Windows Analysis Report 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Overview
General Information
Detection
AZORult
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Detected AZORult Info Stealer
Yara detected Azorult Info Stealer
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
IP address seen in connection with other malware
Abnormal high CPU Usage
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Azorult |
---|
{"C2 url": "http://admin.svapofit.com/azs/index.php"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security | ||
JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security | ||
Azorult_1 | Azorult Payload | kevoreilly |
| |
JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security | ||
JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security | ||
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security | ||
JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security | ||
Azorult_1 | Azorult Payload | kevoreilly |
| |
JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security | ||
JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security | ||
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample | Show sources |
Source: | Avira: |
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Antivirus detection for URL or domain | Show sources |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Multi AV Scanner detection for domain / URL | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: |
C2 URLs / IPs found in malware configuration | Show sources |
Source: | URLs: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | Code function: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | Binary or memory string: |
System Summary: |
---|
Malicious sample detected (through community Yara rule) | Show sources |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Process Stats: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Key value queried: |
Source: | Mutant created: |
Source: | Classification label: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Data Obfuscation: |
---|
Detected unpacking (changes PE section rights) | Show sources |
Source: | Unpacked PE file: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Malware Analysis System Evasion: |
---|
Tries to detect virtualization through RDTSC time measurements | Show sources |
Source: | RDTSC instruction interceptor: | ||
Source: | RDTSC instruction interceptor: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Key value queried: |
Source: | Code function: |
Source: | Code function: |
Stealing of Sensitive Information: |
---|
Yara detected Azorult | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Detected AZORult Info Stealer | Show sources |
Source: | Code function: | ||
Source: | Code function: |
Yara detected Azorult Info Stealer | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Found many strings related to Crypto-Wallets (likely being stolen) | Show sources |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Native API1 | Application Shimming1 | Application Shimming1 | Deobfuscate/Decode Files or Information1 | Input Capture1 | Security Software Discovery11 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information2 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing1 | Security Account Manager | System Owner/User Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol113 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
69% | Virustotal | Browse | ||
75% | ReversingLabs | Win32.Infostealer.Coins | ||
100% | Avira | HEUR/AGEN.1125422 | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1108767 | Download File | ||
100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
100% | Avira | HEUR/AGEN.1125422 | Download File |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
9% | Virustotal | Browse | ||
8% | Virustotal | Browse | ||
9% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | phishing | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
admin.svapofit.com | 63.141.242.43 | true | true | | unknown |
survey-smiles.com | 5.79.68.108 | true | false | | unknown |
