Windows Analysis Report DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Overview
General Information
Detection
GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Antivirus / Scanner detection for submitted sample |
Source: | Avira: |
Source: | Static PE information: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: |
Uses dynamic DNS services |
Source: | DNS query: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | String found in binary or memory: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
System Summary: |
---|
Potential malicious icon found |
Source: | Icon embedded in PE file: |
Source: | Static PE information: |
Source: | Code function: | 2_2_00403DD6 | |
Source: | Code function: | 2_2_0040415B | |
Source: | Code function: | 2_2_023018E5 | |
Source: | Code function: | 2_2_0230C119 | |
Source: | Code function: | 2_2_0230E165 | |
Source: | Code function: | 2_2_0230303C | |
Source: | Code function: | 2_2_02304419 | |
Source: | Code function: | 2_2_02304245 | |
Source: | Code function: | 2_2_023042B5 | |
Source: | Code function: | 2_2_02304484 | |
Source: | Code function: | 2_2_0230CED6 | |
Source: | Code function: | 2_2_023036D9 | |
Source: | Code function: | 2_2_0230452C | |
Source: | Code function: | 2_2_02303700 | |
Source: | Code function: | 2_2_02304358 | |
Source: | Code function: | 2_2_02303BBC | |
Source: | Code function: | 2_2_02303BBE | |
Source: | Code function: | 2_2_02302F90 | |
Source: | Code function: | 2_2_02304195 | |
Source: | Code function: | 2_2_02302F9B | |
Source: | Code function: | 2_2_02304184 |
Source: | Code function: | 2_2_0230DC5F | |
Source: | Code function: | 2_2_0230C119 | |
Source: | Code function: | 2_2_02307B69 | |
Source: | Code function: | 2_2_02307BAC | |
Source: | Code function: | 6_2_030CED4E | |
Source: | Code function: | 6_2_030CEC4F | |
Source: | Code function: | 6_2_030CECBD | |
Source: | Code function: | 6_2_030CED49 | |
Source: | Code function: | 6_2_030CED5C | |
Source: | Code function: | 6_2_030CEDB8 | |
Source: | Code function: | 6_2_030CEE3A |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Section loaded: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Section loaded: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: |
Source: | Classification label: |
Source: | Mutant created: |
Data Obfuscation: |
---|
Yara detected GuLoader |
Source: | File source: |
Source: | Code function: | 2_2_00409456 | |
Source: | Code function: | 2_2_00407E32 | |
Source: | Code function: | 2_2_004072C2 | |
Source: | Code function: | 2_2_00406297 | |
Source: | Code function: | 2_2_00406D76 | |
Source: | Code function: | 2_2_004099F2 | |
Source: | Code function: | 2_2_00407C53 | |
Source: | Code function: | 2_2_02300383 | |
Source: | Code function: | 2_2_02307F93 | |
Source: | Code function: | 2_2_02304F87 |
Source: | Registry value created or modified: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Tries to detect Any.run |
Source: | File opened: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | Code function: | 2_2_02303B3F |
Source: | Window / User API: |
Source: | System information queried: |
Source: | Binary or memory string: |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: |
Source: | Code function: | 2_2_02303B3F |
Source: | Code function: | 2_2_02305833 | |
Source: | Code function: | 2_2_02305859 | |
Source: | Code function: | 2_2_023088B5 | |
Source: | Code function: | 2_2_023058BF | |
Source: | Code function: | 2_2_0230CED6 | |
Source: | Code function: | 2_2_0230599C | |
Source: | Code function: | 2_2_0230BDCB |
Source: | Process queried: |
Source: | Code function: | 2_2_02308A19 |
Source: | Code function: | 2_2_0230E165 |
HIPS / PFW / Operating System Protection Evasion: |
---|
Writes to foreign memory regions |
Source: | Memory written: |
Source: | Code function: | 2_2_0230CED6 |
Source: | Process created: |
Source: | Binary or memory string: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts1 | Windows Management Instrumentation | Valid Accounts1 | Valid Accounts1 | Valid Accounts1 | OS Credential Dumping | Security Software Discovery321 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Access Token Manipulation1 | LSASS Memory | Virtualization/Sandbox Evasion23 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | DLL Side-Loading1 | Process Injection112 | Virtualization/Sandbox Evasion23 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder1 | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | DLL Side-Loading1 | Obfuscated Files or Information1 | LSA Secrets | System Information Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol112 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 32% | Virustotal | | Browse |
| 18% | ReversingLabs | Win32.Trojan.Mucc | |
| 100% | Avira | HEUR/AGEN.1141869 | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1141869 | | |
| 100% | Avira | HEUR/AGEN.1141869 | | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
septnet.duckdns.org | 193.104.197.28 | true | true | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
193.104.197.28 | septnet.duckdns.org | unknown | | 1299 | TELIANETTeliaCarrierEU | true |
178.32.63.50 | unknown | France | | 16276 | OVHFR | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 1360 |
Start date: | 27.09.2021 |
Start time: | 12:51:29 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 5s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 |
Run name: | Suspected Instruction Hammering |
Number of analysed new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.rans.troj.evad.winEXE@3/1@1/2 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
12:54:11 | Autostart | |
12:54:19 | Autostart |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
178.32.63.50 | | | malicious | | |
| | | malicious | | |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
OVHFR | | | malicious | | |
TELIANETTeliaCarrierEU | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 98305 |
Entropy (8bit): | 5.8045067757228095 |
Encrypted: | false |
SSDEEP: | 768:I7nneTCCOKskAtEcDpHR0QWNTsO85zCoLi/0Fqt1fgg9ZPxt/ZbwKbdU5p0y:MnWAT4sO87LFIl3Ph2cy |
MD5: | DA500D43204B3E3DFEA43798760ED75D |
SHA1: | 206EE6A976EC8582810DB1EF8C6ED81599F24355 |
SHA-256: | 7B5C4219B3D03A3F8FF154FBAE97DA72A5E640AE13E7A414B2746804DBF2B8F8 |
SHA-512: | 2AA6347B81287C525262059C1B36CD1892603EC4BEF1A1CB1F112BEB83B67029C0EC4EEC61E22B834B591EF866480384164279FC3BDA8532D5828A040DB6AFB5 |
Malicious: | false |
Reputation: | low |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.804544485598051 |
TrID: | |
File name: | DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
File size: | 98304 |
MD5: | 8e2b177d2ab29c95f067559a029cf5e8 |
SHA1: | f347fa229d51836344ab5bf89fa531e19aa5e324 |
SHA256: | b9fdde7d748e27a130c509a589a2c8b92aad279604d3e4ee7ac28187fc5660be |
SHA512: | 29493bc83ab2348c5f3f707079e968302e03256acd3801d9c5e47c13a87cb9ec70145208bb25a4127e30cbe2cd7edca1a6cd82a23ca7a5e5a8a0bb0a19e1aa00 |
SSDEEP: | 768:37nneTCCOKskAtEcDpHR0QWNTsO85zCoLi/0Fqt1fgg9ZPxt/ZbwKbdU5p0:TnWAT4sO87LFIl3Ph2c |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM..SM..SM...Q..RM...o..uM..ek..RM..RichSM..................PE..L......I.................P...@...............`....@........ |
File Icon |
---|
Icon Hash: | 20047c7c70f0e004 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4012f0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x49E892D2 [Fri Apr 17 14:31:46 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 508f324e8f3f3b33e0170cdca30d1edb |
Entrypoint Preview |
---|
Instruction |
---|
push 00401E1Ch |
call 00007F98A8D959C5h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
dec eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [edi], dh |
fistp word ptr [eax+7B83299Ch] |
dec ebx |
mov ah, 62h |
or bh, ch |
movsd |
xor al, cl |
inc edx |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add dword ptr [eax], eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add al, 00h |
add byte ptr [eax], al |
inc edx |
jnc 00007F98A8D95A3Eh |
jns 00007F98A8D95A46h |
je 00007F98A8D95A37h |
insb |
jnc 00007F98A8D95A37h |
jnc 00007F98A8D95A41h |
bound ebp, dword ptr [edx+65h] |
imul esi, dword ptr [ebp+72h], 73h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add bh, bh |
int3 |
xor dword ptr [eax], eax |
add eax, CFE82B41h |
inc esi |
inc ebx |
sub byte ptr [ebp-44h], al |
in al, dx |
push ecx |
hlt |
imul ecx, eax, 24h |
cld |
and dh, FFFFFF8Eh |
jmp 00007F98A8D95A36h |
fcmovnb st(0), st(1) |
inc ebx |
mov byte ptr [edx+56BAFCB5h], al |
aam 89h |
cmp cl, byte ptr [edi-53h] |
xor ebx, dword ptr [ecx-48EE309Ah] |
or al, 00h |
stosb |
add byte ptr [eax-2Dh], ah |
xchg eax, ebx |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
inc eax |
add dword ptr [eax], eax |
add byte ptr [eax+eax+00h], dl |
add byte ptr [eax], al |
adc al, 00h |
push ebx |
insb |
popad |
je 00007F98A8D95A38h |
imul esi, dword ptr [esi+67h], 73h |
insd |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14d54 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x8e4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x104 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x141f0 | 0x15000 | False | 0.50043015253 | data | 6.21499607809 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x16000 | 0x205c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x19000 | 0x8e4 | 0x1000 | False | 0.169921875 | data | 1.92865182643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x197b4 | 0x130 | data | | |
RT_ICON | 0x194cc | 0x2e8 | data | | |
RT_ICON | 0x193a4 | 0x128 | GLS_BINARY_LSB_FIRST | | |
RT_GROUP_ICON | 0x19374 | 0x30 | data | | |
RT_VERSION | 0x19150 | 0x224 | data | Chinese | Taiwan |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0404 0x04b0 |
InternalName | VOLDFRELSERS |
FileVersion | 1.00 |
CompanyName | Seismic |
ProductName | Barkerne8 |
ProductVersion | 1.00 |
OriginalFilename | VOLDFRELSERS.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | Taiwan | |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
09/27/21-12:54:11.229766 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
09/27/21-12:54:15.667402 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54150 | 1.1.1.1 | 192.168.11.20 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2021 12:54:11.211550951 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.229293108 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.229574919 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.229765892 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.300846100 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.300967932 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.301052094 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.301079035 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.301104069 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.301424026 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.318528891 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.318638086 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.318690062 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.318840027 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.318875074 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.318901062 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.318952084 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.319000006 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.319046021 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.319233894 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.336420059 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.336574078 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.336679935 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.336698055 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.336751938 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.336813927 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.336863995 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.336921930 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.336942911 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.336976051 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.337025881 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.337073088 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.337160110 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.337172985 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.337207079 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.337296009 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.337423086 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.354671955 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.354825974 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.354952097 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.354952097 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355000019 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355063915 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355142117 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355148077 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355211973 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355259895 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355303049 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355307102 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355343103 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355377913 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355453968 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355460882 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355531931 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355583906 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355616093 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355624914 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355648041 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355700016 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355741978 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355778933 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355851889 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355895996 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355902910 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355937004 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.355951071 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.355998993 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.356004000 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.356045008 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.356086969 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.356091976 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.356138945 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.356184959 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.356185913 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.356240034 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.356321096 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.356401920 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.373742104 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.373841047 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374006987 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374023914 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374058008 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374072075 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374104977 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374150991 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374193907 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374233007 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374345064 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374365091 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374392986 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374439955 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374485970 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374531984 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374531984 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374578953 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374624968 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374670029 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374680042 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374716043 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374718904 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374762058 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374785900 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374808073 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374852896 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374856949 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374903917 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374948978 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.374960899 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.374994993 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375015020 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375041962 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375087976 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375096083 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375133991 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375175953 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375180006 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375226974 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375267029 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375272989 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375319958 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375319958 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375370026 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375411034 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375449896 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375483036 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375528097 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375598907 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375621080 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375680923 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375699997 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375761032 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375781059 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375865936 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375924110 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.375952005 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.375972033 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.376034975 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.376050949 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.376120090 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.376130104 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.376199961 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.376238108 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.376281977 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.376292944 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.376342058 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.376374006 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.376390934 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.376437902 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.376446962 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.376508951 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.376543999 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.376607895 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.376697063 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.393996000 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.394205093 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.394321918 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.394380093 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.394448996 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.394525051 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.394586086 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.394604921 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.394675970 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.394725084 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.394731045 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.394773006 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.394979954 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.402370930 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.402595997 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.402683973 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.402750015 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.402750969 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.402797937 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.402848005 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.402894974 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.402940989 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.402987003 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403033018 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403079033 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403100014 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.403135061 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403212070 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403240919 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.403291941 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403321028 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.403374910 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403392076 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.403460026 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403526068 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.403546095 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403609037 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.403629065 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403685093 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403732061 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403752089 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.403778076 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403825045 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403871059 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403897047 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.403918982 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.403935909 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.403954983 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:11.404052973 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.404092073 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.404175043 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:15.672219992 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:54:15.733942032 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:54:15.734190941 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:54:15.734563112 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:54:15.835287094 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:54:15.867204905 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:54:15.870044947 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:54:15.975159883 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:54:16.802190065 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:16.802454948 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:55:10.188525915 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:55:10.190002918 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:55:10.306442976 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:56:01.144946098 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:56:01.457412004 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:56:02.066647053 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:56:03.269531012 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:56:05.675313950 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:56:10.486638069 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:56:10.537024975 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:56:10.538548946 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:56:10.641530037 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:56:20.093795061 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:57:10.909358025 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:57:10.911664009 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:57:11.007210016 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:58:11.222590923 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:58:11.224039078 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:58:11.315082073 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:59:11.541935921 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:59:11.543469906 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:59:11.635679960 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 13:00:11.864240885 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 13:00:11.865643978 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 13:00:11.970252037 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 13:01:12.182972908 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 13:01:12.184376955 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 13:01:12.282124996 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
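The session on 49807 <-> 193.104.197.28:6577 above shows the pattern behind the report's "non-standard port" signature: after the handshake at 12:54:15, the server pushes a packet roughly every 60 seconds and the client answers within a few milliseconds. The following script is an added example (not part of the Joe Sandbox report): it parses rows in the report's five-column packet layout, groups them into flows, and flags flows whose quiet-period gaps are near-constant. The sample rows are a subset copied from the TCP table; the thresholds (a 1 s minimum gap to separate bursts, at least 3 rounds, coefficient of variation at most 0.1) are assumptions, not values from the report.

```python
"""Flag periodic beaconing in Joe Sandbox-style TCP packet rows (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a subset of the report's TCP packet rows (one packet per
# side per round of the 6577 session, plus two rows of the port-80 session).
SAMPLE_ROWS = """\
Sep 27, 2021 12:54:11.337296009 CEST | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
Sep 27, 2021 12:54:11.354671955 CEST | 80 | 49806 | 178.32.63.50 | 192.168.11.20 |
Sep 27, 2021 12:54:15.672219992 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:54:15.733942032 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:54:15.734190941 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:55:10.188525915 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:55:10.190002918 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:56:10.537024975 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:56:10.538548946 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:57:10.909358025 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:57:10.911664009 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:58:11.222590923 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:58:11.224039078 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 12:59:11.541935921 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 12:59:11.543469906 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 13:00:11.864240885 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 13:00:11.865643978 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
Sep 27, 2021 13:01:12.182972908 CEST | 6577 | 49807 | 193.104.197.28 | 192.168.11.20 |
Sep 27, 2021 13:01:12.184376955 CEST | 49807 | 6577 | 192.168.11.20 | 193.104.197.28 |
"""

# The report prints nanosecond fractions, which strptime's %f cannot take,
# so the fraction is parsed separately and added back as seconds.
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) (\w+)$")
EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class Packet:
    t: float      # seconds relative to EPOCH (zone ignored; only differences matter)
    sip: str
    sport: int
    dip: str
    dport: int


def parse_ts(text: str) -> float:
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    frac = int(m.group(2)) / 10 ** len(m.group(2))
    return (base - EPOCH).total_seconds() + frac


def parse_rows(text: str) -> list:
    """Parse 'Timestamp | Source Port | Dest Port | Source IP | Dest IP |' rows."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = [c.strip() for c in line.split("|")][:5]
        packets.append(Packet(parse_ts(ts), sip, int(sport), dip, int(dport)))
    return packets


def group_flows(packets: list) -> dict:
    """Group packets by unordered endpoint pair; packets stay in time order."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.t):
        key = tuple(sorted([(p.sip, p.sport), (p.dip, p.dport)]))
        flows.setdefault(key, []).append(p)
    return flows


def beacon_stats(flow_packets: list, min_gap: float = 1.0):
    """Period and jitter of the quiet gaps (>= min_gap) between packet bursts.

    Returns None when fewer than three such gaps exist (assumed minimum).
    """
    times = sorted(p.t for p in flow_packets)
    gaps = [b - a for a, b in zip(times, times[1:]) if b - a >= min_gap]
    if len(gaps) < 3:
        return None
    period = mean(gaps)
    return {"period": period, "cv": pstdev(gaps) / period, "rounds": len(gaps)}


def find_beacons(packets: list, max_cv: float = 0.1) -> list:
    """Return (client, server, stats) for flows with near-constant cadence."""
    hits = []
    for pkts in group_flows(packets).values():
        stats = beacon_stats(pkts)
        if stats and stats["cv"] <= max_cv:
            first = pkts[0]  # the side that sent the first packet is the client
            hits.append(((first.sip, first.sport), (first.dip, first.dport), stats))
    return hits


if __name__ == "__main__":
    for client, server, stats in find_beacons(parse_rows(SAMPLE_ROWS)):
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]} "
              f"period={stats['period']:.1f}s cv={stats['cv']:.3f} rounds={stats['rounds']}")
```

Only timestamps are used, so the check works on encrypted or unknown protocols such as the one on port 6577. The first gap (handshake to first round, about 54 s) is shorter than the rest and still passes because the spread over seven rounds is small; on a longer capture a tighter `max_cv` or dropping the first gap would be reasonable. The port-80 session in the sample is not flagged: it has no gap of a second or more.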
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2021 12:53:18.719424009 CEST | 58185 | 53 | 192.168.11.20 | 1.1.1.1 |
Sep 27, 2021 12:53:18.728887081 CEST | 53 | 58185 | 1.1.1.1 | 192.168.11.20 |
Sep 27, 2021 12:53:18.894464016 CEST | 62287 | 53 | 192.168.11.20 | 1.1.1.1 |
Sep 27, 2021 12:53:18.903879881 CEST | 53 | 62287 | 1.1.1.1 | 192.168.11.20 |
Sep 27, 2021 12:54:07.946261883 CEST | 62957 | 53 | 192.168.11.20 | 1.1.1.1 |
Sep 27, 2021 12:54:07.954547882 CEST | 53 | 62957 | 1.1.1.1 | 192.168.11.20 |
Sep 27, 2021 12:54:09.241504908 CEST | 49676 | 53 | 192.168.11.20 | 1.1.1.1 |
Sep 27, 2021 12:54:09.249978065 CEST | 53 | 49676 | 1.1.1.1 | 192.168.11.20 |
Sep 27, 2021 12:54:15.565355062 CEST | 54150 | 53 | 192.168.11.20 | 1.1.1.1 |
Sep 27, 2021 12:54:15.667402029 CEST | 53 | 54150 | 1.1.1.1 | 192.168.11.20 |
Sep 27, 2021 12:54:19.062755108 CEST | 62465 | 53 | 192.168.11.20 | 1.1.1.1 |
Sep 27, 2021 12:54:19.071634054 CEST | 53 | 62465 | 1.1.1.1 | 192.168.11.20 |
Sep 27, 2021 12:54:42.318491936 CEST | 64086 | 53 | 192.168.11.20 | 1.1.1.1 |
Sep 27, 2021 12:54:42.328056097 CEST | 53 | 64086 | 1.1.1.1 | 192.168.11.20 |
Sep 27, 2021 12:54:42.489351034 CEST | 59044 | 53 | 192.168.11.20 | 1.1.1.1 |
Sep 27, 2021 12:54:42.498477936 CEST | 53 | 59044 | 1.1.1.1 | 192.168.11.20 |
Sep 27, 2021 13:00:19.081100941 CEST | 65106 | 53 | 192.168.11.20 | 1.1.1.1 |
Sep 27, 2021 13:00:19.089767933 CEST | 53 | 65106 | 1.1.1.1 | 192.168.11.20 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 27, 2021 12:54:15.565355062 CEST | 192.168.11.20 | 1.1.1.1 | 0x387d | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 27, 2021 12:54:15.667402029 CEST | 1.1.1.1 | 192.168.11.20 | 0x387d | No error (0) | | | 193.104.197.28 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49806 | 178.32.63.50 | 80 | C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2021 12:54:11.229765892 CEST | 127 | OUT | |
Sep 27, 2021 12:54:11.300846100 CEST | 128 | IN |