Windows Analysis Report CI and PL of CMZBD-210090.exe
Overview
General Information
Detection
GuLoader AgentTesla
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
GuLoader behavior detected
Hides threads from debuggers
Installs a global keyboard hook
Writes to foreign memory regions
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Telegram RAT |
---|
{"C2 url": "https://api.telegram.org/bot1996953049:AAH2EyLl5sWiWWep1n_p6ZBPPY3UEsTqo0M/sendMessage"}
Threatname: Agenttesla |
---|
{"Exfil Mode": "Telegram", "Chat id": "1985758957", "Chat URL": "https://api.telegram.org/bot1996953049:AAH2EyLl5sWiWWep1n_p6ZBPPY3UEsTqo0M/sendDocument"}
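Both configuration records above point at the same Telegram bot: the numeric bot id and 35-character secret form the bot token, and the record labelled Telegram RAT uses it with `sendMessage` while the AgentTesla record uses it with `sendDocument` for file exfiltration, with the destination chat passed as the `chat_id` request parameter rather than in the URL. The Python below, added here as an illustration and not Joe Security's Malware Configuration Extractor, recovers those fields from a raw memory dump by scanning a plain ASCII view and both alignments of a UTF-16LE view (AgentTesla is a .NET stealer, so its strings sit in memory as UTF-16). The dump bytes, the bot token and the chat id in it are constructed placeholders, not the values from this report.

```python
"""Recover Telegram Bot API C2 settings from raw strings or a memory dump.

Added example, not Joe Security's Malware Configuration Extractor. The
dump bytes, bot token and chat id below are constructed placeholders.
"""
import re
from typing import Dict, List

# Bot API URL: https://api.telegram.org/bot<numeric id>:<35-char secret>/<method>
BOT_URL_RE = re.compile(
    rb"https?://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):"
    rb"(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)
# The destination chat travels as a request parameter, not in the URL;
# group chats have negative ids.
CHAT_ID_RE = re.compile(rb"chat_id=(?P<chat_id>-?\d{5,20})")


def string_views(blob: bytes) -> List[bytes]:
    """The raw bytes plus both byte-alignments of a UTF-16LE-to-ASCII
    squeeze, so that .NET strings (UTF-16 in memory) match the same ASCII
    patterns as plain strings do. Non-ASCII data becomes noise in the
    squeezed views but is still intact in the raw one."""
    return [blob, blob[0::2], blob[1::2]]


def extract_telegram_c2(blob: bytes) -> Dict[str, list]:
    """Return every distinct Bot API endpoint and every chat id seen."""
    endpoints: Dict[str, Dict[str, str]] = {}
    chat_ids = set()
    for view in string_views(blob):
        for m in BOT_URL_RE.finditer(view):
            url = m.group(0).decode("ascii")
            bot_id = m.group("bot_id").decode("ascii")
            endpoints[url] = {
                "url": url,
                "bot_id": bot_id,
                "token": bot_id + ":" + m.group("secret").decode("ascii"),
                "method": m.group("method").decode("ascii"),
            }
        chat_ids.update(c.group("chat_id").decode("ascii") for c in CHAT_ID_RE.finditer(view))
    return {
        "endpoints": sorted(endpoints.values(), key=lambda e: e["url"]),
        "chat_ids": sorted(chat_ids),
    }


def network_iocs(config: Dict[str, list]) -> List[str]:
    """One indicator per bot token, independent of the API method: any
    request carrying this token is the attacker's, whether it is
    sendMessage (beacon / text) or sendDocument (file exfiltration)."""
    return sorted({"api.telegram.org/bot" + e["token"] + "/" for e in config["endpoints"]})


# Constructed dump: a UTF-16LE URL (as a .NET string sits in memory), some
# padding, then an ASCII URL and an ASCII form body carrying the chat id.
TOKEN = "1234567890:AAExampleSecretForDemoPurposes00000"  # placeholder, not the report's
SAMPLE_DUMP = (
    b"\x00" * 16
    + f"https://api.telegram.org/bot{TOKEN}/sendDocument".encode("utf-16-le")
    + b"\x00\x00\xff\xfejunk"
    + f"https://api.telegram.org/bot{TOKEN}/sendMessage".encode("ascii")
    + b"\x00chat_id=987654321&text=PW_sample%20host\x00"
)

if __name__ == "__main__":
    cfg = extract_telegram_c2(SAMPLE_DUMP)
    for e in cfg["endpoints"]:
        print(f"bot {e['bot_id']} -> {e['method']}  ({e['url']})")
    print("chat ids:", cfg["chat_ids"])
    print("IOCs:", network_iocs(cfg))
```

The method-independent indicator from `network_iocs` is the one worth deploying: the same token will show up on `getMe`, `sendMessage` and `sendDocument`, and the chat id alone is useless for network detection because it never appears in the URL.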
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor (2 entries) |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs |
Machine Learning detection for sample |
Source: | Joe Sandbox ML |
Source: | Avira (2 entries) |
Source: | Static PE information |
Source: | HTTPS traffic detected (3 entries) |
Networking: |
---|
Uses the Telegram API (likely for C&C communication) |
Source: | DNS query |
Source: | JA3 fingerprint (2 entries) |
Source: | HTTP traffic detected |
Source: | IP Address |
Source: | HTTP traffic detected (2 entries) |
Source: | Network traffic detected (6 entries) |
Source: | String found in binary or memory (11 entries) |
Source: | HTTP traffic detected |
Source: | DNS traffic detected |
Source: | HTTP traffic detected (2 entries) |
Source: | HTTPS traffic detected (3 entries) |
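Nearly everything in this section points at api.telegram.org, which the Contacted IPs table further down resolves to 149.154.167.220 in Telegram's own ASN (TELEGRAMRU). That address carries legitimate Telegram traffic as well, so the "IP address seen in connection with other malware" flag says more about how popular the Bot API is with stealers than about the address, and blocking it is not a useful response. Detection is better keyed on the combination the report exposes: a Bot API URL with a token in its path, issued by a process that has no business talking to Telegram (the dropped file in this report was written by C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, consistent with the suspended-process creation and foreign memory writes the signatures list), together with a missing User-Agent or a browser User-Agent presented by a non-browser process. The Python below, an added example and not a Joe Sandbox or Sigma rule, applies those checks to constructed JSON proxy-log lines; the token, hosts, timestamps, process names and the list of commonly hollowed .NET binaries are assumptions for illustration.

```python
"""Flag Telegram Bot API C2 in HTTP proxy telemetry.

Added example, not a Joe Sandbox or Sigma rule. The log lines, token,
process names and hollowing-target list are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Bot API path: /bot<numeric id>:<35-char secret>/<method>
TELEGRAM_BOT_PATH_RE = re.compile(r"^/bot(\d{6,12}):([A-Za-z0-9_-]{35})/([A-Za-z]+)")
BROWSER_UA_RE = re.compile(r"Mozilla/\d\.\d")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# RegAsm.exe is the process that wrote the dropped file in this report; the
# other names are .NET utilities commonly hollowed by similar loaders
# (assumption, not taken from the report).
HOLLOWING_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    ts: str
    process: str
    severity: str
    reason: str


def assess(event: Dict[str, Optional[str]]) -> List[Finding]:
    """Findings for one proxy event: a dict with ts, process, host, method,
    uri and user_agent (None when the header was absent)."""
    findings: List[Finding] = []
    ts = event.get("ts") or ""
    process = event.get("process") or ""
    proc = process.lower()
    host = (event.get("host") or "").lower()
    ua = event.get("user_agent") or ""

    # 1. Bot API call: the token in the path identifies the attacker's bot,
    #    and a hollowed .NET utility as the client makes it high confidence.
    bot = TELEGRAM_BOT_PATH_RE.match(event.get("uri") or "") if host == "api.telegram.org" else None
    if bot:
        bot_id, _secret, method = bot.groups()
        severity = "high" if proc in HOLLOWING_TARGETS else "medium"
        findings.append(Finding(ts, process, severity,
                                f"Telegram Bot API {method} with bot id {bot_id} from {process}"))

    # 2. Request without a User-Agent ("HTTP GET or POST without a user agent").
    if event.get("method") in ("GET", "POST") and not ua:
        findings.append(Finding(ts, process, "low", "HTTP request without User-Agent"))

    # 3. Browser User-Agent presented by a process that is not a browser.
    if BROWSER_UA_RE.search(ua) and proc not in BROWSERS:
        findings.append(Finding(ts, process, "medium",
                                f"browser User-Agent presented by non-browser process {process}"))
    return findings


def scan(log_lines: List[str]) -> List[Finding]:
    """Run assess() over JSON-lines proxy records."""
    findings: List[Finding] = []
    for line in log_lines:
        if line.strip():
            findings.extend(assess(json.loads(line)))
    return findings


def max_severity(findings: List[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed proxy log (JSON lines); the token is a placeholder.
_TOKEN = "1234567890:AAExampleSecretForDemoPurposes00000"
SAMPLE_LOG = [
    '{"ts": "2021-09-14T18:41:16Z", "process": "RegAsm.exe", "host": "drive.google.com", '
    '"method": "GET", "uri": "/uc?export=download&id=EXAMPLE", '
    '"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}',
    '{"ts": "2021-09-14T18:41:30Z", "process": "RegAsm.exe", "host": "api.telegram.org", '
    '"method": "POST", "uri": "/bot' + _TOKEN + '/sendDocument", "user_agent": null}',
    '{"ts": "2021-09-14T18:42:01Z", "process": "chrome.exe", "host": "drive.google.com", '
    '"method": "GET", "uri": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}',
    '{"ts": "2021-09-14T18:43:12Z", "process": "python.exe", "host": "api.telegram.org", '
    '"method": "POST", "uri": "/bot2222222222:BBExampleSecretForDemoPurposes00000/sendMessage", '
    '"user_agent": "python-requests/2.26.0"}',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.severity:6} {f.process}: {f.reason}")
    print("overall:", max_severity(results))
```

The third check is deliberately scored medium rather than high: a non-browser process with a browser User-Agent is common in update agents and scripted downloaders, so on its own it is a lead, while the Bot API token in a hollowed RegAsm.exe request is the line that should page someone.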
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Installs a global keyboard hook |
Source: | Windows user hook set |
Source: | Binary or memory string |
Source: | Window created |
Source: | Static PE information |
Source: | Code function (10 entries) |
Source: | Process Stats (2 entries) |
Source: | Binary or memory string (2 entries) |
Source: | Static PE information (3 entries) |
Source: | Section loaded |
Source: | ReversingLabs |
Source: | Static PE information |
Source: | Key opened |
Source: | Section loaded |
Source: | Process created (4 entries) |
Source: | Key value queried |
Source: | WMI Queries (3 entries) |
Source: | Classification label |
Source: | Section loaded |
Source: | Mutant created |
Source: | File read (4 entries) |
Source: | Window detected |
Source: | File opened |
Source: | Code function (18 entries) |
Source: | Process information set (74 entries) |
Malware Analysis System Evasion: |
---|
Tries to detect Any.run |
Source: | File opened (4 entries) |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string (2 entries) |
Tries to detect virtualization through RDTSC time measurements |
Source: | RDTSC instruction interceptor (2 entries) |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) |
Source: | WMI Queries |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) |
Source: | WMI Queries |
Source: | Thread sleep time |
Source: | Last function |
Source: | Thread delayed |
Source: | Window / User API |
Source: | WMI Queries (3 entries) |
Source: | Process information queried |
Source: | Thread delayed |
Source: | System information queried |
Source: | Binary or memory string (2 entries) |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set (3 entries) |
Source: | Process token adjusted |
Source: | Process queried (2 entries) |
Source: | Code function |
Source: | Memory allocated |
HIPS / PFW / Operating System Protection Evasion: |
---|
Writes to foreign memory regions |
Source: | Memory written |
Source: | Process created |
Source: | Binary or memory string (4 entries) |
Source: | Queries volume information (9 entries) |
Source: | Key value queried |
Stealing of Sensitive Information: |
---|
Yara detected Telegram RAT |
Source: | File source (2 entries) |
Yara detected AgentTesla |
Source: | File source (2 entries) |
GuLoader behavior detected |
Source: | Signature Results |
Tries to harvest and steal ftp login credentials |
Source: | File opened (2 entries) |
Tries to steal Mail credentials (via file access) |
Source: | File opened (2 entries) |
Tries to harvest and steal browser information (history, passwords, etc) |
Source: | File opened (2 entries) |
Source: | File source (2 entries) |
Remote Access Functionality: |
---|
Yara detected Telegram RAT |
Source: | File source (2 entries) |
Yara detected AgentTesla |
Source: | File source (2 entries) |
Mitre Att&ck Matrix |
---|
Techniques matched for this sample, grouped by tactic; the digits after each technique are the match badges as printed in the report. The remaining cells of the full matrix carry no badge and are not listed. |
---|
Tactic | Matched techniques |
---|---|
Execution | Windows Management Instrumentation (211) |
Persistence | DLL Side-Loading (1) |
Privilege Escalation | Process Injection (112), DLL Side-Loading (1) |
Defense Evasion | Disable or Modify Tools (1), Virtualization/Sandbox Evasion (341), Process Injection (112), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1) |
Credential Access | OS Credential Dumping (2), Input Capture (111) |
Discovery | Security Software Discovery (521), Process Discovery (2), Virtualization/Sandbox Evasion (341), Application Window Discovery (1), Remote System Discovery (1), System Information Discovery (214) |
Collection | Email Collection (1), Input Capture (111), Archive Collected Data (1), Data from Local System (2), Clipboard Data (1) |
Command and Control | Web Service (1), Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (14) |
Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact | no badged technique |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
12% | ReversingLabs | |||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | TR/Dropper.VB.Gen | | |
| 100% | Avira | TR/Dropper.VB.Gen | | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 172.217.168.78 | true | false | high | |
api.telegram.org | 149.154.167.220 | true | false | high | |
googlehosted.l.googleusercontent.com | 172.217.168.65 | true | false | high | |
doc-0o-00-docs.googleusercontent.com | unknown | unknown | false | high |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
| false | | high |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.217.168.78 | drive.google.com | United States | 15169 | GOOGLEUS | false | |
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
172.217.168.65 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 483265 |
Start date: | 14.09.2021 |
Start time: | 18:36:06 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 3s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | CI and PL of CMZBD-210090.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Suspected Instruction Hammering Hide Perf |
Number of analysed new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/1@3/3 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
18:41:30 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated samples in Joe Sandbox View | Detection |
---|---|---|
149.154.167.220 | 20 | malicious (all 20) |
Domains |
---|
Match | Associated samples in Joe Sandbox View | Detection |
---|---|---|
api.telegram.org | 20 | malicious (all 20) |
ASN |
---|
Match | Associated samples in Joe Sandbox View | Detection |
---|---|---|
TELEGRAMRU | 20 | malicious (all 20) |
JA3 Fingerprints |
---|
Match | Associated samples in Joe Sandbox View | Detection |
---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | 20 | malicious (all 20) |
37f463bf4616ecd445d4a1937da06e19 | 20 | malicious (all 20) |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 30 |
Entropy (8bit): | 3.964735178725505 |
Encrypted: | false |
SSDEEP: | 3:IBVFBWAGRHneyy:ITqAGRHner |
MD5: | 9F754B47B351EF0FC32527B541420595 |
SHA1: | 006C66220B33E98C725B73495FE97B3291CE14D9 |
SHA-256: | 0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591 |
SHA-512: | C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.999486188270087 |
TrID: | |
File name: | CI and PL of CMZBD-210090.exe |
File size: | 126976 |
MD5: | 1f9b03378d7dc859a1c6e13a5832582e |
SHA1: | 670bf2c5dbc7f6f8d9d1ec4b8d6c527a5eefdb8b |
SHA256: | ce8385347104cf190b23811bb67ba8edac9186073d6953ca23720f1e92af7eb3 |
SHA512: | 40b070c01703ae37541b1b6d079144771bc0db0284ebbd45f715889b6b5a959f4f2bad5b3e38c882e95240f55249b0e332b7e318b3c450743c15b7b66f5403df |
SSDEEP: | 1536:bW30on+jXsoPTna24R4xoTI2l41yjEmxJjQ1CkZrik3QKRv93snKLH:lbrwGxeX+sEPCUek3QKRFl |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L.....wX..........................................@........................ |
File Icon |
---|
Icon Hash: | eca24dd23ca5cce8 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x401114 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x5877ECB2 [Thu Jan 12 20:53:06 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 82687acae94d2aed1f61dd47940dabd7 |
Entrypoint Preview |
---|
The first two instructions are the standard Visual Basic 6 entry stub: push the address of the VB project header (0x401944 here) and call into the MSVBVM60.DLL runtime (ThunRTMain), which takes over execution from there. Everything listed after that call is data that the linear disassembler has decoded as if it were code, which is why it reads as runs of `add byte ptr [eax], al` (zero bytes) and other meaningless instructions; the program logic lives in the runtime and in the code the header points to, not at the entry point. |
Instruction |
---|
push 00401944h |
call 00007F25711D4FA3h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
inc eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax+7Dh], dh |
jl 00007F25711D4FF4h |
inc eax |
in eax, 48h |
xchg eax, edi |
adc eax, ED999408h |
mov ah, 58h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add dword ptr [eax], eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
outsd |
jbe 00007F25711D5017h |
jc 00007F25711D501Ah |
popad |
imul ebp, dword ptr [edi+ebp*2+76h], 00000000h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
dec esp |
xor dword ptr [eax], eax |
sub eax, A1070C29h |
jnp 00007F25711D500Bh |
aam 40h |
cdq |
mov byte ptr [ebx-38h], ah |
pop eax |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18be4 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b000 | 0x5a4c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x220 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x70 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x17d0c | 0x18000 | False | 0.522064208984 | data | 6.30520790061 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x19000 | 0x1938 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x1b000 | 0x5a4c | 0x6000 | False | 0.357218424479 | data | 5.10422339689 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
CUSTOM | 0x2074e | 0x2fe | MS Windows icon resource - 1 icon, 32x32, 16 colors | English | United States |
CUSTOM | 0x20450 | 0x2fe | MS Windows icon resource - 1 icon, 32x32, 16 colors | English | United States |
CUSTOM | 0x1fb92 | 0x8be | MS Windows icon resource - 1 icon, 32x32, 8 bits/pixel | English | United States |
RT_ICON | 0x1fa6a | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x1f502 | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x1f21a | 0x2e8 | data | ||
RT_ICON | 0x1e972 | 0x8a8 | data | ||
RT_ICON | 0x1e60a | 0x368 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x1dec2 | 0x748 | data | ||
RT_ICON | 0x1d21a | 0xca8 | data | ||
RT_ICON | 0x1b572 | 0x1ca8 | data | ||
RT_GROUP_ICON | 0x1b4fc | 0x76 | data | ||
RT_VERSION | 0x1b2f0 | 0x20c | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0409 0x04b0 |
InternalName | meta |
FileVersion | 1.00 |
CompanyName | Cellular |
ProductName | overhailov |
ProductVersion | 1.00 |
OriginalFilename | meta.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 14, 2021 18:41:15.645840883 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:15.645905018 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:15.646064997 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:15.673167944 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:15.673242092 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:15.760016918 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:15.760169983 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:15.760277987 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:15.760365009 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:16.038130999 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:16.038193941 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:16.038741112 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:16.038841009 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:16.041814089 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:16.083163023 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:16.541322947 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:16.541496038 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:16.541862011 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:16.587311983 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:16.587497950 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:16.587594032 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:16.661668062 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.661709070 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:16.661797047 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.662507057 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.662540913 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:16.743624926 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:16.743841887 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:16.743875027 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.743911028 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:16.743932009 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.743999004 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.768923998 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.768955946 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:16.769349098 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:16.769406080 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.769979000 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.811131001 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.137495995 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.137615919 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.137634039 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.139986992 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.140114069 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.141711950 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.141803980 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.145296097 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.145354033 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.145394087 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.145428896 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.145450115 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.145483971 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.149041891 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.149315119 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.149518967 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.149589062 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.164463043 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.164599895 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.164611101 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.164664984 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.165122032 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.165189981 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.165200949 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.165242910 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.166873932 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.166956902 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.166970015 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.167023897 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.168713093 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.168783903 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.168795109 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.168845892 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.170516968 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.170587063 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.170597076 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.170644045 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.172247887 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.172324896 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.172334909 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.172393084 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.174025059 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.174093962 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.174103975 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.174150944 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.175852060 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.175924063 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.175932884 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.175981998 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.177625895 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.177702904 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.177716970 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.177769899 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.179415941 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.179481983 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.179498911 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.179560900 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.181159973 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.181231022 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.181247950 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.181302071 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:17.182876110 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 14, 2021 18:36:53.400593042 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:36:53.431893110 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:26.172319889 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:26.218472958 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:42.836487055 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:42.863136053 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:46.252813101 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:46.322527885 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:47.049464941 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:47.082562923 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:47.536254883 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:47.569142103 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:47.893361092 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:47.934828043 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:48.378473997 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:48.408154011 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:49.031199932 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:49.076150894 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:49.172090054 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:49.211971045 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:49.470839977 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:49.499596119 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:50.183506012 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:50.208632946 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:51.264286995 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:51.290956974 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:37:51.990253925 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:37:52.031847954 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:38:04.459747076 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:38:04.488055944 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:38:30.179734945 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:38:30.223356962 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:41:15.583697081 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:41:15.628441095 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:41:16.621764898 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:41:16.657521963 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:42:56.229713917 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:42:56.256963015 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:44:06.179713011 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:44:06.218039989 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
Sep 14, 2021 18:44:07.245057106 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 14, 2021 18:44:07.294460058 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 14, 2021 18:41:15.583697081 CEST | 192.168.2.4 | 8.8.8.8 | 0xa9a7 | Standard query (0) | | A (IP address) | IN (0x0001) |
Sep 14, 2021 18:41:16.621764898 CEST | 192.168.2.4 | 8.8.8.8 | 0x44bd | Standard query (0) | | A (IP address) | IN (0x0001) |
Sep 14, 2021 18:42:56.229713917 CEST | 192.168.2.4 | 8.8.8.8 | 0x4b72 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 14, 2021 18:41:15.628441095 CEST | 8.8.8.8 | 192.168.2.4 | 0xa9a7 | No error (0) | | | 172.217.168.78 | A (IP address) | IN (0x0001) |
Sep 14, 2021 18:41:16.657521963 CEST | 8.8.8.8 | 192.168.2.4 | 0x44bd | No error (0) | | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) |
Sep 14, 2021 18:41:16.657521963 CEST | 8.8.8.8 | 192.168.2.4 | 0x44bd | No error (0) | | | 172.217.168.65 | A (IP address) | IN (0x0001) |
Sep 14, 2021 18:42:56.256963015 CEST | 8.8.8.8 | 192.168.2.4 | 0x4b72 | No error (0) | | | 149.154.167.220 | A (IP address) | IN (0x0001) |
Sep 14, 2021 18:44:06.218039989 CEST | 8.8.8.8 | 192.168.2.4 | 0xae99 | No error (0) | | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTPS Proxied Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49838 | 172.217.168.78 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-09-14 16:41:16 UTC | 0 | OUT | |
2021-09-14 16:41:16 UTC | 0 | IN | |
2021-09-14 16:41:16 UTC | 1 | IN | |
2021-09-14 16:41:16 UTC | 2 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.4 | 49839 | 172.217.168.65 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-09-14 16:41:16 UTC | 2 | OUT | |
2021-09-14 16:41:17 UTC | 2 | IN | |
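The tables above are the raw capture. The following is an added example, not part of the Joe Sandbox report, showing how an analyst turns the pipe-separated TCP, DNS Answers and HTTPS Proxied Packets tables into per-flow records: packets folded into client/server flows, each server address labelled with the CNAME returned in the same DNS transaction (the only hostname the report keeps, since its Name column is blank), the owning process attached from the proxied-session table, and a check for addresses the resolver returned that never show up as a TCP peer. The embedded rows are copied from the tables above (a few TCP rows per session; DNS rows laid out with an empty Name cell); the local-network prefix `192.168.2.` is an assumption.

```python
"""Summarise Joe-Sandbox-style packet tables into per-flow records.
Added example; sample rows copied from the report, local prefix assumed."""
from collections import defaultdict
from datetime import datetime

LOCAL_PREFIX = "192.168.2."  # assumed: the sandbox guest's subnet

# Timestamp | Source Port | Dest Port | Source IP | Dest IP  (from the TCP table)
TCP_ROWS = """\
Sep 14, 2021 18:41:15.645840883 CEST | 49838 | 443 | 192.168.2.4 | 172.217.168.78 |
Sep 14, 2021 18:41:15.645905018 CEST | 443 | 49838 | 172.217.168.78 | 192.168.2.4 |
Sep 14, 2021 18:41:16.661668062 CEST | 49839 | 443 | 192.168.2.4 | 172.217.168.65 |
Sep 14, 2021 18:41:16.661709070 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
Sep 14, 2021 18:41:17.182876110 CEST | 443 | 49839 | 172.217.168.65 | 192.168.2.4 |
"""
# Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
DNS_ANSWER_ROWS = """\
Sep 14, 2021 18:41:15.628441095 CEST | 8.8.8.8 | 192.168.2.4 | 0xa9a7 | No error (0) | | | 172.217.168.78 | A (IP address) | IN (0x0001) |
Sep 14, 2021 18:41:16.657521963 CEST | 8.8.8.8 | 192.168.2.4 | 0x44bd | No error (0) | | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) |
Sep 14, 2021 18:41:16.657521963 CEST | 8.8.8.8 | 192.168.2.4 | 0x44bd | No error (0) | | | 172.217.168.65 | A (IP address) | IN (0x0001) |
Sep 14, 2021 18:42:56.256963015 CEST | 8.8.8.8 | 192.168.2.4 | 0x4b72 | No error (0) | | | 149.154.167.220 | A (IP address) | IN (0x0001) |
"""
# (client IP, client port) -> process, from the HTTPS Proxied Packets table
PROXIED_SESSIONS = {
    ("192.168.2.4", 49838): r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    ("192.168.2.4", 49839): r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
}

def parse_ts(text):
    """'Sep 14, 2021 18:41:15.645840883 CEST' -> datetime. Nanoseconds are cut
    to microseconds (%f accepts at most six digits); the zone suffix is dropped."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")

def parse_rows(table):
    """Split a pipe-separated table into lists of stripped cells, keeping empty
    cells so column positions survive (the report's blank Name column)."""
    return [[c.strip() for c in line.strip().rstrip("|").split("|")]
            for line in table.strip().splitlines()]

def dns_labels(answer_rows):
    """Map each answered address to the last CNAME returned in the same
    transaction (the only hostname the report preserves), or None."""
    by_txn = defaultdict(lambda: {"cnames": [], "addrs": []})
    for _ts, _src, _dst, txn, _rc, _name, cname, addr, rtype, _cls in answer_rows:
        if rtype.startswith("CNAME") and cname:
            by_txn[txn]["cnames"].append(cname)
        elif rtype.startswith("A ") and addr:
            by_txn[txn]["addrs"].append(addr)
    labels = {}
    for rec in by_txn.values():
        for addr in rec["addrs"]:
            labels[addr] = rec["cnames"][-1] if rec["cnames"] else None
    return labels

def tcp_flows(tcp_rows):
    """Fold packets into flows keyed (client IP, client port, server IP, server
    port); the local host is always treated as the client."""
    flows = {}
    for ts, sport, dport, src, dst in tcp_rows:
        when = parse_ts(ts)
        outbound = src.startswith(LOCAL_PREFIX)
        key = ((src, int(sport), dst, int(dport)) if outbound
               else (dst, int(dport), src, int(sport)))
        f = flows.setdefault(key, {"first": when, "last": when, "out": 0, "in": 0})
        f["first"], f["last"] = min(f["first"], when), max(f["last"], when)
        f["out" if outbound else "in"] += 1
    return flows

def summarise(tcp_table, dns_table, sessions):
    """One record per flow, ordered by first packet, with the DNS name of the
    server (if an answer covered it) and the process that owned the socket."""
    labels = dns_labels(parse_rows(dns_table))
    flows = tcp_flows(parse_rows(tcp_table))
    records = []
    for (cip, cport, sip, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        records.append({
            "client": f"{cip}:{cport}", "server": f"{sip}:{sport}",
            "name": labels.get(sip), "process": sessions.get((cip, cport)),
            "packets_out": f["out"], "packets_in": f["in"],
            "duration_ms": round((f["last"] - f["first"]).total_seconds() * 1000, 3),
        })
    return records

def answered_but_not_connected(tcp_table, dns_table):
    """Addresses the resolver returned that never appear as a TCP server in the
    rows given: blocked, outside the capture window, or simply not used."""
    servers = {sip for (_c, _cp, sip, _sp) in tcp_flows(parse_rows(tcp_table))}
    return sorted(a for a in dns_labels(parse_rows(dns_table)) if a not in servers)

if __name__ == "__main__":
    for rec in summarise(TCP_ROWS, DNS_ANSWER_ROWS, PROXIED_SESSIONS):
        print(rec)
    print("resolved, no TCP flow:", answered_but_not_connected(TCP_ROWS, DNS_ANSWER_ROWS))
```

Run against the full tables rather than the excerpt, the "resolved but not connected" list is the first thing to check: an address the sample bothered to resolve (here 149.154.167.220 at 18:42:56) but never spoke to within the capture suggests the connection happened after the recording stopped or was blocked by the sandbox, and the gap should be reconciled with the process and HTTPS tables before concluding anything about the traffic.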