12065.BODIS.com | 199.59.242.153 | true | false | | high |
ww1.survey-smiles.com | unknown | unknown | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false |
| unknown | |
true |
| unknown | |
true |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
true |
| unknown | ||
true |
| unknown | ||
false |
| low | ||
true |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
true |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
true |
| unknown | ||
true |
| unknown | ||
true |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
5.79.68.108 | survey-smiles.com | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | false | |
199.59.242.153 | 12065.BODIS.com | United States | 395082 | BODIS-NJUS | false | |
63.141.242.43 | admin.svapofit.com | United States | 33387 | NOCIXUS | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 491841 |
Start date: | 28.09.2021 |
Start time: | 00:48:25 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 23s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@3/3 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: |
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
5.79.68.108 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
199.59.242.153 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
survey-smiles.com | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
12065.BODIS.com | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
LEASEWEB-NL-AMS-01NetherlandsNL | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
NOCIXUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
BODIS-NJUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.398979169143917 |
TrID: |
|
File name: | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
File size: | 208384 |
MD5: | 73bd76f0549cc1992d943ddfd92a9c4d |
SHA1: | 802e70b76c7c0860b3a4a257b1bc96fc3430ff01 |
SHA256: | 2f530a45e4acf58d16dad1b1e23b5b1419ba893c2f76f6625da3acb86933462f |
SHA512: | 4a524d1a552eb6d101f9ceb25c7dc608669eeca7dc99bc5ddc2b9d7d3c8f4ffd3cd8f12c3328b07d80888d6758aff970b3e6898f88c3451a058224b83007e521 |
SSDEEP: | 3072:ayzKqAOparE8YPbtMrxH5C000IS7IrfAgneF9RUQo6qHqn/PNAyv:nefOUGPbtMru00JD09RUQzqHOXN |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y..{7..{7..{7..)...{7..)...{7..)...{7.Qtj..{7..{6..y7...Y..{7...K..{7..)...{7.Rich.{7.................PE..L.....][........... |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40d563 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5B5D7FF4 [Sun Jul 29 08:51:00 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 32bb5b6675247577e2dc1b39cb495d8f |
Entrypoint Preview |
---|
Instruction |
---|
call 00007FBD948785BBh |
jmp 00007FBD9487603Dh |
nop |
nop |
push ebp |
push esp |
pop ebp |
push esi |
push dword ptr [00430D48h] |
mov esi, dword ptr [00401434h] |
call esi |
or eax, eax |
je 00007FBD948761E3h |
mov eax, dword ptr [00430D44h] |
cmp eax, FFFFFFFFh |
je 00007FBD948761D9h |
push eax |
push dword ptr [00430D48h] |
call esi |
call eax |
or eax, eax |
je 00007FBD948761CAh |
mov eax, dword ptr [eax+000001F8h] |
jmp 00007FBD948761E9h |
mov esi, 00401970h |
push esi |
call dword ptr [00401650h] |
or eax, eax |
jne 00007FBD948761CDh |
push esi |
call 00007FBD948776A5h |
pop ecx |
or eax, eax |
je 00007FBD948761DAh |
push 00401960h |
push eax |
call dword ptr [00401544h] |
or eax, eax |
je 00007FBD948761CAh |
push dword ptr [ebp+08h] |
call eax |
mov dword ptr [ebp+08h], eax |
mov eax, dword ptr [ebp+08h] |
pop esi |
pop ebp |
ret |
push 00000000h |
call 00007FBD9487614Ch |
pop ecx |
ret |
pushfd |
popfd |
push ebp |
push esp |
pop ebp |
push esi |
push dword ptr [00430D48h] |
mov esi, dword ptr [00401434h] |
call esi |
or eax, eax |
je 00007FBD948761E3h |
mov eax, dword ptr [00430D44h] |
cmp eax, FFFFFFFFh |
je 00007FBD948761D9h |
push eax |
push dword ptr [00430D48h] |
call esi |
call eax |
or eax, eax |
je 00007FBD948761CAh |
mov eax, dword ptr [eax+000001FCh] |
jmp 00007FBD948761E9h |
mov esi, 00401970h |
push esi |
