Windows Analysis Report uT9rwkGATJ.dll
Overview
General Information
Detection
| Field | Value |
|---|---|
| Score | 100 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Malware Configuration
Threatname: Ursnif
```json
{
  "RSA Public Key": "Wa0ptOHdbeWyaLju6Av14Mh7FDVECzYw3M++OWU/cFwf0ZjLctG17DYP/MFVk/hMExgeVHSsuIoKkcbpz57JUku89Z6sGfWSZvCVyvpfi1ZpEwDNNeNw5k5dpgwB3LsIS45sMaK472UpYahrOWaY66CWVjJyKzpo2y/tq1ZiFHe/iFygPyws634yVgV7rQhjAPiNPuq0SMLwHnadf5iTBRPHNZOfo4EV1JOy+KK7FD2JiBwbgL2xH8mvgvUrMN0gphdmog43p4QO6+T4499NqSdjKKJutU5bxT8XtJKvzMrbRLkRwTKw+5msPiKoZk2Mmt6I5yjyUlMUijuRPmFH+uUAMGA+NmgwHR/EoB9vyak=",
  "c2_domain": ["outlook.com", "zereunrtol.website", "xereunrtol.website"],
  "botnet": "2525",
  "server": "12",
  "serpent_key": "10218409ILPAQDIR",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}
```
Yara Overview
Memory Dumps (29 entries)
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Unpacked PEs (15 entries)
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Sigma Overview
System Summary:
- Sigma detected: Encoded IEX (author: Florian Roth)
- Sigma detected: MSHTA Spawning Windows Shell (author: Michael Haag)
- Sigma detected: Mshta Spawning Windows Shell (author: Florian Roth)
- Sigma detected: Suspicious Csc.exe Source File Folder (author: Florian Roth)
- Sigma detected: Suspicious Rundll32 Activity (authors: juju4, Jonhnathan Ribeiro, oscd.community)
- Sigma detected: Non Interactive PowerShell (authors: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements))
- Sigma detected: T1086 PowerShell Execution (authors: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research))
Data Obfuscation:
- Sigma detected: Powershell run code from registry (author: Joe Security)
Jbx Signature Overview
AV Detection:
- Found malware configuration (source: Malware Configuration Extractor)
- Machine Learning detection for sample (source: Joe Sandbox ML)
- Evidence rows without a signature title, grouped as in the report: Static PE information (×1); HTTPS traffic detected (×12); Static PE information (×1); Binary string (×6); Code function (×6); Code function (×1)
Networking:
- System process connects to network (likely due to code injection or exploit) (evidence: Network Connect ×4, Domain query ×5)
- Uses ping.exe to check the status of other devices and networks (evidence: Process created ×1)
- Evidence rows without a signature title, grouped as in the report: HTTP traffic detected (×12); Network traffic detected (×24); HTTP traffic detected (×2); String found in binary or memory (×13); DNS traffic detected (×1); HTTP traffic detected (×12); HTTPS traffic detected (×12)
Key, Mouse, Clipboard, Microphone and Screen Capturing:
- Yara detected Ursnif (evidence: File source ×54)
E-Banking Fraud:
- Yara detected Ursnif (evidence: File source ×54)
- Disables SPDY (HTTP compression, likely to perform web injects) (evidence: Registry key value created / modified ×1)
System Summary:
- Writes or reads registry keys via WMI (evidence: WMI Queries ×11)
- Writes registry values via WMI (evidence: WMI Registry write ×16)
- Evidence rows without a signature title, grouped as in the report: Static PE information (×1); Code function (×30); Code function (×40); Static PE information (×4); Key opened (×2); Section loaded (×1); Static PE information (×1); Key opened (×1); Process created (×54); Key value queried (×1); File created (×2); Classification label (×1); File read (×1); Section loaded (×14); Code function (×1); Process created (×1); Mutant created (×8); File read (×4); Key opened (×1); Automated click (×3); Window detected (×1); File opened (×1); Static PE information (×6); Static PE information (×1); Static PE information (×1); Binary string (×6); Static PE information (×5)
Data Obfuscation:
- Suspicious powershell command line found (evidence: Process created ×4)
- Evidence rows without a signature title, grouped as in the report: Code function (×14); Code function (×1); Static PE information (×5); Process created (×8); File created, dropped file (×4)
Hooking and other Techniques for Hiding and Protection:
- Yara detected Ursnif (evidence: File source ×54)
- Hooks registry keys query functions (used to hide registry keys) (evidence: IAT, EAT, inline or SSDT hook detected ×1)
- Modifies the prolog of user mode functions (user mode inline hooks) (evidence: User mode code has changed ×1)
- Self deletion via cmd delete (evidence: Process created ×4)
- Modifies the export address table of user mode modules (user mode EAT hooks) (evidence: IAT of a user mode module has changed ×1)
- Modifies the import address table of user mode modules (user mode IAT hooks) (evidence: EAT of a user mode module has changed ×1)
- Evidence rows without a signature title: Process information set (×250)
Malware Analysis System Evasion: |
---|
Uses ping.exe to sleep | Show sources |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Dropped PE file which has not been started: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Process information queried: |
Source: | Code function: |
Source: | Thread delayed: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Network Connect: |
Source: | Domain query: |
Maps a DLL or memory area into another process |
Source: | Section loaded: |
Writes to foreign memory regions |
Source: | Memory written: |
Changes memory attributes in foreign processes to executable or writable |
Source: | Memory protected: |
Allocates memory in foreign processes |
Source: | Memory allocated: |
Injects code into the Windows Explorer (explorer.exe) |
Source: | Memory written: |
Modifies the context of a thread in another process (thread injection) |
Source: | Thread register set: |
