Windows Analysis Report 3fVvJyTvQU
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for domain / URL | Show sources |
Source: | Virustotal: | Perma Link |
Multi AV Scanner detection for dropped file | Show sources |
Source: | Virustotal: | Perma Link |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: |
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: |
Source: | Dropped File: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: |
Persistence and Installation Behavior: |
---|
Creates processes via WMI | Show sources |
Source: | WMI Queries: |
Source: | File created: | Jump to dropped file |
Source: | Process information set: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Thread sleep time: | ||
Source: | Thread sleep time: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Process created: |
Source: | Code function: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation11 | Path Interception | Process Injection11 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection11 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
32% | Virustotal | Browse | ||
48% | ReversingLabs | Win32.Trojan.Sabsik |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
14% | Virustotal | Browse | ||
15% | ReversingLabs | Win32.Trojan.Generic |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
google.vrthcobj.com | 34.97.69.225 | true | true |
| unknown |
a.goatgame.co | 172.67.146.70 | true | false |
| unknown |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.67.146.70 | a.goatgame.co | United States | 13335 | CLOUDFLARENETUS | false |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 458975 |
Start date: | 03.08.2021 |
Start time: | 23:41:18 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 59s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 3fVvJyTvQU (renamed file extension from none to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 24 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.winEXE@5/2@3/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
23:42:11 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
172.67.146.70 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
google.vrthcobj.com | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
a.goatgame.co | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ce5f3254611a8c095a3d821d44539877 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Dropped Files |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\3fVvJyTvQU.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 578665 |
Entropy (8bit): | 7.9654519561375405 |
Encrypted: | false |
SSDEEP: | 12288:811ticqWIMMXa2ad3KNj8++VUYgokNxcg8aVg1gKtY7SQ0O:YPeBaRKNjdklalbVygKtY7xX |
MD5: | 9AB1B7EC387DAE76B10ADE9CEE9F7E16 |
SHA1: | C88CE8EF04C2A34890F91D2A908053C56FE49349 |
SHA-256: | 90C8B4423A96315412C7B28E242F8A83B2F805DE631B4F852621EA73BA11C42E |
SHA-512: | 8EAF5E21F3150884101636B04DA11DCDD1009B321D0E858B382012362F538B8D43FC56AC7EF06CA40B44DA809E7D294C1812200A3FB7231AE1ED07494E6E6A8A |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\3fVvJyTvQU.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 81408 |
Entropy (8bit): | 6.295064838876099 |
Encrypted: | false |
SSDEEP: | 1536:jkOh0YR+kfbE+2AJk64OceTbkS9Co5sWzcdSzEdY+wJpxpbcNop//:jkcjHY+fJhPN9H2SIdY+wJpxpQ8// |
MD5: | 05250AA12AD3C6A86DAB6DAB708D17FF |
SHA1: | E41AD72C9A43070BB11FD7411800F71DDDF6BDD8 |
SHA-256: | 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD |
SHA-512: | A56DF11AF5243150753154E1CBA74E3CDD0CDECF09269B88A3944AC12B73DE59909CE6DBBBD3B1B6DA691D144FAC2599645B2017F66BAC64A106437168EC38C8 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: | |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 4.57901861732841 |
TrID: |
|
File name: | 3fVvJyTvQU.exe |
File size: | 57344 |
MD5: | 4003498f5c38cf05a71125d4e8745791 |
SHA1: | 5bf2e49a13c64f3f65c0b8ef8a61f8202cde5359 |
SHA256: | ad5711a5bdcd7c6334389a2ed722e16e774d8f55737e85f57c71ec3e1767c63b |
SHA512: | e603139a756496abbd867c619ad31a7bed73e8b6f789982d5d4d8fc3a444d3dbd6dd6a6b2aa109f6e1d3ceb6ecc1546987f4379f5ca36f71f360a793c4eb4ff1 |
SSDEEP: | 768:zQR+JJlY3yGJxNojkTnJI6TWzzejkZy/xbD9BxufhqXKCl3G9:nAoITdT0Zy5bZXYml3G9 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../Q..N?..N?..N?.CF`..N?..l4..N?.NR1..N?..h4..N?..h5..N?.NFb..N?..N>..N?..m...N?.Rich.N?.........PE..L....E.a.................p. |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40267e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x610745D0 [Mon Aug 2 01:09:36 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 2cdeda7a0aa27475a825e9c41d4d95f0 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 00408150h |
push 00403E38h |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
sub esp, 10h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
call dword ptr [00408050h] |
xor edx, edx |
mov dl, ah |
mov dword ptr [0040CF70h], edx |
mov ecx, eax |
and ecx, 000000FFh |
mov dword ptr [0040CF6Ch], ecx |
shl ecx, 08h |
add ecx, edx |
mov dword ptr [0040CF68h], ecx |
shr eax, 10h |
mov dword ptr [0040CF64h], eax |
push 00000001h |
call 00007FA9F0C4619Bh |
pop ecx |
test eax, eax |
jne 00007FA9F0C44AAAh |
push 0000001Ch |
call 00007FA9F0C44B50h |
pop ecx |
call 00007FA9F0C45603h |
test eax, eax |
jne 00007FA9F0C44AAAh |
push 00000010h |
call 00007FA9F0C44B3Fh |
pop ecx |
and dword ptr [ebp-04h], 00000000h |
call 00007FA9F0C45E43h |
call dword ptr [0040804Ch] |
mov dword ptr [0040D658h], eax |
call 00007FA9F0C45D01h |
mov dword ptr [0040CF54h], eax |
call 00007FA9F0C45AAAh |
call 00007FA9F0C459ECh |
call 00007FA9F0C4574Fh |
mov eax, dword ptr [0040CF80h] |
mov dword ptr [0040CF84h], eax |
push eax |
push dword ptr [0040CF78h] |
push dword ptr [0040CF74h] |
call 00007FA9F0C44572h |
add esp, 0Ch |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8af0 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x3d4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x150 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6ba7 | 0x7000 | False | 0.592808314732 | data | 6.44090698985 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1186 | 0x2000 | False | 0.27001953125 | data | 3.62785728692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x365c | 0x3000 | False | 0.0795084635417 | data | 0.841262202445 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0xe000 | 0x1000 | 0x1000 | False | 0.111083984375 | data | 1.09363315293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0xe058 | 0x37c | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetProcAddress, LoadLibraryA, lstrlenW, InterlockedDecrement, CloseHandle, WriteFile, CreateFileW, lstrcatW, GetModuleFileNameW, RaiseException, LocalFree, lstrlenA, InterlockedIncrement, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, RtlUnwind, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, HeapSize |