call dword ptr [00001650h] |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14030 | 0xb4 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x2dc0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2aa8 | 0x40 | .text |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x930 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x161e8 | 0x16200 | False | 0.515724311441 | data | 6.44383361512 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x18000 | 0x2e57c | 0x19a00 | False | 0.732269435976 | data | 6.10591438138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x47000 | 0x2dc0 | 0x2e00 | False | 0.323029891304 | data | 4.01557616695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_DIALOG | 0x473d0 | 0x27e | data | ||
RT_DIALOG | 0x47650 | 0x5a0 | data | ||
RT_DIALOG | 0x47bf0 | 0x472 | data | ||
RT_DIALOG | 0x48068 | 0x394 | data | ||
RT_DIALOG | 0x48400 | 0x21e | data | ||
RT_DIALOG | 0x48620 | 0xe0 | data | ||
RT_DIALOG | 0x48700 | 0x234 | data | ||
RT_DIALOG | 0x48938 | 0x192 | data | ||
RT_DIALOG | 0x48ad0 | 0xe8 | data | ||
RT_DIALOG | 0x48bb8 | 0x34 | data | ||
RT_STRING | 0x48bf0 | 0xc4 | data | ||
RT_STRING | 0x48cb8 | 0xcc | data | ||
RT_STRING | 0x48d88 | 0x174 | data | ||
RT_STRING | 0x48f00 | 0x39c | data | ||
RT_STRING | 0x492a0 | 0x34c | data | ||
RT_STRING | 0x495f0 | 0x294 | data | ||
RT_VERSION | 0x49888 | 0x348 | data | ||
RT_MANIFEST | 0x49bd0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
---|
DLL | Import |
---|---|
USER32.dll | GetWindow, DialogBoxIndirectParamW, CallNextHookEx, LoadImageW, LoadIconW, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, GetForegroundWindow, GetIconInfo, DrawIconEx, SetRectEmpty, DrawFocusRect, WindowFromPoint, GetMenuDefaultItem, CreatePopupMenu, MessageBeep, GetNextDlgGroupItem, IsRectEmpty, SetRect, InvalidateRgn, CopyAcceleratorTableW, CharNextW, DestroyIcon, DeleteMenu, GetDialogBaseUnits, SystemParametersInfoW, GetMenuItemInfoW, DestroyMenu, RealChildWindowFromPoint, InflateRect, UnregisterClassW, GetSysColorBrush, KillTimer, SetTimer, WaitMessage, MapDialogRect, SetWindowContextHelpId, RegisterClipboardFormatW, ShowOwnedPopups, PostQuitMessage, TranslateMessage, MapVirtualKeyW, GetKeyNameTextW, LoadMenuW, SendDlgItemMessageA, GetActiveWindow, GetNextDlgTabItem, CreateDialogIndirectParamW, IsDialogMessageW, ScrollWindowEx, UnhookWindowsHookEx, SetWindowsHookExW, PtInRect, OffsetRect, FillRect, GetSysColor, GetCursorPos, AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, RemovePropW, SetPropW, InvalidateRect, GetUpdateRect, EndPaint, BeginPaint, GetWindowDC, SetForegroundWindow, MessageBoxA, SetActiveWindow, DrawTextW, GetMenu, IsWindowEnabled, SetCapture, IsZoomed, IsWindowVisible, SetWindowPlacement, GetWindowPlacement, SetWindowPos, DestroyWindow, CreateWindowExW, GetClassInfoExW, RegisterClassExW, RegisterClassW, CallWindowProcW, GetClassNameW, EnumWindows, MapWindowPoints, IsWindow, SendNotifyMessageW, SendMessageTimeoutW, CharLowerW, DrawIcon, GetSystemMetrics, IsIconic, LoadStringW, RegisterWindowMessageW, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, DrawStateW, DefWindowProcW, GetWindowWord, SetWindowWord, GetClientRect, LoadCursorW, GetLastActivePopup, ShowWindow, PostMessageW, SendMessageW, EnableWindow, DialogBoxParamW, SetDlgItemTextW, EndDialog, GetWindowRect, OemToCharA, GetWindowLongW, SetWindowLongW, GetKeyState, PeekMessageW, DispatchMessageW, SetCursor, GetParent, SendDlgItemMessageW, GetDlgItem, UpdateWindow, MessageBoxW, SetWindowTextW, GetDlgItemTextW, ReleaseDC, CopyImage, ScreenToClient, GetMessageW, wsprintfW, GetClassNameA, wsprintfA, SetFocus, GetDC, ClientToScreen |
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHGetFileInfoW, SHGetPathFromIDListW, SHBrowseForFolderW, ShellExecuteExW, SHGetMalloc, ShellExecuteW, SHGetFolderPathW, SHGetSpecialFolderPathW |
ole32.dll | OleUninitialize, CoCreateInstance, CoTaskMemFree, OleInitialize, CoInitialize |
ADVAPI32.dll | RegDeleteKeyW, AllocateAndInitializeSid, FreeSid, RegCloseKey, RegCreateKeyExW, RegQueryValueW, RegSetValueW, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyW, RegEnumValueW, RegEnumKeyW, RegDeleteValueW, ReportEventA, RegEnumKeyExW, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, CheckTokenMembership |