Creates a thread in another existing process (thread injection) |
Source: | Thread created: |
Source: | Process created: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Source: | Code function: |
Source: | Key value queried: |
Source: | Code function: |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation2 | DLL Side-Loading1 | DLL Side-Loading1 | Obfuscated Files or Information1 | Credential API Hooking3 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Process Injection813 | DLL Side-Loading1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Email Collection1 | Exfiltration Over Bluetooth | Encrypted Channel11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Command and Scripting Interpreter1 | Logon Script (Windows) | Logon Script (Windows) | File Deletion1 | Security Account Manager | File and Directory Discovery3 | SMB/Windows Admin Shares | Credential API Hooking3 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | PowerShell1 | Logon Script (Mac) | Logon Script (Mac) | Rootkit4 | NTDS | System Information Discovery25 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Security Software Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion21 | Cached Domain Credentials | Virtualization/Sandbox Evasion21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection813 | DCSync | Process Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | ||
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Network Configuration Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1108168 | Download File | ||
100% | Avira | HEUR/AGEN.1108168 | Download File | ||
100% | Avira | HEUR/AGEN.1108168 | Download File |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
outlook.com | 40.97.156.114 | true | false | high | |
HHN-efz.ms-acdc.office.com | 52.97.151.18 | true | false | high | |
FRA-efz.ms-acdc.office.com | 52.98.208.114 | true | false | high | |
xereunrtol.website | 193.29.104.83 | true | false | high | |
www.outlook.com | unknown | unknown | false | high | |
zereunrtol.website | unknown | unknown | false | high | |
outlook.office365.com | unknown | unknown | false | high |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | | unknown |
true | | unknown |
false | high | ||
false | high | ||
true | | unknown |
false | high | ||
false | high | ||
true | | unknown |
false | high | ||
true | | unknown |
false | high |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | low | ||
false | high | |||
false | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
40.97.156.114 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
52.97.178.98 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true | |
193.29.104.83 | xereunrtol.website | Romania | 9009 | M247GB | false | |
52.97.151.18 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
40.97.160.2 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true | |
40.101.9.178 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true | |
52.98.208.114 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Private |
---|
IP |
---|
192.168.2.1 |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 499264 |
Start date: | 08.10.2021 |
Start time: | 06:42:36 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 15m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | uT9rwkGATJ.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 48 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.bank.troj.evad.winDLL@54/38@14/8 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
06:45:09 | API Interceptor | |
06:45:14 | API Interceptor | |
06:46:19 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
outlook.com | | | malicious | | |
ASN |
---|
No context |
---|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11606 |
Entropy (8bit): | 4.883977562702998 |
Encrypted: | false |
SSDEEP: | 192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr |
MD5: | 1F1446CE05A385817C3EF20CBD8B6E6A |
SHA1: | 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D |
SHA-256: | 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE |
SHA-512: | 252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 0.9260988789684415 |
Encrypted: | false |
SSDEEP: | 3:Nlllulb/lj:NllUb/l |
MD5: | 13AF6BE1CB30E2FB779EA728EE0A6D67 |
SHA1: | F33581AC2C60B1F02C978D14DC220DCE57CC9562 |
SHA-256: | 168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F |
SHA-512: | 1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.0940225424877514 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryZuak7Ynqq6vPN5Dlq5J:+RI+ycuZhNjuakS6vPNnqX |
MD5: | 5E54597013E64C33C8BFB30E0F312D5B |
SHA1: | A15A7BB374BA4B520E406DF2C5E9E4A888707FC4 |
SHA-256: | 3765016012262EEAFE2A1A9D362FAC604A8CAC6D816C4AFA039B8F5510175461 |
SHA-512: | A469B1BE8D588B224433E04D067CC740BE971F293FC1B0A74C2C9F511602C6409B63476BB94B98314265093309CA5F3AB7127E6AA4EF3CD8798E96F61E86A083 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.087002864921187 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryagCM/qak7YnqqvgCM/bPN5Dlq5J:+RI+ycuZhN8HM/qakSvHM/bPNnqX |
MD5: | 0715FC9E2573623F149A5EE75C23C19B |
SHA1: | 2CB92F2B64924BB21D69453A6017780D1F016230 |
SHA-256: | 996161F8FFE0C987715BFBA1A7CB32C4B36800CE92A97CC24BF1797720D827AA |
SHA-512: | 09F78A6A99B359A78FC673E12A2FED9C99D1CE7ACC0FCE909FC98A5F578153ABB29BA9510BF20DD20C6B6EB3BE011CE17C9CCE2662A91C7B7C057697906B4696 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.088300623958703 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygYfGak7YnqqhYfXPN5Dlq5J:+RI+ycuZhNuY+akShYfPNnqX |
MD5: | 45ACEB27BF09B9A372DF76C41EA25CBC |
SHA1: | A5F6283D5F24B18AF5F4206A57A442688BCFA221 |
SHA-256: | BB5D61468F93620A5CA74F3CAD2B6B935CFB41E627AC05505BF5BFD18DDD23EC |
