Windows Analysis Report LRios3pM39
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for domain / URL | Show sources |
Source: | Virustotal: | Perma Link |
Multi AV Scanner detection for dropped file | Show sources |
Source: | Virustotal: | Perma Link |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: |
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: |
Source: | Dropped File: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: |
Persistence and Installation Behavior: |
---|
Creates processes via WMI | Show sources |
Source: | WMI Queries: |
Source: | File created: | Jump to dropped file |
Source: | Process information set: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Thread sleep time: |
Source: | Last function: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Process created: |
Source: | Code function: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation11 | Path Interception | Process Injection11 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection11 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
22% | Virustotal | Browse | ||
57% | ReversingLabs | Win32.Trojan.Wacatac |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
14% | Virustotal | Browse | ||
15% | ReversingLabs | Win32.Trojan.Generic |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
google.vrthcobj.com | 34.97.69.225 | true | true |
| unknown |
a.goatgame.co | 172.67.146.70 | true | false |
| unknown |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.67.146.70 | a.goatgame.co | United States | 13335 | CLOUDFLARENETUS | false |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 458972 |
Start date: | 03.08.2021 |
Start time: | 23:29:15 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 53s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | LRios3pM39 (renamed file extension from none to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.winEXE@5/2@3/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
23:30:08 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
172.67.146.70 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
google.vrthcobj.com | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
a.goatgame.co | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ce5f3254611a8c095a3d821d44539877 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Dropped Files |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\LRios3pM39.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 578665 |
Entropy (8bit): | 7.9654565999316835 |
Encrypted: | false |
SSDEEP: | 12288:811ticqWIMMXa2ad3KNjU++VUYgokNxcg8aVg1gKtY7SQOO:YPeBaRKNjFklalbVygKtY7xx |
MD5: | 9C6F0C8D94B0B9761A327548F56F6256 |
SHA1: | E8BB880A2A8B8F40509CDE71F56F1D02CD58E03E |
SHA-256: | 4706A707EDEB1B676C1C396345729DCA100F1FBEAF660DAAEA442C69403DB0D3 |
SHA-512: | 47E2A5BD6D8866CD86A0F5E38C913601092C28D0FB9CBF564C4D16C25918818E96CC303651EA7D3511716567B3E4785942FB567ACD7DB766975A53587F2DCCEE |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\LRios3pM39.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 81408 |
Entropy (8bit): | 6.295064838876099 |
Encrypted: | false |
SSDEEP: | 1536:jkOh0YR+kfbE+2AJk64OceTbkS9Co5sWzcdSzEdY+wJpxpbcNop//:jkcjHY+fJhPN9H2SIdY+wJpxpQ8// |
MD5: | 05250AA12AD3C6A86DAB6DAB708D17FF |
SHA1: | E41AD72C9A43070BB11FD7411800F71DDDF6BDD8 |
SHA-256: | 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD |
SHA-512: | A56DF11AF5243150753154E1CBA74E3CDD0CDECF09269B88A3944AC12B73DE59909CE6DBBBD3B1B6DA691D144FAC2599645B2017F66BAC64A106437168EC38C8 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: | |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 4.579085192120164 |
TrID: |
|
File name: | LRios3pM39.exe |
File size: | 57344 |
MD5: | bbd9c29060936aa812c2b8aefb14258c |
SHA1: | 6fea71fbb8f46179942b99101c5b66e6801d43e6 |
SHA256: | 469e5cd00ef10c7cdc37c647e0beca77e233ed11a5f34df087277a7ff3584a72 |
SHA512: | 80d101a71f3d074be3053420158ed0d100dde722e77c6cfbbe0e462e1e5b6038e31efdb304d749b393e45de0e87dae957e39179acb9becdc609f7e0a23977ee3 |
SSDEEP: | 768:PQR+JJlY3yGJxNojkTnJI6TWzzejkZy/xbD9BxufhqXKCljb9:TAoITdT0Zy5bZXYmljb9 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../Q..N?..N?..N?.CF`..N?..l4..N?.NR1..N?..h4..N?..h5..N?.NFb..N?..N>..N?..m...N?.Rich.N?.........PE..L....E.a.................p. |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40267e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x610745F4 [Mon Aug 2 01:10:12 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 2cdeda7a0aa27475a825e9c41d4d95f0 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 00408150h |
push 00403E38h |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
sub esp, 10h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
call dword ptr [00408050h] |
xor edx, edx |
mov dl, ah |
mov dword ptr [0040CF70h], edx |
mov ecx, eax |
and ecx, 000000FFh |
mov dword ptr [0040CF6Ch], ecx |
shl ecx, 08h |
add ecx, edx |
mov dword ptr [0040CF68h], ecx |
shr eax, 10h |
mov dword ptr [0040CF64h], eax |
push 00000001h |
call 00007F7EE483BFCBh |
pop ecx |
test eax, eax |
jne 00007F7EE483A8DAh |
push 0000001Ch |
call 00007F7EE483A980h |
pop ecx |
call 00007F7EE483B433h |
test eax, eax |
jne 00007F7EE483A8DAh |
push 00000010h |
call 00007F7EE483A96Fh |
pop ecx |
and dword ptr [ebp-04h], 00000000h |
call 00007F7EE483BC73h |
call dword ptr [0040804Ch] |
mov dword ptr [0040D658h], eax |
call 00007F7EE483BB31h |
mov dword ptr [0040CF54h], eax |
call 00007F7EE483B8DAh |
call 00007F7EE483B81Ch |
call 00007F7EE483B57Fh |
mov eax, dword ptr [0040CF80h] |
mov dword ptr [0040CF84h], eax |
push eax |
push dword ptr [0040CF78h] |
push dword ptr [0040CF74h] |
call 00007F7EE483A3A2h |
add esp, 0Ch |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8af0 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x3d4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x150 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6ba7 | 0x7000 | False | 0.592808314732 | data | 6.44090698985 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1186 | 0x2000 | False | 0.27001953125 | data | 3.62785728692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x365c | 0x3000 | False | 0.0802408854167 | data | 0.841200769543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0xe000 | 0x1000 | 0x1000 | False | 0.111083984375 | data | 1.09363315293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0xe058 | 0x37c | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetProcAddress, LoadLibraryA, lstrlenW, InterlockedDecrement, CloseHandle, WriteFile, CreateFileW, lstrcatW, GetModuleFileNameW, RaiseException, LocalFree, lstrlenA, InterlockedIncrement, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, RtlUnwind, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, HeapSize |