GDI32.dll | SelectClipRgn, SetDIBits, SetDIBitsToDevice, StretchDIBits, SetStretchBltMode, SetBrushOrgEx, SetICMMode, GetColorSpace, GetLogColorSpaceW, SetTextCharacterExtra, SetTextAlign, SetTextJustification, PlayMetaFileRecord, EnumMetaFile, SetWorldTransform, ModifyWorldTransform, SetColorAdjustment, StartDocW, ArcTo, PolyDraw, SelectClipPath, SetArcDirection, ExtCreatePen, MoveToEx, TextOutW, ExtTextOutW, PolyBezierTo, PolylineTo, SetViewportExtEx, SaveDC, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, PatBlt, CombineRgn, GetMapMode, SetRectRgn, DPtoLP, GetBkColor, GetRgnBox, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetDIBits, RealizePalette, CreateDIBitmap, EnumFontFamiliesW, GetTextCharsetInfo, SetPixel, StretchBlt, SetDIBColorTable, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, Rectangle, EnumFontFamiliesExW, OffsetRgn, GetCurrentObject, CreateFontW, GetCharWidthW, RoundRect, FrameRgn, PtInRegion, SetPixelV, ExtFloodFill, SetPaletteEntries, FillRgn, GetBoundsRect, GetWindowOrgEx, LPtoDP, GetViewportOrgEx, EndDoc, StartPage, EndPage, AbortDoc, SetAbortProc, GetROP2, GetBkMode, GetNearestColor, GetPolyFillMode, GetStretchBltMode, GetTextAlign, GetTextFaceW, CloseMetaFile, CreateMetaFileW, DeleteMetaFile, RestoreDC, RectVisible, PtVisible, PlayMetaFile, CreateCompatibleBitmap, SetROP2, SetPolyFillMode, GetLayout, SetLayout, SetMapMode, SetGraphicsMode, SetMapperFlags, SelectPalette, ExtSelectClipRgn, GetTextColor, GdiFlush, SetViewportOrgEx, CreateDCA, GetBitmapBits, GetObjectA, CreateDIBSection, SetTextColor, SetBkMode, GetTextExtentPoint32W, GetStockObject, GetPixel, DeleteDC, CreateSolidBrush, CreateCompatibleDC, BitBlt, AddFontResourceW, SelectObject, DeleteObject, GetObjectW, GetDeviceCaps, GetSystemPaletteEntries, CreateFontIndirectW, OffsetClipRgn, LineTo, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetObjectType, GetCurrentPositionEx, GetClipRgn, GetClipBox, ExcludeClipRect, Escape, CreatePatternBrush, CreatePen, CreateHatchBrush, CreateDIBPatternBrushPt, CreateBitmap, CreateDCW, CopyMetaFileW, GetTextMetricsW, SetBkColor, CreateRoundRectRgn, CreateRectRgn, CreateRectRgnIndirect, CreateBrushIndirect |
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
KERNEL32.dll | InitializeCriticalSectionAndSpinCount, RtlUnwind, IsDebuggerPresent, InterlockedDecrement, InterlockedIncrement, LockFile, UnlockFile, DuplicateHandle, lstrcmpiW, MoveFileW, GetStringTypeExW, GetFileAttributesExW, GetFileTime, LocalFileTimeToFileTime, SetFileTime, lstrcpyW, SetErrorMode, VerSetConditionMask, VerifyVersionInfoW, GetTempFileNameW, _lclose, _llseek, LoadLibraryW, LoadLibraryExW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetSystemDirectoryW, GetTempPathW, GetWindowsDirectoryW, RemoveDirectoryW, SetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, CopyFileA, CopyFileW, MoveFileExW, GetSystemDefaultLCID, GetUserDefaultLCID, TerminateThread, SetLastError, SetEvent, ResetEvent, GetSystemTimeAsFileTime, CreateEventW, GlobalLock, GlobalUnlock, MultiByteToWideChar, CompareStringW, GetFullPathNameW, GetShortPathNameW, GetExitCodeProcess, GetFileSizeEx, SetHandleInformation, CreatePipe, CreateProcessW, GetDiskFreeSpaceExW, GetCurrentThreadId, GetCurrentThread, GetSystemInfo, WaitForMultipleObjects, GetTickCount, WritePrivateProfileStringW, GetStringTypeW, SetThreadPriority, ResumeThread, GetSystemTime, GetLocalTime, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetVolumeInformationW, FileTimeToSystemTime, ExitProcess, lstrlenA, GlobalSize, FormatMessageW, OutputDebugStringA, EncodePointer, DecodePointer, GetVersion, GetModuleHandleA, GlobalDeleteAtom, lstrcmpW, LoadLibraryA, GlobalAddAtomW, GlobalFindAtomW, SuspendThread, lstrcmpA, CompareStringA, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, LocalReAlloc, GlobalGetAtomNameW, GetAtomNameW, GetThreadLocale, GlobalFlags, GetLocaleInfoW, GetSystemDefaultUILanguage, SetEnvironmentVariableA, GetFullPathNameA, EnumSystemLocalesW, IsValidLocale, LCMapStringW, GetTimeFormatW, GetDateFormatW, OutputDebugStringW, SetConsoleCtrlHandler, FatalAppExitA, SetCurrentDirectoryW, PeekNamedPipe, GetFileInformationByHandle, WriteConsoleW, SetFilePointerEx, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetStartupInfoW, GetStdHandle, GetFileType, SetStdHandle, VirtualQuery, VirtualAlloc, AreFileApisANSI, IsProcessorFeaturePresent, HeapQueryInformation, HeapSize, GetDriveTypeW, ExitThread, CreateThread, ReadConsoleW, GetProcessHeap, HeapAlloc, GetConsoleMode, GetConsoleCP, FindNextFileA, HeapReAlloc, HeapFree, RaiseException, LocalUnlock, LocalLock, GetDiskFreeSpaceW, GetUserDefaultUILanguage, SearchPathW, GetProfileIntW, _lwrite, _lread, OpenFile, lstrlenW, GetProcAddress, GetExitCodeThread, FindResourceExA, GlobalMemoryStatusEx, SetThreadLocale, GetQueuedCompletionStatus, CreateIoCompletionPort, SetProcessWorkingSetSize, IsBadReadPtr, SetEnvironmentVariableW, lstrcpynA, lstrcpyA, lstrcatW, lstrcmpiA, lstrcpynW, CompareFileTime, HeapCreate, GetStartupInfoA, SetHandleCount, GetCommandLineA, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, VirtualFree, GetLocaleInfoA, GetStringTypeA, GetConsoleOutputCP, WriteConsoleA, CreateFileA, DosDateTimeToFileTime, LCMapStringA, VirtualProtect, SetConsoleMode, ReadConsoleInputA, PeekConsoleInputA, GlobalMemoryStatus, GetVersionExA, FindFirstFileA, HeapDestroy, GetCurrentDirectoryW, FileTimeToLocalFileTime, FlushFileBuffers, LockResource, LoadResource, SizeofResource, FindResourceW, CloseHandle, MulDiv, CreateSemaphoreW, OpenSemaphoreW, GetModuleFileNameW, GetFileAttributesW, GetLastError, Sleep, GetCommandLineW, GetVersionExW, GetSystemDefaultLangID, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FreeResource, GetFileSize, WriteFile, ReadFile, SetEndOfFile, SetFilePointer, GetModuleHandleW, GetPrivateProfileIntW, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, CreateDirectoryW, CreateFileW, WideCharToMultiByte, FindResourceExW, LocalAlloc, LocalFree, FreeLibrary, GlobalAlloc, GlobalFree, OpenProcess, GetCurrentProcess, GetCurrentProcessId, TerminateProcess, WaitForSingleObject, FindClose |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Blood Accepting Center Donate |
FileVersion | 6.4.0.0 |
CompanyName | Blood Accepting Center Donate |
Comments | Blood Accepting Center Donate |
ProductName | Blood Accepting Center Donate |
ProductVersion | 6.4.0.0 |
FileDescription | Blood Accepting Center Donate |
Translation | 0x0000 0x04b0 |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
09/28/21-00:51:21.739100 | TCP | 2029465 | ET TROJAN Win32/AZORult V3.2 Client Checkin M15 | 49862 | 80 | 192.168.2.3 | 63.141.242.43 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 28, 2021 00:51:21.601078987 CEST | 49862 | 80 | 192.168.2.3 | 63.141.242.43 |
Sep 28, 2021 00:51:21.738073111 CEST | 80 | 49862 | 63.141.242.43 | 192.168.2.3 |
Sep 28, 2021 00:51:21.738209009 CEST | 49862 | 80 | 192.168.2.3 | 63.141.242.43 |
Sep 28, 2021 00:51:21.739099979 CEST | 49862 | 80 | 192.168.2.3 | 63.141.242.43 |
Sep 28, 2021 00:51:21.874546051 CEST | 80 | 49862 | 63.141.242.43 | 192.168.2.3 |
Sep 28, 2021 00:51:21.887695074 CEST | 80 | 49862 | 63.141.242.43 | 192.168.2.3 |
Sep 28, 2021 00:51:21.887880087 CEST | 49862 | 80 | 192.168.2.3 | 63.141.242.43 |
Sep 28, 2021 00:51:21.887952089 CEST | 80 | 49862 | 63.141.242.43 | 192.168.2.3 |
Sep 28, 2021 00:51:21.888048887 CEST | 49862 | 80 | 192.168.2.3 | 63.141.242.43 |
Sep 28, 2021 00:51:21.912318945 CEST | 49862 | 80 | 192.168.2.3 | 63.141.242.43 |
Sep 28, 2021 00:51:21.947171926 CEST | 49863 | 80 | 192.168.2.3 | 5.79.68.108 |
Sep 28, 2021 00:51:21.972378016 CEST | 80 | 49863 | 5.79.68.108 | 192.168.2.3 |
Sep 28, 2021 00:51:21.972542048 CEST | 49863 | 80 | 192.168.2.3 | 5.79.68.108 |
Sep 28, 2021 00:51:21.973798990 CEST | 49863 | 80 | 192.168.2.3 | 5.79.68.108 |
Sep 28, 2021 00:51:21.998682022 CEST | 80 | 49863 | 5.79.68.108 | 192.168.2.3 |
Sep 28, 2021 00:51:22.030646086 CEST | 80 | 49863 | 5.79.68.108 | 192.168.2.3 |
Sep 28, 2021 00:51:22.030772924 CEST | 49863 | 80 | 192.168.2.3 | 5.79.68.108 |