SHA-512: | 5EE60D2C82347F5761DACE5C8B13919D8D18F57539C2D42C211D91E21AE5F95CB586D22E94C2978CE83C41970714800F68B6E12019A0B6B4D6B4075838F9DBF9 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.1159679552735917 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyak7YnqqgPN5Dlq5J:+RI+ycuZhNUakSgPNnqX |
MD5: | B6F8FAC514A8F5183DB815BD950B9D1F |
SHA1: | 9C5CEE4507522F07CB4BDE73F8DA9AF0418573F7 |
SHA-256: | 3D4151340E53DE7F388B865E8A54A8D9574D29C30C776ED7A345E691A60C6838 |
SHA-512: | E50EE4A00FB61B00D3A7EA58F550CAB0BCC6066B38781974586B485DB1FB940A468B3FA2A59503AAD90FC863884E9BB1524CDDCDC9CCB657A972109CCC0690DD |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2176 |
Entropy (8bit): | 2.6912424772889194 |
Encrypted: | false |
SSDEEP: | 24:43bTkhHNFhKdNNI+ycuZhNjuakS6vPNnq9hgpUnW9s:43ngdKd31uljua36tq9Z5 |
MD5: | B38B49F3A10F7649430F13A4283FAE5F |
SHA1: | 3EE4FB0BAD3FB1643752BAF1C6B1A425DFBC8EE8 |
SHA-256: | 1F1E88E61F746EAF0AF0B432B619ACE9F1AE1991A74D8D0675C946B005AD98EE |
SHA-512: | 4580B5BCB69EC48797925D171C6EE8106C7722F837280D010F6DBFD34193FDB8E2BF3140AC74E06A7E3795FDD146CDD20A81094EC9EC6798A624CD4A45F75DF6 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2176 |
Entropy (8bit): | 2.6914814281046717 |
Encrypted: | false |
SSDEEP: | 24:43LghHEhKdNNI+ycuZhN8HM/qakSvHM/bPNnq9hgpGnW9s:43L82Kd31uleMia3vMJq9j5 |
MD5: | DC6B839F34BBA6D3CB05082BB9F87D49 |
SHA1: | 26A506559EFEE4F82ECF9E17ADC9118433F3363D |
SHA-256: | 1E3CA6ECAA1C7ECC75DEF865367AF0CB1C8C2A3086E14E09EDBE716C6BE9859D |
SHA-512: | 6D56FDA4A24300A016A039D006EDB39ADEF3DD286D20F4B7DEDBA1D761935A4C843C5D42431C6E0867B5CC5FAA913BE51112712E523910A8B6FBD1A40F02B7ED |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2176 |
Entropy (8bit): | 2.71260515918407 |
Encrypted: | false |
SSDEEP: | 24:jAy9ZhHXQhKdNNI+ycuZhNUakSgPNnq9hgpNnW9s:jAIiKd31ulUa34q9i5 |
MD5: | 10BE416BDF4B44C72317119FC15E943B |
SHA1: | 219915B9631AE2493E7C87CE7BFFD2B85793D9AB |
SHA-256: | FCC50836A5C55FB1A052AA25E56A75AF065A056DBA700F6FE8FD81CFFCE2C6AD |
SHA-512: | CD98E69BDB55C2FE5C40FBEB7C6A0003776096463F8762EC93BFE2D5EDAED17B88FEA47DB33CA1F7BCC4B17FC158F73202B911814F0651B50E4501E43B0B4F02 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2176 |
Entropy (8bit): | 2.6881321375655713 |
Encrypted: | false |
SSDEEP: | 24:jiCvhHEhhKdNNI+ycuZhNuY+akShYfPNnq9hgpRnW9s:jdpkvKd31ult+a3q9q9+5 |
MD5: | 3B53B806CC04C1B8A2A5209336D02D18 |
SHA1: | E31FF9610D2E472330F330792EC99A5FF8DAA6C6 |
SHA-256: | 0EC24924884C9D3DA340E5F26F6D16876A632A7A27C26EE8F92F52690BB3A377 |
SHA-512: | 9E07B4871C941C90D9758F5D0D987BB543DEA42313AFF23F77D76EE34639ADC74C77095EFC77CC233967297D9301E0967DC6B96548F605121E9FE4FC6682C3A6 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 405 |
Entropy (8bit): | 4.989686390677173 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJZMRSRa+eNMjSSRrIdOLaSRHq1rywQeNVaMny:V/DTLDfuP9eg5rIglurywhNUMny |
MD5: | 5210AC8610DA2A55F963FF2C951D0DC3 |
SHA1: | A4F391F9661A57D4A40896F31158BB5E445B4269 |
SHA-256: | 53CE49B3F1728B3ABDCE3ECEBC468947EC3C89460B721456CD7BFD297888F877 |
SHA-512: | 9B02B21D978580967C6812DF158124973A6D1A147EFD2CF842F421FD1A44D8525DFD38270C1F500F7010436F41FC1771C983A59C3C3FFBAA18ED8B072DB18870 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 351 |
Entropy (8bit): | 5.224886261087632 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23flVUzxs7+AEszIWXp+N23flP:p37Lvkmb6KH9qWZE89P |
MD5: | 704312AA80E7E080EFE947DB843E3C91 |
SHA1: | 1B2258967D5728A67A8171DB6FBB7A33C3D6BD8D |
SHA-256: | 7B76F9EDD919A4F5F405A47347635685736FECBB35ACF9C08DE86434BBE8C675 |
SHA-512: | DCA51BA33C8ACD6FEF4E6E7F5D742A19D9E4C7DA42102533E1175A4834780900490A1593BF520FB5CD86069F5C2D8F4A153776471F1BBB0AAD91F201024493F2 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.6114615630922198 |
Encrypted: | false |
SSDEEP: | 24:etGSz8+mEej8MTHtmCFxcdWptkZf+lBm0hEdI+ycuZhNuY+akShYfPNnq:6xLjMTwCFxuWkJ446Ed1ult+a3q9q |
MD5: | 0447C5B78E665D1A2761B0469D0D1E62 |
SHA1: | 29EA6B23A4FA3F7132D75162C50A080D1C57E835 |
SHA-256: | B2A76D43F563B84066B554A64CAC6CCB0A065CCE55C5563F4945534042DCAFA5 |
SHA-512: | CAEB0D48B51F0F241097B934B027408C53D4A9CDBC6788F21B4110B28FB7A635DD3C75D7CB628D64FD40533A49496DBC00A9F84BCA50A319AA111EFC805F916B |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | modified |
Size (bytes): | 412 |
Entropy (8bit): | 4.871364761010112 |
Encrypted: | false |
SSDEEP: | 12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH |
MD5: | 83B3C9D9190CE2C57B83EEE13A9719DF |
SHA1: | ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E |
SHA-256: | B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA |
SHA-512: | 0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 415 |
Entropy (8bit): | 5.038565598056225 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJ0mMRSR7a18lpP6tkSRa+rVSSRnA/fl81N4IkgsOFQy:V/DTLDfuCMLh6tv9rV5nA/61N43gszy |
MD5: | 820D67D86E4D2F141C62A2F02F457875 |
SHA1: | 0F597E389BE20591567742E9333D19419947B3CD |
SHA-256: | 0DECFD511470CAB8EF7D4A45A891B8D3C8A7ABA782190C2777E2A2048F82A3CD |
SHA-512: | B05C022573C3EA6D9BC39C6E6E38DD33EC63D55F9793E6F5367E1EBA8493C33FFA28EB5989881EC82EE898F117D616FD1FE2A68E7FBF345209E8A61CBBFCCB61 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 351 |
Entropy (8bit): | 5.241901715088777 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fYTzxs7+AEszIWXp+N23fY6x:p37Lvkmb6KHgTWZE8gO |
MD5: | 69A778C5C4BA5BD5D74607FCA057A349 |
SHA1: | C40A97992D33C9F9E0A4D7FCD0F2D679C7A03CF8 |
SHA-256: | 44A5FC032575EE6A2B6A2E78B1AAC2A33E587462CF1C3AAE902423ED6930154D |
SHA-512: | 45804C00134BEC8852E78E4A9E59CBB80D4F1E667CA5D2EC24321FC0D13B13F912DBE017311BB1A79BB260A7B9D8822F9EB2FE998F0AAA2673B17BCB3C113D91 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.632611212353435 |
Encrypted: | false |