USER32.dll | wsprintfW |
ole32.dll | CoInitializeSecurity, CoUninitialize, CoInitialize, CoCreateInstance, CoSetProxyBlanket |
OLEAUT32.dll | VariantInit, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayUnaccessData, SysStringLen, SysAllocStringLen, SysAllocString, VariantClear, SysFreeString, GetErrorInfo |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright (C) 1995-2018 VanDyke Software, Inc. |
InternalName | License Helper |
FileVersion | 8.5.0.1740 |
CompanyName | VanDyke Software, Inc. |
Comments | \$Revision: 122570 \$ |
ProductName | License Helper |
ProductVersion | 8.5.0.1740 |
FileDescription | License Helper |
OriginalFilename | LicenseHelper.exe |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
08/03/21-23:30:25.906443 | UDP | 1948 | DNS zone transfer UDP | 61523 | 53 | 192.168.2.4 | 34.97.69.225 |
08/03/21-23:30:32.336214 | UDP | 1948 | DNS zone transfer UDP | 61523 | 53 | 192.168.2.4 | 34.97.69.225 |
08/03/21-23:30:45.138738 | UDP | 1948 | DNS zone transfer UDP | 61523 | 53 | 192.168.2.4 | 34.97.69.225 |
08/03/21-23:30:52.389943 | UDP | 1948 | DNS zone transfer UDP | 61523 | 53 | 192.168.2.4 | 34.97.69.225 |
08/03/21-23:30:58.627455 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.4 | 34.97.69.225 | ||
08/03/21-23:30:59.347406 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.4 | 34.97.69.225 | ||
08/03/21-23:31:00.428363 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.4 | 34.97.69.225 | ||
08/03/21-23:31:02.050949 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.4 | 34.97.69.225 | ||
08/03/21-23:31:03.007850 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.4 | 34.97.69.225 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 3, 2021 23:30:05.307374001 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:05.324290037 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.324474096 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:05.328849077 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:05.345643997 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.349910975 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.349936008 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.349947929 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.350028992 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:05.357999086 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:05.374893904 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.376185894 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.426561117 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:05.440557003 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:05.457418919 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.991862059 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.991976023 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.992001057 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.992023945 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.992038965 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.992060900 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.992082119 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.992108107 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.992130995 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.992340088 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:05.993311882 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.993371964 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.993395090 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.993412971 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.993432999 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:05.993781090 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.248852968 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.248888969 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.248912096 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.248923063 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.248992920 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.249017954 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.249033928 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.249066114 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.249093056 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.249475956 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.249505997 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.249528885 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.249551058 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.249566078 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.249712944 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.250284910 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.250382900 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.250983953 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251009941 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251044035 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251059055 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251091003 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.251127958 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.251254082 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251276970 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251291037 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251358986 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.251729965 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251754999 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251775026 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251796007 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.251820087 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.251868963 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.252494097 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.252566099 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.252583027 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.252636909 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.252655983 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.252774000 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.252796888 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.252819061 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.252834082 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.252882957 