USER32.dll | wsprintfW |
ole32.dll | CoInitializeSecurity, CoUninitialize, CoInitialize, CoCreateInstance, CoSetProxyBlanket |
OLEAUT32.dll | VariantInit, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayUnaccessData, SysStringLen, SysAllocStringLen, SysAllocString, VariantClear, SysFreeString, GetErrorInfo |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright (C) 1995-2018 VanDyke Software, Inc. |
InternalName | License Helper |
FileVersion | 8.5.0.1740 |
CompanyName | VanDyke Software, Inc. |
Comments | \$Revision: 122570 \$ |
ProductName | License Helper |
ProductVersion | 8.5.0.1740 |
FileDescription | License Helper |
OriginalFilename | LicenseHelper.exe |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
08/03/21-23:42:27.324731 | UDP | 1948 | DNS zone transfer UDP | 57569 | 53 | 192.168.2.3 | 34.97.69.225 |
08/03/21-23:42:33.315221 | UDP | 1948 | DNS zone transfer UDP | 57569 | 53 | 192.168.2.3 | 34.97.69.225 |
08/03/21-23:42:43.654284 | UDP | 1948 | DNS zone transfer UDP | 57569 | 53 | 192.168.2.3 | 34.97.69.225 |
08/03/21-23:42:55.609356 | UDP | 1948 | DNS zone transfer UDP | 57569 | 53 | 192.168.2.3 | 34.97.69.225 |
08/03/21-23:43:04.923912 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.3 | 34.97.69.225 | ||
08/03/21-23:43:05.644246 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.3 | 34.97.69.225 | ||
08/03/21-23:43:06.843778 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.3 | 34.97.69.225 | ||
08/03/21-23:43:07.564120 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.3 | 34.97.69.225 | ||
08/03/21-23:43:09.426405 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.3 | 34.97.69.225 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 3, 2021 23:42:08.264192104 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.281058073 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.281203985 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.287096024 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.303870916 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.307393074 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.307447910 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.307477951 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.307560921 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.318670988 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.335412979 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.335603952 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.378514051 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.385346889 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.403290987 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.921807051 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.921857119 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.921886921 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.921914101 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.921951056 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.921989918 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.922009945 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.922108889 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.922177076 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.922216892 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.922245026 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.922297001 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.922307014 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.922348976 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.922486067 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.922534943 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.922575951 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.922605991 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.922712088 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:08.923085928 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.923157930 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:08.923270941 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.175451994 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.175498962 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.175534010 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.175575972 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.175605059 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.175611973 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.175653934 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.175673962 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.175688028 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.175703049 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.175932884 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.175975084 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.176001072 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.176013947 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.176049948 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.176105022 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.176722050 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.176764011 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.176800013 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.176834106 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.176837921 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.176873922 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.177556992 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.177594900 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.177649021 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.177679062 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.177679062 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.177722931 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.178124905 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.178167105 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.178204060 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.178239107 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.178250074 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.178320885 