SSDEEP: | 48:6jm65J7+ikL31uu0SJguaqgX1uleMia3vMJq:r65J7yL3PAIkvKv |
MD5: | 0186F4FD170148B6038818513C1E0433 |
SHA1: | B00BE66DE2852FB11DD967F554CE2BB3031DE47B |
SHA-256: | 5F2170918D15A7A7EA12A6AFF2A7138E938C5FB80FC8D18CBC7B5B67F0446B82 |
SHA-512: | 8C97E2B4F7765112905CB26CC284CD09EC9866EBA082069EDBE9ABF17AACD9E25FC90495644CFCF8478838F549AC9A2C0C09A57860B52F9709C0B2B0E15C4B7A |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | modified |
Size (bytes): | 412 |
Entropy (8bit): | 4.871364761010112 |
Encrypted: | false |
SSDEEP: | 12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH |
MD5: | 83B3C9D9190CE2C57B83EEE13A9719DF |
SHA1: | ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E |
SHA-256: | B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA |
SHA-512: | 0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 405 |
Entropy (8bit): | 4.989686390677173 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJZMRSRa+eNMjSSRrIdOLaSRHq1rywQeNVaMny:V/DTLDfuP9eg5rIglurywhNUMny |
MD5: | 5210AC8610DA2A55F963FF2C951D0DC3 |
SHA1: | A4F391F9661A57D4A40896F31158BB5E445B4269 |
SHA-256: | 53CE49B3F1728B3ABDCE3ECEBC468947EC3C89460B721456CD7BFD297888F877 |
SHA-512: | 9B02B21D978580967C6812DF158124973A6D1A147EFD2CF842F421FD1A44D8525DFD38270C1F500F7010436F41FC1771C983A59C3C3FFBAA18ED8B072DB18870 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 351 |
Entropy (8bit): | 5.301069111144844 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fX8Vzxs7+AEszIWXp+N23fX8Qn:p37Lvkmb6KHP8VWZE8P8Q |
MD5: | 0B98006696980210E9096059C632C9B8 |
SHA1: | BA33540895DF323BB1D30D55441736656F52DD5A |
SHA-256: | 3E717303B58E2B14894912390DE05081D1807884B29A6C570C69FE8F34AC8FB0 |
SHA-512: | 986EE52DEF241BA94C9D44E5D1CE8DED5DEF73E1CFB6E02841BF15884B1391CDB7E222F8D4178ECCD224787064F6FCD6DE3ECC96AF33A2D09C66975483A2080A |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.6196876679200796 |
Encrypted: | false |
SSDEEP: | 24:etGSN8+mEej8MTHtmCFxidWptkZfOBvPat60hEdI+ycuZhNUakSgPNnq:6DLjMTwCFxcWkJOlSt66Ed1ulUa34q |
MD5: | AB4597E9782631B17D2198E76172A529 |
SHA1: | F1A1CEB3F77BC49D50D7D19C1BCB735D371F42A4 |
SHA-256: | 4B834FFE906C310F0F47401E4533440FABEE3F0CEC9B9226E8DF0CFAFCC0972A |
SHA-512: | A3E2C980FF718E6028215F79235A9C69CBDA0817163F1C98E32F79A6303A28C1A2C434A19F1DB94A5E46D4CC377173D96806A49B728E1C62D2344BB04D9368A6 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | modified |
Size (bytes): | 412 |
Entropy (8bit): | 4.871364761010112 |
Encrypted: | false |
SSDEEP: | 12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH |
MD5: | 83B3C9D9190CE2C57B83EEE13A9719DF |
SHA1: | ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E |
SHA-256: | B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA |
SHA-512: | 0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 415 |
Entropy (8bit): | 5.038565598056225 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJ0mMRSR7a18lpP6tkSRa+rVSSRnA/fl81N4IkgsOFQy:V/DTLDfuCMLh6tv9rV5nA/61N43gszy |
MD5: | 820D67D86E4D2F141C62A2F02F457875 |
SHA1: | 0F597E389BE20591567742E9333D19419947B3CD |
SHA-256: | 0DECFD511470CAB8EF7D4A45A891B8D3C8A7ABA782190C2777E2A2048F82A3CD |
SHA-512: | B05C022573C3EA6D9BC39C6E6E38DD33EC63D55F9793E6F5367E1EBA8493C33FFA28EB5989881EC82EE898F117D616FD1FE2A68E7FBF345209E8A61CBBFCCB61 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 351 |
Entropy (8bit): | 5.268750609128095 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f9KHzxs7+AEszIWXp+N23f9KoyA:p37Lvkmb6KHl0WZE8lz9 |
MD5: | 49F0BD0679BF1D1C64609BEC9FF0E9A8 |
SHA1: | 891088F1D52E4CBA1FC00275C138412B721B3AA9 |
SHA-256: | 4850FD4D357E5351C8262D82A388985B2B2B981B101052EB731D5B5D26BF8A98 |
SHA-512: | 3DCCB541CD36CCD5AC5537E7E3843E158760817BACE3C8BBABF6CF7BAB13CDE2EE95AC1DC3FB4A442FFE855502004AA92246FD912E4E118BA5723AA85E1592DA |
Malicious: | true |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.6373866366749064 |
Encrypted: | false |
SSDEEP: | 48:6Im65J7+ikLLuu0SJmUqgX1uljua36tq:Q65J7yLhhIpuK6 |
MD5: | 97E33B4529706F244A7CC47FEF8277AE |
SHA1: | 947DC04DF356F47448FC32D5EE745596473B0F59 |
SHA-256: | E0C3FB85273C41F45A2A3DF4ADECFBAF8C3A69DA3255A2E3065026F3EFB2CA15 |
SHA-512: | 49366788F7963F742735F04691E4EFC9427CBED09B7B9883B599CFABFBF2E47303B21B2D4D555596334C5D394BAED8289B7DD848798C0F71502AA2263B2A297E |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | modified |
Size (bytes): | 412 |
Entropy (8bit): | 4.871364761010112 |
Encrypted: | false |
SSDEEP: | 12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH |
MD5: | 83B3C9D9190CE2C57B83EEE13A9719DF |
SHA1: | ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E |
SHA-256: | B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA |
SHA-512: | 0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1195 |
Entropy (8bit): | 5.320686932671721 |
Encrypted: | false |
SSDEEP: | 24:BxSAIxvBnD+x2DOXUWOLCHGI4XWrHjeTKKjX4CIym1ZJXWOLCHGI4SnxSAZn:BZcvhKoORF4GrqDYB1ZcF4UZZn |
MD5: | 8AF4A446FD74F106B3927FD02E153053 |
SHA1: | 0C5A039AC8E3712945A48112494E3209ED7F619A |
SHA-256: | 29DA2D3F7E72FFC0EAE80A9BE479BFA51450B70D9E0F7EC3B4090A3603E2B1AD |
SHA-512: | 60EC0EE0ACD4EBD70CDD3BB2277D456169A9DF53A8D0B13855F46F0DB97DEBD13ED9E6B0D738900E7C094CB3F3F210CA1ADDA1E834B08C63996A0953448FCF25 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1195 |
Entropy (8bit): | 5.322193987487182 |
Encrypted: | false |
SSDEEP: | 24:BxSAdxvBnD+x2DOXUWOLCHGI4XWetHjeTKKjX4CIym1ZJXPOLCHGI4znxSAZS:BZ/vhKoORF4G8qDYB1Z/F4TZZS |
MD5: | 8E619B398098C24D77705A3469300C9C |
SHA1: | 25DFE5320E20672519A43CF9C45E1B8FF38CBD4D |
SHA-256: | 60B3C46DFE1B6F20597588DA9B4ACB49651019D3CAEBD9015EC86158D392C6E1 |
SHA-512: | 6213A342205E2AB3285F6957EFF5620C1E2EAB02D2E0DFAC335C7833709DB80714DC93E913E451C93797C985D1AF9F8C6FB7BE01EE7A06CB637E6C8FE43175F9 |
