9571 |
SSDEEP: | 1536:BUS3/zw2m3c39SYeXvmgU2sIMflWub4cL51tY4SQmiPYElZ943ckw2mUS3/:BT/zM3c3bcBsIMfQuDaSZS3ckYT/ |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....(.U.................@..........D........P....@................ |
File Icon |
---|
Icon Hash: | d5d5959595959595 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x401144 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x558D28E4 [Fri Jun 26 10:26:44 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 5565993a5a9f2bfb76f28ab304be6bc1 |
Entrypoint Preview |
---|
Instruction |
---|
push 00406B44h |
call 00007F9040EB35D5h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
inc eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add ch, dh |
pop ss |
clc |
pop edx |
push B944FDC7h |
mov ebx, 52105E67h |
cmp edx, dword ptr [eax] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add dword ptr [eax], eax |
add byte ptr [eax], al |
inc edx |
add byte ptr [esi], al |
push eax |
add dword ptr [ecx], 53h |
inc ebp |
inc ebx |
inc ebp |
push ebx |
push ebx |
dec ecx |
dec edi |
dec esi |
inc ecx |
dec esp |
dec ecx |
push ebx |
push esp |
add byte ptr [ebx], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
dec esp |
xor dword ptr [eax], eax |
pop es |
jo 00007F9040EB3614h |
inc edx |
sub cl, ah |
imul eax, dword ptr [eax+41h], 81h |
or bl, byte ptr [ebx-03CA9598h] |
mov esi, 05B7FAFFh |
or dl, byte ptr [ebp-48h] |
inc esi |
mov cl, 74h |
and dword ptr [ecx], ecx |
jbe 00007F9040EB356Ah |
jnle 00007F9040EB35F1h |
cmp cl, byte ptr [edi-53h] |
xor ebx, dword ptr [ecx-48EE309Ah] |
or al, 00h |
stosb |
add byte ptr [eax-2Dh], ah |
xchg eax, ebx |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
push esp |
pop ecx |
add byte ptr [eax], al |
sub al, 58h |
add byte ptr [eax], al |
add byte ptr [ecx], dl |
add byte ptr [ebx+4Bh], dl |
push edx |
dec ebp |
dec ecx |
dec esi |
inc esp |
inc esp |
inc ebp |
dec esp |
dec ecx |
dec esi |
inc edi |
inc ebp |
push edx |
dec esi |
inc ebp |
add byte ptr [00000001h], cl |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b64 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x5b92 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x7c | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x13de4 | 0x14000 | False | 0.648803710938 | data | 7.05513425915 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x15000 | 0x115c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x17000 | 0x5b92 | 0x6000 | False | 0.545776367188 | data | 6.0293757353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1bcea | 0xea8 | data | ||
RT_ICON | 0x1b442 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 532795385, next used block 536862194 | ||
RT_ICON | 0x1aeda | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x18932 | 0x25a8 | data | ||
RT_ICON | 0x1788a | 0x10a8 | data | ||
RT_ICON | 0x17422 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x173c8 | 0x5a | data | ||
RT_VERSION | 0x171e0 | 0x1e8 | data | Chinese | Taiwan |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0404 0x04b0 |
ProductVersion | 1.00 |
InternalName | CLUBWOMAN |
FileVersion | 1.00 |
OriginalFilename | CLUBWOMAN.exe |
ProductName | REFOUNDING |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | Taiwan |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 3, 2021 09:52:03.800883055 CEST | 192.168.2.3 | 8.8.8.8 | 0xdf97 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 3, 2021 09:52:03.835515976 CEST | 8.8.8.8 | 192.168.2.3 | 0xdf97 | No error (0) | | | 194.5.97.128 | A (IP address) | IN (0x0001) |
Aug 3, 2021 09:54:54.508253098 CEST | 8.8.8.8 | 192.168.2.3 | 0xf46a | No error (0) | | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001) |
Aug 3, 2021 09:57:25.151722908 CEST | 8.8.8.8 | 192.168.2.3 | 0xd836 | No error (0) | | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49732 | 101.99.94.119 | 80 | C:\Users\user\Desktop\Fec9qUX4at.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Aug 3, 2021 09:52:02.600111008 CEST | 7678 | OUT | |
Aug 3, 2021 09:52:02.647567034 CEST | 7679 | IN |