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.252896070 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.253429890 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.301661968 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.504026890 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504053116 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504065037 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504071951 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504200935 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.504245043 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504261971 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504272938 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504334927 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.504657984 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504673958 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504744053 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.504981995 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.504996061 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.505039930 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.505115032 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.505132914 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.505148888 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.505165100 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.505214930 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.505250931 CEST | 49739 | 443 | 192.168.2.4 | 172.67.146.70 |
Aug 3, 2021 23:30:06.505769014 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
Aug 3, 2021 23:30:06.505808115 CEST | 443 | 49739 | 172.67.146.70 | 192.168.2.4 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 3, 2021 23:29:55.561557055 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:29:55.590217113 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:29:56.562306881 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:29:56.594803095 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:29:57.433166981 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:29:57.468291998 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:29:58.369524002 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:29:58.403479099 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:29:59.030754089 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:29:59.055938005 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:00.170743942 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:00.206274033 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:00.866367102 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:00.901896000 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:01.905112028 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:01.933101892 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:02.607628107 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:02.632546902 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:03.644952059 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:03.675741911 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:04.500962973 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:04.533834934 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:05.245203018 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:05.253396034 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:05.280611992 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:05.290131092 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:06.291057110 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:06.316445112 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:07.023241043 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:07.055711985 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:08.034720898 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:08.070385933 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:08.872760057 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:08.907968044 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:09.665730953 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:09.698440075 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:10.310719013 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:10.346422911 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:13.649374962 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:13.650245905 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Aug 3, 2021 23:30:13.678105116 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Aug 3, 2021 23:30:13.681931973 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 3, 2021 23:30:05.253396034 CEST | 192.168.2.4 | 8.8.8.8 | 0x2608 | Standard query (0) | A (IP address) | IN (0x0001) | |
Aug 3, 2021 23:30:13.649374962 CEST | 192.168.2.4 | 8.8.8.8 | 0x59c6 | Standard query (0) | A (IP address) | IN (0x0001) | |
Aug 3, 2021 23:30:13.650245905 CEST | 192.168.2.4 | 8.8.8.8 | 0x7714 | Standard query (0) | 28 | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 3, 2021 23:30:05.290131092 CEST | 8.8.8.8 | 192.168.2.4 | 0x2608 | No error (0) | 172.67.146.70 | A (IP address) | IN (0x0001) | ||
Aug 3, 2021 23:30:05.290131092 CEST | 8.8.8.8 | 192.168.2.4 | 0x2608 | No error (0) | 104.21.79.144 | A (IP address) | IN (0x0001) | ||
Aug 3, 2021 23:30:13.681931973 CEST | 8.8.8.8 | 192.168.2.4 | 0x59c6 | No error (0) | 34.97.69.225 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Aug 3, 2021 23:30:05.349936008 CEST | 172.67.146.70 | 443 | 192.168.2.4 | 49739 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Sun Jul 18 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020 | Mon Jul 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877 |
CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 23:30:01 |
Start date: | 03/08/2021 |
Path: | C:\Users\user\Desktop\LRios3pM39.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 57344 bytes |
MD5 hash: | BBD9C29060936AA812C2B8AEFB14258C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 23:30:02 |
Start date: | 03/08/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff724c50000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 23:30:03 |
Start date: | 03/08/2021 |
Path: | C:\Users\user\Desktop\LRios3pM39.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 57344 bytes |
MD5 hash: | BBD9C29060936AA812C2B8AEFB14258C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 23:30:04 |
Start date: | 03/08/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff724c50000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|