Malicious: | false |
Reputation: | unknown |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.437180554827025 |
TrID: |
File name: | uT9rwkGATJ.dll |
File size: | 662688 |
MD5: | 9a453cc31ebfca29d8df565258fbf8ce |
SHA1: | 5eb3be88abb84f63e04c92bc3e35a82a01689971 |
SHA256: | eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a |
SHA512: | c916ced5af88b060550b24f1136b5f6e3fde45207cdad721709eb209e706ae40bca9bd230ebf79d83981258ba674993b7f47174f91272358bd5ffe2db40e64b0 |
SSDEEP: | 12288:6vWBEPfqPoo44cvquI2Pg/8wsPrcPgIDU1Iu3vEI8Vck+5gS2oQkoKeyFtseQOYc:6v5Pbo4ZgaPrOpI1IkvIVc1qDoQko/yz |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......SQ...0...0...0..rV...0..rV..j0..rV...0..._...0..._...0....s..0...0..`0..._...0..._...0..._|..0..._...0..Rich.0..........PE..L.. |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x1001f336 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5F733B58 [Tue Sep 29 13:49:12 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 8d2de2ae605a2294ac6efde10e33795a |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007F2030D59067h |
call 00007F2030D5965Eh |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007F2030D58F13h |
add esp, 0Ch |
pop ebp |
retn 000Ch |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [100320BCh] |
push dword ptr [ebp+08h] |
call dword ptr [100320B8h] |
push C0000409h |
call dword ptr [100320C0h] |
push eax |
call dword ptr [100320C4h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call 00007F2030D69D49h |
test eax, eax |
je 00007F2030D59067h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [1009CBC8h], eax |
mov dword ptr [1009CBC4h], ecx |
mov dword ptr [1009CBC0h], edx |
mov dword ptr [1009CBBCh], ebx |
mov dword ptr [1009CBB8h], esi |
mov dword ptr [1009CBB4h], edi |
mov word ptr [1009CBE0h], ss |
mov word ptr [1009CBD4h], cs |
mov word ptr [1009CBB0h], ds |
mov word ptr [1009CBACh], es |
mov word ptr [1009CBA8h], fs |
mov word ptr [1009CBA4h], gs |
pushfd |
pop dword ptr [1009CBD8h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [1009CBCCh], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [1009CBD0h], eax |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x9ac20 | 0xac | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9accc | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9ae000 | 0x428 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9af000 | 0x1b80 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x99940 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x99998 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x1d0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x30dfc | 0x30e00 | False | 0.680766464194 | data | 6.73243552493 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x32000 | 0x69670 | 0x69800 | False | 0.573033915877 | data | 4.48456725744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9c000 | 0x911328 | 0xc00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x9ae000 | 0x428 | 0x600 | False | 0.287109375 | data | 2.49030754887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x9af000 | 0x1b80 | 0x1c00 | False | 0.796595982143 | data | 6.63506997151 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x9ae060 | 0x3c4 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetVolumeInformationW, VirtualProtect, EnterCriticalSection, GetModuleFileNameW, InitializeCriticalSection, GetTempPathW, CreateFileW, GetVersionExW, GetSystemDirectoryW, FindFirstChangeNotificationW, OpenProcess, LockResource, GetCurrentDirectoryW, GetWindowsDirectoryW, GetModuleHandleW, GetSystemTime, QueryPerformanceCounter, GetDateFormatW, WriteConsoleW, CloseHandle, SetFilePointerEx, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, GetStringTypeW, GetFileType, GetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, EnumSystemLocalesW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, DecodePointer |
WS2_32.dll | gethostbyname, shutdown, WSAStartup, getpeername, getsockname, send, socket, ntohs, getservbyname, recvfrom, recv, htonl, htons, sendto, setsockopt, WSACleanup |
WININET.dll | InternetCanonicalizeUrlW, InternetConnectW, InternetGetLastResponseInfoW, InternetCloseHandle, HttpOpenRequestW, InternetOpenW, HttpQueryInfoW, InternetOpenUrlW, InternetQueryDataAvailable, InternetSetOptionExW, InternetCrackUrlW, HttpSendRequestW, InternetSetStatusCallbackW, InternetWriteFile, InternetReadFile |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Camptiny | 1 | 0x1001cb80 |
Consonantget | 2 | 0x1001ccb0 |
LongSubstance | 3 | 0x1001caf0 |
Rangetown | 4 | 0x1001cc80 |
Scoreplay | 5 | 0x1001ce90 |
Visit | 6 | 0x1001cce0 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Laugh Ranhear person Corporation. All rights reserved |
InternalName | Logice Radiocorner |
FileVersion | 8.2.6.941 |
CompanyName | Laugh Ranhear person Corporation Minescale |
ProductName | Laugh Ranhear person Evenseat Sailmiss |
ProductVersion | 8.2.6.941 |
FileDescription | Laugh Ranhear person Evenseat Sailmiss |
OriginalFilename | Teach.dll |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
UDP Packets |