Sep 28, 2021 00:51:22.030849934 CEST | 80 | 49863 | 5.79.68.108 | 192.168.2.3 |
Sep 28, 2021 00:51:22.030930042 CEST | 49863 | 80 | 192.168.2.3 | 5.79.68.108 |
Sep 28, 2021 00:51:22.034970999 CEST | 49863 | 80 | 192.168.2.3 | 5.79.68.108 |
Sep 28, 2021 00:51:22.053751945 CEST | 80 | 49862 | 63.141.242.43 | 192.168.2.3 |
Sep 28, 2021 00:51:22.060743093 CEST | 80 | 49863 | 5.79.68.108 | 192.168.2.3 |
Sep 28, 2021 00:51:22.065116882 CEST | 49864 | 80 | 192.168.2.3 | 199.59.242.153 |
Sep 28, 2021 00:51:22.165390015 CEST | 80 | 49864 | 199.59.242.153 | 192.168.2.3 |
Sep 28, 2021 00:51:22.165517092 CEST | 49864 | 80 | 192.168.2.3 | 199.59.242.153 |
Sep 28, 2021 00:51:22.166258097 CEST | 49864 | 80 | 192.168.2.3 | 199.59.242.153 |
Sep 28, 2021 00:51:22.269443989 CEST | 80 | 49864 | 199.59.242.153 | 192.168.2.3 |
Sep 28, 2021 00:51:22.269495964 CEST | 80 | 49864 | 199.59.242.153 | 192.168.2.3 |
Sep 28, 2021 00:51:22.269531965 CEST | 80 | 49864 | 199.59.242.153 | 192.168.2.3 |
Sep 28, 2021 00:51:22.269548893 CEST | 80 | 49864 | 199.59.242.153 | 192.168.2.3 |
Sep 28, 2021 00:51:22.269675970 CEST | 49864 | 80 | 192.168.2.3 | 199.59.242.153 |
Sep 28, 2021 00:51:22.624212980 CEST | 49864 | 80 | 192.168.2.3 | 199.59.242.153 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 28, 2021 00:49:13.195946932 CEST | 57875 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:49:13.217205048 CEST | 53 | 57875 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:49:38.690270901 CEST | 54154 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:49:38.717736006 CEST | 53 | 54154 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:49:59.441868067 CEST | 52806 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:49:59.475826025 CEST | 53 | 52806 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:00.595307112 CEST | 53910 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:00.643851995 CEST | 53 | 53910 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:01.142472982 CEST | 64021 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:01.178021908 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:01.506490946 CEST | 60784 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:01.523854971 CEST | 53 | 60784 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:01.960875988 CEST | 51143 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:01.986246109 CEST | 53 | 51143 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:02.680742979 CEST | 56009 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:02.702230930 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:02.824556112 CEST | 59026 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:02.860742092 CEST | 53 | 59026 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:03.319825888 CEST | 49572 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:03.340208054 CEST | 53 | 49572 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:04.165034056 CEST | 60823 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:04.202244997 CEST | 53 | 60823 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:05.208450079 CEST | 52130 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:05.228010893 CEST | 53 | 52130 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:05.770684958 CEST | 55102 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:05.790070057 CEST | 53 | 55102 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:07.334913015 CEST | 56236 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:07.353903055 CEST | 53 | 56236 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:07.428095102 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:07.450180054 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:07.740792990 CEST | 49559 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:07.759613991 CEST | 53 | 49559 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:08.511379957 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:08.531145096 CEST | 53 | 52650 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:17.272458076 CEST | 63297 