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.178942919 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.178983927 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.179012060 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.179105043 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.179135084 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.179177046 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.179208994 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.179280043 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.427622080 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.427695036 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.427738905 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.427767038 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.427803993 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.427833080 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.427968025 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.428467035 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.428498983 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.428536892 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.428572893 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.428653002 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.428764105 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.428802013 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.428848982 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.428889990 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.428935051 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.429013014 CEST | 49712 | 443 | 192.168.2.3 | 172.67.146.70 |
Aug 3, 2021 23:42:09.429570913 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.429613113 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
Aug 3, 2021 23:42:09.429649115 CEST | 443 | 49712 | 172.67.146.70 | 192.168.2.3 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 3, 2021 23:41:59.158646107 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:41:59.184545994 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:41:59.938543081 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:41:59.963732958 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:00.741821051 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:00.766784906 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:01.671165943 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:01.698786974 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:02.675854921 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:02.708280087 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:03.780181885 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:03.805951118 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:04.752377033 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:04.776922941 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:05.417403936 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:05.449994087 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:06.845972061 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:06.873339891 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:07.835000038 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:07.867800951 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:08.197936058 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:08.233841896 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:08.555628061 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:08.580760002 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:09.380799055 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:09.417661905 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:10.217458010 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:10.244851112 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:10.861213923 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:10.888822079 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:11.512830973 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:11.540487051 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:12.335515976 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:12.361551046 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:13.635502100 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:13.660516024 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:16.394717932 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:16.395879984 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Aug 3, 2021 23:42:16.422513962 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Aug 3, 2021 23:42:16.431968927 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 3, 2021 23:42:08.197936058 CEST | 192.168.2.3 | 8.8.8.8 | 0x293 | Standard query (0) | A (IP address) | IN (0x0001) | |
Aug 3, 2021 23:42:16.394717932 CEST | 192.168.2.3 | 8.8.8.8 | 0x7c06 | Standard query (0) | A (IP address) | IN (0x0001) | |
Aug 3, 2021 23:42:16.395879984 CEST | 192.168.2.3 | 8.8.8.8 | 0xbcfd | Standard query (0) | 28 | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 3, 2021 23:42:08.233841896 CEST | 8.8.8.8 | 192.168.2.3 | 0x293 | No error (0) | 172.67.146.70 | A (IP address) | IN (0x0001) | ||
Aug 3, 2021 23:42:08.233841896 CEST | 8.8.8.8 | 192.168.2.3 | 0x293 | No error (0) | 104.21.79.144 | A (IP address) | IN (0x0001) | ||
Aug 3, 2021 23:42:16.422513962 CEST | 8.8.8.8 | 192.168.2.3 | 0x7c06 | No error (0) | 34.97.69.225 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Aug 3, 2021 23:42:08.307447910 CEST | 172.67.146.70 | 443 | 192.168.2.3 | 49712 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Sun Jul 18 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020 | Mon Jul 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877 |
CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 23:42:04 |
Start date: | 03/08/2021 |
Path: | C:\Users\user\Desktop\3fVvJyTvQU.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 57344 bytes |
MD5 hash: | 4003498F5C38CF05A71125D4E8745791 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 23:42:05 |
Start date: | 03/08/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 23:42:06 |
Start date: | 03/08/2021 |
Path: | C:\Users\user\Desktop\3fVvJyTvQU.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 57344 bytes |
MD5 hash: | 4003498F5C38CF05A71125D4E8745791 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 23:42:06 |
Start date: | 03/08/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|