---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Oct 8, 2021 06:45:26.566437006 CEST | 192.168.2.3 | 8.8.8.8 | 0xb675 | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:27.443280935 CEST | 192.168.2.3 | 8.8.8.8 | 0xf717 | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:27.607156992 CEST | 192.168.2.3 | 8.8.8.8 | 0xf806 | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:31.535360098 CEST | 192.168.2.3 | 8.8.8.8 | 0xc2fe | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:32.747283936 CEST | 192.168.2.3 | 8.8.8.8 | 0xd767 | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:32.966011047 CEST | 192.168.2.3 | 8.8.8.8 | 0xa3ac | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:47.981653929 CEST | 192.168.2.3 | 8.8.8.8 | 0xb5e9 | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:53.492539883 CEST | 192.168.2.3 | 8.8.8.8 | 0xb38a | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:08.057581902 CEST | 192.168.2.3 | 8.8.8.8 | 0x6e0 | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:08.459676027 CEST | 192.168.2.3 | 8.8.8.8 | 0xce86 | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:08.990503073 CEST | 192.168.2.3 | 8.8.8.8 | 0x4b05 | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:14.767023087 CEST | 192.168.2.3 | 8.8.8.8 | 0xe225 | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:15.257365942 CEST | 192.168.2.3 | 8.8.8.8 | 0x5b3f | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:15.942392111 CEST | 192.168.2.3 | 8.8.8.8 | 0xe0c0 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | | | 40.97.156.114 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | | | 40.97.160.2 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | | | 40.97.128.194 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | | | 40.97.164.146 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | | | 40.97.153.146 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | | | 40.97.116.82 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | | | 40.97.148.226 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | | | 40.97.161.50 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | | FRA-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | | | 52.98.208.114 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | | | 52.97.212.34 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | | | 52.97.137.98 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | | | 52.97.151.18 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | | | 52.97.147.178 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | | | 52.97.223.66 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | | | 52.98.207.210 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | | | 40.97.160.2 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | | | 40.97.128.194 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | | | 40.97.164.146 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | | | 40.97.153.146 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | | | 40.97.116.82 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | | | 40.97.148.226 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | | | 40.97.161.50 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | | | 40.97.156.114 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | | FRA-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | | | 40.101.9.178 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | | | 52.98.208.66 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | | | 40.101.124.194 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | | | 52.97.178.98 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | | | 52.97.212.242 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | | | 52.97.151.146 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | | | 52.97.162.2 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:48.005803108 CEST | 8.8.8.8 | 192.168.2.3 | 0xb5e9 | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:45:53.512773037 CEST | 8.8.8.8 | 192.168.2.3 | 0xb38a | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:08.080866098 CEST | 8.8.8.8 | 192.168.2.3 | 0x6e0 | No error (0) | | | 193.29.104.83 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:08.490591049 CEST | 8.8.8.8 | 192.168.2.3 | 0xce86 | No error (0) | | | 193.29.104.83 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:09.020853043 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b05 | No error (0) | | | 193.29.104.83 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:14.784287930 CEST | 8.8.8.8 | 192.168.2.3 | 0xe225 | No error (0) | | | 193.29.104.83 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:15.281104088 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b3f | No error (0) | | | 193.29.104.83 | A (IP address) | IN (0x0001) |
Oct 8, 2021 06:46:15.962352991 CEST | 8.8.8.8 | 192.168.2.3 | 0xe0c0 | No error (0) | | | 193.29.104.83 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTPS Proxied Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49754 | 40.97.156.114 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:45:27 UTC | 0 | OUT | |
2021-10-08 04:45:27 UTC | 0 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49755 | 52.98.208.114 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:45:27 UTC | 1 | OUT | |
2021-10-08 04:45:27 UTC | 1 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
10 | 192.168.2.3 | 49832 | 193.29.104.83 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:46:15 UTC | 709 | OUT | |
2021-10-08 04:46:15 UTC | 710 | IN | |
2021-10-08 04:46:15 UTC | 710 | IN | |
2021-10-08 04:46:15 UTC | 726 | IN | |
2021-10-08 04:46:15 UTC | 742 | IN | |
2021-10-08 04:46:15 UTC | 758 | IN | |
2021-10-08 04:46:15 UTC | 774 | IN | |
2021-10-08 04:46:15 UTC | 790 | IN | |
2021-10-08 04:46:15 UTC | 806 | IN | |
2021-10-08 04:46:15 UTC | 822 | IN | |
2021-10-08 04:46:15 UTC | 838 | IN | |
2021-10-08 04:46:15 UTC | 854 | IN | |
2021-10-08 04:46:15 UTC | 870 | IN | |
2021-10-08 04:46:15 UTC | 886 | IN | |
2021-10-08 04:46:15 UTC | 902 | IN | |
2021-10-08 04:46:15 UTC | 918 | IN | |
2021-10-08 04:46:15 UTC | 934 | IN | |
2021-10-08 04:46:15 UTC | 950 | IN | |
2021-10-08 04:46:15 UTC | 966 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