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:17.290194988 CEST | 53 | 63297 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:20.041127920 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:20.062921047 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:35.589652061 CEST | 53615 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:35.610187054 CEST | 53 | 53615 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:45.434261084 CEST | 50728 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:45.464673996 CEST | 53 | 50728 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:50:47.098167896 CEST | 53777 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:50:47.127352953 CEST | 53 | 53777 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:51:01.078258038 CEST | 57106 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:51:01.116170883 CEST | 53 | 57106 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:51:09.692076921 CEST | 60352 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:51:09.719302893 CEST | 53 | 60352 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:51:21.565736055 CEST | 56773 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:51:21.585149050 CEST | 53 | 56773 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:51:21.925509930 CEST | 60982 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:51:21.944746017 CEST | 53 | 60982 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:51:22.043229103 CEST | 58058 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:51:22.062781096 CEST | 53 | 58058 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:51:29.277057886 CEST | 64367 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:51:29.298317909 CEST | 53 | 64367 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:51:42.556973934 CEST | 51539 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:51:42.585114956 CEST | 53 | 51539 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:51:58.267992020 CEST | 55393 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:51:58.295708895 CEST | 53 | 55393 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:52:09.014669895 CEST | 50585 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:52:09.045800924 CEST | 53 | 50585 | 8.8.8.8 | 192.168.2.3 |
Sep 28, 2021 00:52:37.089941025 CEST | 63456 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 28, 2021 00:52:37.110119104 CEST | 53 | 63456 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 28, 2021 00:51:21.565736055 CEST | 192.168.2.3 | 8.8.8.8 | 0xfa02 | Standard query (0) | | A (IP address) | IN (0x0001) |
Sep 28, 2021 00:51:21.925509930 CEST | 192.168.2.3 | 8.8.8.8 | 0x442 | Standard query (0) | | A (IP address) | IN (0x0001) |
Sep 28, 2021 00:51:22.043229103 CEST | 192.168.2.3 | 8.8.8.8 | 0x1066 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 28, 2021 00:51:21.585149050 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa02 | No error (0) | | | 63.141.242.43 | A (IP address) | IN (0x0001) |
Sep 28, 2021 00:51:21.944746017 CEST | 8.8.8.8 | 192.168.2.3 | 0x442 | No error (0) | | | 5.79.68.108 | A (IP address) | IN (0x0001) |
Sep 28, 2021 00:51:22.062781096 CEST | 8.8.8.8 | 192.168.2.3 | 0x1066 | No error (0) | | 12065.BODIS.com | | CNAME (Canonical name) | IN (0x0001) |
Sep 28, 2021 00:51:22.062781096 CEST | 8.8.8.8 | 192.168.2.3 | 0x1066 | No error (0) | | | 199.59.242.153 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49862 | 63.141.242.43 | 80 | C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Sep 28, 2021 00:51:21.739099979 CEST | 5919 | OUT | |
Sep 28, 2021 00:51:21.887695074 CEST | 5919 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49863 | 5.79.68.108 | 80 | C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Sep 28, 2021 00:51:21.973798990 CEST | 5920 | OUT | |
Sep 28, 2021 00:51:22.030646086 CEST | 5920 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.3 | 49864 | 199.59.242.153 | 80 | C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Sep 28, 2021 00:51:22.166258097 CEST | 5921 | OUT | |
Sep 28, 2021 00:51:22.269495964 CEST | 5923 | IN | |