11 | 192.168.2.3 | 49833 | 193.29.104.83 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:46:16 UTC | 979 | OUT | |
2021-10-08 04:46:16 UTC | 980 | IN | |
2021-10-08 04:46:16 UTC | 980 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.3 | 49756 | 52.97.151.18 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:45:27 UTC | 2 | OUT | |
2021-10-08 04:45:27 UTC | 2 | IN | |
2021-10-08 04:45:27 UTC | 3 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.3 | 49764 | 40.97.160.2 | 443 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:45:32 UTC | 4 | OUT | |
2021-10-08 04:45:32 UTC | 4 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.3 | 49765 | 40.101.9.178 | 443 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:45:32 UTC | 5 | OUT | |
2021-10-08 04:45:32 UTC | 6 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
5 | 192.168.2.3 | 49766 | 52.97.178.98 | 443 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:45:33 UTC | 6 | OUT | |
2021-10-08 04:45:33 UTC | 7 | IN | |
2021-10-08 04:45:33 UTC | 7 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
6 | 192.168.2.3 | 49828 | 193.29.104.83 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:46:08 UTC | 9 | OUT | |
2021-10-08 04:46:08 UTC | 9 | IN | |
2021-10-08 04:46:08 UTC | 10 | IN | |
2021-10-08 04:46:08 UTC | 25 | IN | |
2021-10-08 04:46:08 UTC | 41 | IN | |
2021-10-08 04:46:08 UTC | 57 | IN | |
2021-10-08 04:46:08 UTC | 73 | IN | |
2021-10-08 04:46:08 UTC | 89 | IN | |
2021-10-08 04:46:08 UTC | 105 | IN | |
2021-10-08 04:46:08 UTC | 121 | IN | |
2021-10-08 04:46:08 UTC | 137 | IN | |
2021-10-08 04:46:08 UTC | 153 | IN | |
2021-10-08 04:46:08 UTC | 169 | IN | |
2021-10-08 04:46:08 UTC | 185 | IN | |
2021-10-08 04:46:08 UTC | 201 | IN | |
2021-10-08 04:46:08 UTC | 217 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
7 | 192.168.2.3 | 49829 | 193.29.104.83 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:46:08 UTC | 223 | OUT | |
2021-10-08 04:46:08 UTC | 223 | IN | |
2021-10-08 04:46:08 UTC | 224 | IN | |
2021-10-08 04:46:08 UTC | 239 | IN | |
2021-10-08 04:46:08 UTC | 255 | IN | |
2021-10-08 04:46:08 UTC | 271 | IN | |
2021-10-08 04:46:08 UTC | 287 | IN | |
2021-10-08 04:46:08 UTC | 303 | IN | |
2021-10-08 04:46:08 UTC | 319 | IN | |
2021-10-08 04:46:08 UTC | 335 | IN | |
2021-10-08 04:46:08 UTC | 351 | IN | |
2021-10-08 04:46:08 UTC | 367 | IN | |
2021-10-08 04:46:08 UTC | 383 | IN | |
2021-10-08 04:46:08 UTC | 399 | IN | |
2021-10-08 04:46:08 UTC | 415 | IN | |
2021-10-08 04:46:08 UTC | 431 | IN | |
2021-10-08 04:46:08 UTC | 447 | IN | |
2021-10-08 04:46:08 UTC | 463 | IN | |
2021-10-08 04:46:08 UTC | 479 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
8 | 192.168.2.3 | 49830 | 193.29.104.83 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:46:09 UTC | 493 | OUT | |
2021-10-08 04:46:09 UTC | 493 | IN | |
2021-10-08 04:46:09 UTC | 494 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
9 | 192.168.2.3 | 49831 | 193.29.104.83 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-08 04:46:14 UTC | 495 | OUT | |
2021-10-08 04:46:14 UTC | 496 | IN | |
2021-10-08 04:46:14 UTC | 496 | IN | |
2021-10-08 04:46:14 UTC | 512 | IN | |
2021-10-08 04:46:15 UTC | 528 | IN | |
2021-10-08 04:46:15 UTC | 544 | IN | |
2021-10-08 04:46:15 UTC | 560 | IN | |
2021-10-08 04:46:15 UTC | 576 | IN | |
2021-10-08 04:46:15 UTC | 592 | IN | |
2021-10-08 04:46:15 UTC | 608 | IN | |
2021-10-08 04:46:15 UTC | 624 | IN | |
2021-10-08 04:46:15 UTC | 640 | IN | |
2021-10-08 04:46:15 UTC | 656 | IN | |
2021-10-08 04:46:15 UTC | 672 | IN | |
2021-10-08 04:46:15 UTC | 688 | IN | |
2021-10-08 04:46:15 UTC | 704 | IN |
Code Manipulations |
---|
User Modules |
---|
Hook Summary |
---|
Function Name | Hook Type | Active in Processes |
---|---|---|
CreateProcessAsUserW | EAT | explorer.exe |
CreateProcessAsUserW | INLINE | explorer.exe |
CreateProcessW | EAT | explorer.exe |
CreateProcessW | INLINE | explorer.exe |
CreateProcessA | EAT | explorer.exe |
CreateProcessA | INLINE | explorer.exe |
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe |
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe |
Processes |
---|
Process: explorer.exe, Module: KERNEL32.DLL |
---|
Function Name | Hook Type | New Data |
---|---|---|
CreateProcessAsUserW | EAT | 7FFC8BAF521C |
CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00 |
CreateProcessW | EAT | 7FFC8BAF5200 |
CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00 |
CreateProcessA | EAT | 7FFC8BAF520E |
CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00 |
Process: explorer.exe, Module: WININET.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFC8BAF5200 |
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 6640E2C |
Process: explorer.exe, Module: user32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFC8BAF5200 |
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 6640E2C |
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 06:43:32 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xdd0000 |
File size: | 893440 bytes |
MD5 hash: | 72FCD8FB0ADC38ED9050569AD673650E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 06:43:33 |
Start date: | 08/10/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd80000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 06:43:33 |
Start date: | 08/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xab0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 06:43:33 |
Start date: | 08/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xab0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 06:43:37 |
Start date: | 08/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xab0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 06:43:43 |
Start date: | 08/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xab0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 06:46:14 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\mshta.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff610460000 |
File size: | 14848 bytes |
MD5 hash: | 197FC97C6A843BEBB445C1D9C58DCBDB |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 06:46:16 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff777fc0000 |
File size: | 447488 bytes |
MD5 hash: | 95000560239032BC68B4C2FDFCDEF913 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
Reputation: | high |
General |
---|
Start time: | 06:46:16 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7f20f0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 06:46:19 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\mshta.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff610460000 |
File size: | 14848 bytes |
MD5 hash: | 197FC97C6A843BEBB445C1D9C58DCBDB |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:21 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff777fc0000 |
File size: | 447488 bytes |
MD5 hash: | 95000560239032BC68B4C2FDFCDEF913 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
General |
---|
Start time: | 06:46:21 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7f20f0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:25 |
Start date: | 08/10/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff677cd0000 |
File size: | 2739304 bytes |
MD5 hash: | B46100977911A0C9FB1C3E5F16A5017D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
General |
---|
Start time: | 06:46:26 |
Start date: | 08/10/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff732960000 |
File size: | 47280 bytes |
MD5 hash: | 33BB8BE0B4F547324D93D5D2725CAC3D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:28 |
Start date: | 08/10/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff677cd0000 |
File size: | 2739304 bytes |
MD5 hash: | B46100977911A0C9FB1C3E5F16A5017D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
General |
---|
Start time: | 06:46:29 |
Start date: | 08/10/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff677cd0000 |
File size: | 2739304 bytes |
MD5 hash: | B46100977911A0C9FB1C3E5F16A5017D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
General |
---|
Start time: | 06:46:31 |
Start date: | 08/10/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff732960000 |
File size: | 47280 bytes |
MD5 hash: | 33BB8BE0B4F547324D93D5D2725CAC3D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:31 |
Start date: | 08/10/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff732960000 |
File size: | 47280 bytes |
MD5 hash: | 33BB8BE0B4F547324D93D5D2725CAC3D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:35 |
Start date: | 08/10/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff677cd0000 |
File size: | 2739304 bytes |
MD5 hash: | B46100977911A0C9FB1C3E5F16A5017D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
General |
---|
Start time: | 06:46:35 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\control.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6dd8e0000 |
File size: | 117760 bytes |
MD5 hash: | 625DAC87CB5D7D44C5CA1DA57898065F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:37 |
Start date: | 08/10/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff732960000 |
File size: | 47280 bytes |
MD5 hash: | 33BB8BE0B4F547324D93D5D2725CAC3D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:39 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ce540000 |
File size: | 69632 bytes |
MD5 hash: | 73C519F050C20580F8A62C849D49215A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:41 |
Start date: | 08/10/2021 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff720ea0000 |
File size: | 3933184 bytes |
MD5 hash: | AD5296B280E8F522A8A897C96BAB0E1D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: |
|
General |
---|
Start time: | 06:46:43 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\control.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6dd8e0000 |
File size: | 117760 bytes |
MD5 hash: | 625DAC87CB5D7D44C5CA1DA57898065F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:46 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ce540000 |
File size: | 69632 bytes |
MD5 hash: | 73C519F050C20580F8A62C849D49215A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:59 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff673be0000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:46:59 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7f20f0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:47:00 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\PING.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff704c90000 |
File size: | 21504 bytes |
MD5 hash: | 6A7389ECE70FB97BFE9A570DB4ACCC3B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:47:06 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff673be0000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:47:07 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7f20f0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:47:09 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\PING.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff704c90000 |
File size: | 21504 bytes |
MD5 hash: | 6A7389ECE70FB97BFE9A570DB4ACCC3B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 06:47:10 |
Start date: | 08/10/2021 |
Path: | C:\Windows\System32\RuntimeBroker.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6225d0000 |
File size: | 99272 bytes |
MD5 hash: | C7E36B4A5D9E6AC600DD7A0E0D52DAC5 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Disassembly |
---|
Code Analysis |
---|