Windows Analysis Report gECym.bin
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
(process tree not included in this extract) |
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(memory dumps; names not captured; the report's expand link lists 50 entries) | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(unpacked PE dumps; names not captured; 5 rows shown, the report's expand link lists 2 entries) | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Sigma Overview |
---|
Category | Rule | Author |
---|---|---|
System Summary | Encoded IEX | Florian Roth |
System Summary | MSHTA Spawning Windows Shell | Michael Haag |
System Summary | Mshta Spawning Windows Shell | Florian Roth |
System Summary | Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
Data Obfuscation | Powershell run code from registry | Joe Security |
The matching process and command line for each rule are not captured in this extract. |
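The four Sigma rules listed above, approximated as plain Python and run over constructed process-creation events, so the reader can see what each rule keys on. This is an added example written for this page, not code from the Joe Sandbox report or from the Sigma project: the conditions are a simplification of each rule's logic, the Sysmon Event ID 1 field names (Image, ParentImage, CommandLine) are an assumption, and the paths, command lines and the registry key HKCU:\Software\Example\Data in the sample events are constructed.

```python
# Added example for this page (not code from the Joe Sandbox report or from the
# upstream Sigma rules): plain-Python approximations of the four Sigma rules
# named above, run over constructed Sysmon Event ID 1 style process-creation
# events. Field names follow Sysmon; the matching conditions are this page's
# own simplification of the rule logic.
import base64
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENCODED_ARG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
REGISTRY_READ = re.compile(r"get-itemproperty|\bgp\b|hkcu:|hklm:|registry::", re.I)
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_for_powershell(script):
    """What the attacker does: UTF-16LE, then base64, for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_encoded_iex(ev):
    """Encoded IEX: the base64 payload itself calls Invoke-Expression."""
    decoded = decode_encoded_command(ev["CommandLine"])
    return decoded is not None and IEX.search(decoded) is not None


def rule_mshta_spawning_shell(ev):
    """MSHTA Spawning Windows Shell: mshta.exe is the parent of a shell or script host."""
    return basename(ev["ParentImage"]) == "mshta.exe" and basename(ev["Image"]) in SHELLS


def rule_non_interactive_powershell(ev):
    """Non Interactive PowerShell: PowerShell not started from the user's explorer.exe."""
    return basename(ev["Image"]) in POWERSHELL and basename(ev["ParentImage"]) != "explorer.exe"


def rule_powershell_code_from_registry(ev):
    """Powershell run code from registry: reads a registry value and IEXes it."""
    if basename(ev["Image"]) not in POWERSHELL:
        return False
    text = ev["CommandLine"] + " " + (decode_encoded_command(ev["CommandLine"]) or "")
    return REGISTRY_READ.search(text) is not None and IEX.search(text) is not None


RULES = [
    ("Encoded IEX", rule_encoded_iex),
    ("MSHTA Spawning Windows Shell", rule_mshta_spawning_shell),
    ("Non Interactive PowerShell", rule_non_interactive_powershell),
    ("Powershell run code from registry", rule_powershell_code_from_registry),
]


def run_rules(events):
    """Names of the rules that fire for each event, in RULES order."""
    return [[name for name, fn in RULES if fn(ev)] for ev in events]


# Constructed events (hypothetical paths and registry key; not taken from the report).
STAGER = r"IEX (Get-ItemProperty 'HKCU:\Software\Example\Data').Payload"
EVENTS = [
    {   # a user opening PowerShell from the Start menu: should fire nothing
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -NoProfile",
    },
    {   # mshta -> hidden PowerShell with an encoded registry stager: all four fire
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -enc "
                       + encode_for_powershell(STAGER),
    },
    {   # a service running a script file: only the non-interactive rule fires
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\update.ps1",
    },
]

if __name__ == "__main__":
    for ev, hits in zip(EVENTS, run_rules(EVENTS)):
        print(basename(ev["ParentImage"]), "->", basename(ev["Image"]), hits)
```

Running the block prints, per event, which rules fire. The second event, modelled on the mshta-to-PowerShell chain this report flags, trips all four rules at once; that stacking is what separates a loader of this kind from an administrator's scheduled script, which typically trips only the non-interactive rule.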
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: | (permalink not captured) |
Source: | Avira: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | (16 entries; details not captured) |
Networking: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Domain query: |
Source: | Network Connect: |
Source: | Network traffic detected: | (52 entries; details not captured) |
Source: | String found in binary or memory: | (5 entries; details not captured) |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: | (22 entries; details not captured) |
Source: | HTTPS traffic detected: | (16 entries; details not captured) |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif |
Source: | File source: | (62 entries; dump names not captured) |
Source: | Binary or memory string: |
E-Banking Fraud: |
---|
Yara detected Ursnif |
Source: | File source: | (62 entries; dump names not captured) |
System Summary: |
---|
Writes or reads registry keys via WMI |
Source: | WMI Queries: | (22 entries; query text not captured) |
Writes registry values via WMI |
Source: | WMI Registry write: | (24 entries; key and value names not captured) |
Source: | Static PE information: |
Source: | Code function: | (3 entries; details not captured) |
Source: | Code function: | (2 entries; details not captured) |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: | (26 entries; command lines not captured) |
Source: | Key value queried: |
Source: | File created: |
Source: | File created: |
Source: | Classification label: |
Source: | File read: |
Source: | Process created: |
Source: | File read: | (6 entries; paths not captured) |
Data Obfuscation: |
---|
Suspicious powershell command line found |
Source: | Process created: | (3 entries; command lines not captured) |
Source: | Code function: | (13 entries; details not captured) |
Source: | Code function: |
Source: | Static PE information: |
Source: | Process created: |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif |
Source: | File source: | (62 entries; dump names not captured) |
Hooks registry keys query functions (used to hide registry keys) |
Source: | IAT, EAT, inline or SSDT hook detected: |
Modifies the prolog of user mode functions (user mode inline hooks) |
Source: | User mode code has changed: |
Modifies the export address table of user mode modules (user mode EAT hooks) |
Source: | EAT of a user mode module has changed: |
Modifies the import address table of user mode modules (user mode IAT hooks) |
Source: | IAT of a user mode module has changed: |
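One way to do the comparison behind "User mode code has changed" and "IAT/EAT of a user mode module has changed", as an added example that is not code from the report or from Joe Sandbox. It runs on constructed byte snapshots: the module ranges, addresses, function names and the syscall-stub bytes are hypothetical stand-ins, and in practice the two byte strings come from the image file on disk and from the live process (or a memory dump).

```python
# Added example for this page (not from the Joe Sandbox report or from any
# hook-detection tool): the comparison behind "user mode code has changed" and
# "IAT/EAT of a user mode module has changed", done on constructed byte
# snapshots. Addresses, module ranges, the syscall-stub bytes and the function
# names are hypothetical stand-ins; a real check reads the mapped image from
# disk and the live prolog from the process (or a memory dump).
import struct

# Hypothetical module layout for the constructed snapshots.
MODULE_RANGES = {
    "ntdll.dll": (0x7FFA12300000, 0x7FFA124E0000),
}


def in_module(addr, module):
    lo, hi = MODULE_RANGES[module]
    return lo <= addr < hi


def read_target(mem, func_addr):
    """(kind, target) if the prolog immediately transfers control elsewhere, else None.

    Covers the trampoline shapes user-mode hooks typically write over the
    first bytes: jmp rel32, jmp qword ptr [rip+0] with an inline pointer,
    push imm32/ret, and movabs rax/jmp rax.
    """
    if len(mem) >= 5 and mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(mem) >= 14 and mem[:2] == b"\xFF\x25":
        disp = struct.unpack_from("<i", mem, 2)[0]
        if disp == 0:  # pointer stored right after the 6-byte instruction
            return "jmp [rip+0]", struct.unpack_from("<Q", mem, 6)[0]
        return "jmp [rip+disp]", None  # pointer lives elsewhere; needs a memory read
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 12 and mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":
        return "movabs rax/jmp rax", struct.unpack_from("<Q", mem, 2)[0]
    return None


def check_prolog(name, module, func_addr, disk_bytes, mem_bytes):
    """Compare the on-disk and in-memory prolog of one export."""
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(disk_bytes, mem_bytes)) if a != b), -1)
    kind, target = read_target(mem_bytes, func_addr) or (None, None)
    return {
        "function": name,
        "modified": first_diff != -1,
        "first_diff": first_diff,
        "redirect": kind,
        "target": target,
        # a jump that leaves the owning module is the classic sign of an injected hook
        "target_in_module": target is not None and in_module(target, module),
    }


# Constructed stand-in for an x64 Nt* stub: mov r10,rcx; mov eax,imm32; syscall; ret; int3 padding.
CLEAN_STUB = bytes.fromhex("4C8BD1B817000000" "0F05C3" "CCCCCCCCCCCCCC")
# jmp rel32 from 0x7FFA12340000 to 0x7FFA12F00000 (rel32 = 0x00BBFFFB), remaining bytes untouched.
HOOKED_JMP = bytes.fromhex("E9FBFFBB00") + CLEAN_STUB[5:]
# jmp qword ptr [rip+0] followed by the 8-byte pointer 0x000001E400050000 (a heap-like address).
HOOKED_ABS = bytes.fromhex("FF2500000000" "00000500E4010000") + CLEAN_STUB[14:]

# (name, module, address, bytes from the file on disk, bytes read from the process)
FUNCTIONS = [
    ("NtQueryValueKey", "ntdll.dll", 0x7FFA12340000, CLEAN_STUB, HOOKED_JMP),
    ("NtEnumerateValueKey", "ntdll.dll", 0x7FFA12340100, CLEAN_STUB, HOOKED_ABS),
    ("NtClose", "ntdll.dll", 0x7FFA12340200, CLEAN_STUB, CLEAN_STUB),
]


def scan_prologs(functions=FUNCTIONS):
    return [check_prolog(*f) for f in functions]


# Import/export table snapshot: "module!symbol" -> address the table currently holds.
TABLE_SNAPSHOT = {
    "ntdll.dll!NtQueryValueKey": 0x7FFA12F00000,  # rewritten to point at injected code
    "ntdll.dll!NtClose": 0x7FFA12340200,
}


def check_table(table, ranges=MODULE_RANGES):
    """IAT/EAT entries whose address no longer lies inside the exporting module."""
    flagged = []
    for entry, addr in table.items():
        lo, hi = ranges[entry.split("!", 1)[0]]
        if not lo <= addr < hi:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for r in scan_prologs():
        print(r)
    print("table entries outside module:", check_table(TABLE_SNAPSHOT))
```

The useful signal is not merely that bytes differ (legitimate hot-patching and some security products also rewrite prologs) but where the first instruction now goes: a redirect whose target lies outside the owning module, or a table entry that does, is the pattern behind the Rootkit and Credential API Hooking techniques listed in the ATT&CK matrix of this report.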
Source: | Registry key monitored for changes: |
Source: | Process information set: | (12 entries; details not captured) |
Source: | Thread sleep count: | (6 entries; details not captured) |
Source: | Thread sleep time: | (2 entries; details not captured) |
Source: | Process information queried: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Code function: | (5 entries; details not captured) |
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Domain query: |
Source: | Network Connect: |
Source: | Process created: | (3 entries; command lines not captured) |
Source: | Process created: |
Source: | Binary or memory string: | (5 entries; details not captured) |
Source: | Code function: |
Source: | Code function: |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: | File source: | (62 entries; dump names not captured) |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: | File source: | (62 entries; dump names not captured) |
Mitre Att&ck Matrix |
---|
Only the techniques the report flagged are listed. The numbers in parentheses are the report's per-technique hit markers, reproduced as extracted (the report renders them as superscripts on the full ATT&CK grid). |
Tactic | Flagged techniques (marker) |
---|---|
Execution | Windows Management Instrumentation (2); Native API (1); Command and Scripting Interpreter (1); PowerShell (1) |
Persistence | DLL Side-Loading (1) |
Privilege Escalation | DLL Side-Loading (1); Process Injection (112) |
Defense Evasion | Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1); Rootkit (4); Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (112); Regsvr32 (1); Rundll32 (1) |
Credential Access | Credential API Hooking (3); Input Capture (1) |
Discovery | System Time Discovery (1); File and Directory Discovery (1); System Information Discovery (3); Query Registry (1); Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Process Discovery (2); Remote System Discovery (1) |
Collection | Archive Collected Data (1); Credential API Hooking (3); Input Capture (1) |
Command and Control | Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (3) |
Initial Access; Lateral Movement; Exfiltration; Network Effects; Remote Service Effects; Impact | none flagged |
Behavior Graph |
---|
(behavior graph not included in this extract) |
Screenshots |
---|
(screenshot thumbnails not included in this extract) |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(initial sample) | 11% | Virustotal | | |
(initial sample) | 6% | ReversingLabs | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
(unpacked PE; name not captured) | 100% | Avira | TR/Crypt.XPACK.Gen | | |
(unpacked PE; name not captured) | 100% | Avira | TR/Crypt.XPACK.Gen | | |
(unpacked PE; name not captured) | 100% | Avira | TR/Crypt.XPACK.Gen | | |
(unpacked PE; name not captured) | 100% | Avira | TR/Crypt.XPACK.Gen | | |
(unpacked PE; name not captured) | 100% | Avira | HEUR/AGEN.1108168 | | |
(unpacked PE; name not captured) | 100% | Avira | TR/Crypt.XPACK.Gen | | |
(unpacked PE; name not captured) | 100% | Avira | TR/Crypt.XPACK.Gen8 | | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(URL not captured) | 0% | Virustotal | | |
(21 URLs; not captured) | 0% | Avira URL Cloud | safe | |
(URL not captured) | 0% | URL Reputation | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
contextual.media.net | 23.211.6.95 | true | false | high | |
dart.l.doubleclick.net | 172.217.168.38 | true | false | high | |
tls13.taboola.map.fastly.net | 151.101.1.44 | true | false | high | |
aaaa.bar | 31.220.111.98 | true | false | high | |
myip.opendns.com | 102.129.143.33 | true | false | high | |
hblg.media.net | 23.211.6.95 | true | false | high | |
lg3.media.net | 23.211.6.95 | true | false | high | |
resolver1.opendns.com | 208.67.222.222 | true | false | high | |
btloader.com | 104.26.7.139 | true | false | high | |
geolocation.onetrust.com | 104.20.184.68 | true | false | high | |
ad-delivery.net | 104.26.3.70 | true | false | high | |
www.msn.com | unknown | unknown | false | high | |
ad.doubleclick.net | unknown | unknown | false | high | |
srtb.msn.com | unknown | unknown | false | high | |
img.img-taboola.com | unknown | unknown | false | high | |
web.vortex.data.msn.com | unknown | unknown | false | high | |
222.222.67.208.in-addr.arpa | unknown | unknown | false | high | |
cvision.media.net | unknown | unknown | false | high |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(21 URLs; names not captured) | 11 flagged true, 10 false | | 2 high, 19 unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(3 URLs; names not captured) | | false | | unknown |
Contacted IPs |
---|
Map legend (share of contacted IPs per country): under 25%; 25% to 50%; 50% to 75%; over 75%. |
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.26.3.70 | ad-delivery.net | United States | 13335 | CLOUDFLARENETUS | false | |
31.220.111.98 | aaaa.bar | Lithuania | 47583 | AS-HOSTINGERLT | false | |
151.101.1.44 | tls13.taboola.map.fastly.net | United States | 54113 | FASTLYUS | false | |
104.26.7.139 | btloader.com | United States | 13335 | CLOUDFLARENETUS | false | |
104.20.184.68 | geolocation.onetrust.com | United States | 13335 | CLOUDFLARENETUS | false | |
172.217.168.38 | dart.l.doubleclick.net | United States | 15169 | GOOGLEUS | false |
Private |
---|
IP |
---|
192.168.2.1 |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 506330 |
Start date: | 20.10.2021 |
Start time: | 15:07:24 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 18m 13s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | gECym.bin (renamed file extension from bin to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 49 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | (not captured) |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winDLL@26/19@24/7 |
EGA Information: | Failed |
HDC Information: | (not captured) |
HCA Information: | Failed |
Cookbook Comments: | (none captured) |
Warnings: | (not captured) |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
15:10:37 | API Interceptor | (3 entries; description not captured) |
15:12:26 | API Interceptor | (description not captured) |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | (not captured) |
Category: | dropped |
Size (bytes): | 5632 |
Entropy (8bit): | 2.303215435374284 |
Encrypted: | false |
SSDEEP: | 24:rBG//dyyoG//dyywjwyyaMJOyyqMJn9lW6rb9lW6r:rBG/8PG/8Nj7ncXV2i2 |
MD5: | B56ACB4E6B3293BA19D0503E2170C408 |
SHA1: | 92DB88CC10DB2A603E8466D7B402C37D21A584C3 |
SHA-256: | 2449C11333E65E0D972FB3F5BC3A0667C6E8EEF0350663A1968C0B1ED02E679B |
SHA-512: | 15CD996A299EA60B92DC0A5F5F9AC2924D8D61DD9173C2A821804C8C770268426228BD2455F17E9FEB051C7CC79EDD792F3421FB224E3AF0C3995A5F37B2EBBA |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 332800 |
Entropy (8bit): | 3.5961335597614354 |
Encrypted: | false |
SSDEEP: | 3072:3Z/2Bfcdmu5kgTzGtMZ/2Bfc+mu5kgTzGtYZ/2Bfcdmu5kgTzGtPZ/2Bfc+mu5kn:+3CA |
MD5: | E18515874802ADABB53A5FDA9129AA3B |
SHA1: | B5E4471C3B7585C26EB07ED9D1708F2D11419C26 |
SHA-256: | C5C901014D0AD31761C34F248BCA359042DC32A56F18934B1681A8A5F08D3325 |
SHA-512: | 1B16A003EC2FABA88B9E0383B4B1F43586DB475A1CA88E0EC2F84ECE719A7A5779F75696C3416794FB2D8CB8302BD4EC62ED28EB8B3E437C03002C517F1472F3 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 1.6705445729981827 |
Encrypted: | false |
SSDEEP: | 12:rl0oXGFxT4XDrEgm8Gr76Fr+lXDrEgm8GD7qw9lpQA9dv9lsQ0Y9cC:rtG8r+lTG8C9laAH9lr0Y2 |
MD5: | B22965349F002388D86C795AFD60EB6A |
SHA1: | 68AA871597398E51A33ABF8C402C8D54C484AFCB |
SHA-256: | EBFFCD86C7D5468E4021389A5A72B51178AE653892BDFF78B2799D4205612DE7 |
SHA-512: | C62ADFADA8DA38E0DB68AE58E5401FCEFB001B14CF098AA3AF04B56CBCEC8B43E4E5A7324FDB14BA5854DA72B8723856B8BFF0B2DE64C555363E4279B69FCF7F |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 1.6657795438851608 |
Encrypted: | false |
SSDEEP: | 12:rl0oXGFvXDrEgm8Gr76FA+lXDrEgm8GD7qw9lpQA9dv9lsQ0Y9cC:rYG8A+lTG8C9laAH9lr0Y2 |
MD5: | 7B33FEEE0D101255C74A14617B867714 |
SHA1: | EC8CF0E9F78A22A2D07A567D947A842C22B593E0 |
SHA-256: | DCC08AA984FBC0153588DA4FC94DA31B710DCAFD83745FBD42B920CC30F46110 |
SHA-512: | FD8CC23EBDF673D3478AD7AA71A85586EF7E413846A715BF96EEEC762D68C7410EB358818711C83B76D1DF8863A46640EAF4ABC1CA67845B725CE1A99EF7404A |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 1.5617078821522077 |
Encrypted: | false |
SSDEEP: | 12:rlxAF6cDrEgm8GD7KFsr+lXDrEgm8GD7qw9lpQA9dI:ryG80r+lTG8C9laAg |
MD5: | 7D83E65B1A457E107649B777321DD535 |
SHA1: | 0910FEDDE1889D1FB167F3877BFEDB2C89B371FF |
SHA-256: | 76E6CFBA96B530161AA5C22CC0BA98AE299A3E3AAEDDD693DF71F6671BA757BD |
SHA-512: | 696D0340BFBA24A714949F68382605708EC1C32B893E2768C942FE29154059D39033FD7D83EF3AE9A4E9AF4371E13AC23E0948EC9262828D6F5C6DDA1D7B0C89 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 356 |
Entropy (8bit): | 5.09283390816657 |
Encrypted: | false |
SSDEEP: | 6:TMVBdc9EMdLD5Ltqc41EH8tPCTD90/QL3WIZK0QhPPFVDHkEtMjwu:TMHdNMNxOEHCPCnWimI00ONVbkEtMb |
MD5: | 62E15860B582D37CA3DC1E8D89A26808 |
SHA1: | A3CA8F879F027A187BAED3808170D6DC9BB869AB |
SHA-256: | 88E4A132068204BC44F931CCA5AD81C3A1C24D9EAB5C1A76FE491C8FC15462F3 |
SHA-512: | AC7BCEF376AE0F612E9B9EE6AA7FF7BD3C72B18E404160E531B73DB25AE7C52427BCC45DC4CE285ACDDCDD03CA9F0F9A714B0A13A44DE5884FD9B2F82E7D1B17 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 354 |
Entropy (8bit): | 5.154761999497282 |
Encrypted: | false |
SSDEEP: | 6:TMVBdc9EMdLD5Ltqc4fLGTkCQm5xupnPCTD90/QL3WIZK0QhPPFkI5kU5EtMjwu:TMHdNMNxe2kY5xu1PCnWimI00ONkak6t |
MD5: | 0B75967CE7823399CC9E68BFB39555AB |
SHA1: | 091F7FD13C40120E60A7DB5EF077C57FE360A7A4 |
SHA-256: | E063C3FB1FAC640CC3A5D45DC8B1C4118D9E49F038353D08E3007895D01B2C66 |
SHA-512: | 90AA3E8082FCED94D90E5EF2EC85FA5A1A7D34BE809FCEEA0BC537C57B8A7007D37783E910A6A06B02D30CF7C099EBD0A89D7A29CBF2A008AC60D05A96A916D0 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 360 |
Entropy (8bit): | 5.115695135561688 |
Encrypted: | false |
SSDEEP: | 6:TMVBdc9EMdLD5Ltqc4GLxHcO7IG+X3PCTD90/QL3WIZK0QhPPFyhBcEEtMjwu:TMHdNMNxvLf7IG+nPCnWimI00ONmZEty |
MD5: | 995D36FBF50B147C5BBB8631E1818BCB |
SHA1: | A717E139D22DADFDF5E3001311548D2B8162736B |
SHA-256: | 1037C0DB52D760F85E31788A79938F98C02DAAA503EB1EF17428780DA5CF7A53 |
SHA-512: | BCF4CF4E390276F2D2028515C9AC177F5DC06B1116676F21431CA96F442615E211EB3C8BC36A86F271F937F25B90911AD29088EEFBEC6212C61FE80D0E00A2EF |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 350 |
Entropy (8bit): | 5.103042002751772 |
Encrypted: | false |
SSDEEP: | 6:TMVBdc9EMdLD5Ltqc4Jfh8xPCTD90/QL3WIZK0QhPPFgE5EtMjwu:TMHdNMNxi58xPCnWimI00ONd5EtMb |
MD5: | 1D0E1196E21C30784542EA183D95A74A |
SHA1: | CE8404D40C89CAA6AADC3CBF0ABB29A289D1E1FE |
SHA-256: | 38D4C1B1A09D82ACE7C8FA471101DCB9DD56C6F7DB175C3EFC8505312D651F66 |
SHA-512: | C369214C76B5F5BD6D0A6C3215924D1104D47D9FAE590C5BE6DB97AE208CEADED5C7F458C749C7E3E7DEC50957F85E737B608C2FD6C9E80182AFF042B0DEE41E |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 356 |
Entropy (8bit): | 5.129962863682922 |
Encrypted: | false |
SSDEEP: | 6:TMVBdc9EMdLD5Ltqc4UxGwjkl3GPCTD90/QL3WIZK0QhPPF8K0QU5EtMjwu:TMHdNMNxhGwQl3GPCnWimI00ON8K075t |
MD5: | 9EE7BB9F737A35DFED726C4336113B67 |
SHA1: | AD66D3D924114AF6CCFBA356BE34F2F31363B218 |
SHA-256: | E9840BF4F1450FC2AF52F31F730021228A7CB245A9618D2869C5C8AC3A9265D3 |
SHA-512: | E140396C5BBDD8C96C0826DA5A79BD7E76118612485005F11ABBFEA4531159802B10B7D98A37AB166C629B2BD3DE30DF0A2F76C99D003AD12814C6C62A12F02F |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 354 |
Entropy (8bit): | 5.097430067460448 |
Encrypted: | false |
SSDEEP: | 6:TMVBdc9EMdLD5Ltqc4Qun2Bpm+PCTD90/QL3WIZK0QhPPFAkEtMjwu:TMHdNMNx0nUpm+PCnWimI00ONxEtMb |
MD5: | A20F5AC3338194FC43A94D368F1C9BC4 |
SHA1: | AB3F7F046C8BD7B4C9D859B489E1125AC0A1BF8E |
SHA-256: | E6ADD4201A8FA3A044175A4FBBCA41E37D77B534B4E6673B2E0750DC55A27567 |
SHA-512: | CF7D7AA80F1E1BC5593AF427094F393F96EB82086EFE6D79437CFF5A319128789FB371C14E36A76062FCBC6E74A0E0611180B6B24015AC9408E1DFE4E7953331 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 356 |
Entropy (8bit): | 5.157487660473765 |
Encrypted: | false |
SSDEEP: | 6:TMVBdc9EMdLD5Ltqc4oTZE+dSVX3PCTD90/QL3WIZK0QhPPF6Kq5EtMjwu:TMHdNMNxxZE+ol3PCnWimI00ON6Kq5Es |
MD5: | 9CC05798E2875E33DA3EDF0EC27114E7 |
SHA1: | FCA636B9EE2F1ED2BE5CC432D7858B2A1F39448C |
SHA-256: | E49C4CC7CB305E47A167A3CF2903AC6ACFE07BB3B4A768C6E5CE7456382FB759 |
SHA-512: | 097E6FD828903745B87C0CABEF36F5B68416CD17AA5BE9A777BCACC3A8AA6951BCC234E42B3D6290FF87AFCB6C8A38A6DC73AD181DE0C479BAD4BFCFD151C6AE |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 358 |
Entropy (8bit): | 5.13236679854782 |
Encrypted: | false |
SSDEEP: | 6:TMVBdc9EMdLD5Ltqc4YX2nWisFVUB+PCTD90/QL3WIZK0QhPPF02CqEtMjwu:TMHdNMNxcWiC++PCnWimI00ONVEtMb |
MD5: | 10F611B03BE4A108C81266AFDCD91385 |
SHA1: | 12FBE36DE82221E790A9A5D466BB2662571FF974 |
SHA-256: | D0BCC8F1B999D1ECCD3ADBE429D4CE109D233FF0A713690067BC285BAC7ACAA1 |
SHA-512: | 0F05E1D796C0EC220F3A159ADAA979E5F7DC8CCA6751D115595DF405D50F9A8F037D9B309523C9FA1FC6BC2B72FC7C898E10918610FAD70B8A6FC1726EFAA5ED |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 354 |
Entropy (8bit): | 5.133907694283372 |
Encrypted: | false |
SSDEEP: | 6:TMVBdc9EMdLD5Ltqc4Inb17y3+GcPCTD90/QL3WIZK0QhPPFiwE5EtMjwu:TMHdNMNxfnZ23+5PCnWimI00ONe5EtMb |
MD5: | 7C6EB178DBB04EBFC7E6B9C793025BC0 |
SHA1: | 326D228502753815F74904D961CF0C9734D9201A |
SHA-256: | D1273EDCD6D95D4D85DC4F1F090A939C59D9B88E01F6B5DB815506A180D4DE6A |
SHA-512: | 01725A4426637D7770EBCB78CA365C13DAD5095B5D7BAB96F7CB93E4921BBD40CD7E82B6F9F864B50EC0435564CF584F4CAC20C8D7E3EA16C0E08081F06D6D13 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.08578582712352636 |
Encrypted: | false |
SSDEEP: | 3:NUofhQ0SA/WU/lg/lclllv/nt+lybltll1lRslkhlEkll/aEhh4V7:fpQ/AecgUFAlkxHbh4V7 |
MD5: | A290D9C564235C12A4957F7722B9C169 |
SHA1: | DE05A28BE040AA95C2D8D6A6CC15780A22C98032 |
SHA-256: | 4763A26542D87F93254C9A1BE3DE157209CE44AEEE8225E2C45E8CC4C945E71B |
SHA-512: | DB37057AF3CFDDCBF6252D32D5C11D7134D3C90DEF8F4062A526B3C5B28A5AB31354EC4BE00381CE85D6D83CFAEFE49DCD2B6F59EBF930F1BE899CE497529781 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.06045461972774207 |
Encrypted: | false |
SSDEEP: | 3:alFXEAUolllfltE3lX9/Dl/Oly3lgHl0llftRslkhlEkllM+lylhllAlFJejl+lE:a/vllsngF0/AlkxFIBGKjEW1 |
MD5: | 9FFCF967410609EAB508F254E7CA6AA2 |
SHA1: | 061671A355104728137C16CDEC077B7312545F36 |
SHA-256: | A3EC8754D1131E7E3F9E35A5EA52257B5CAE7686F3F4355DA048AC16F4A30E98 |
SHA-512: | 11D215E25AFE2EB70C54C54C6B4E3125382C842324889FFC15E1B9F0E333C04473E9A8EED6FBDA0C09478693811EF46EFE97A16D08209EF00496B98AFD6B6973 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.06045461972774207 |
Encrypted: | false |
SSDEEP: | 3:alFXEAUolllfltE3lX9/Dl/Oly3lgHl0llftRslkhlEkllM+lylhllAlFJejl+lE:a/vllsngF0/AlkxFIBGKjEW1 |
MD5: | 9FFCF967410609EAB508F254E7CA6AA2 |
SHA1: | 061671A355104728137C16CDEC077B7312545F36 |
SHA-256: | A3EC8754D1131E7E3F9E35A5EA52257B5CAE7686F3F4355DA048AC16F4A30E98 |
SHA-512: | 11D215E25AFE2EB70C54C54C6B4E3125382C842324889FFC15E1B9F0E333C04473E9A8EED6FBDA0C09478693811EF46EFE97A16D08209EF00496B98AFD6B6973 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 176128 |
Entropy (8bit): | 3.348410225065147 |
Encrypted: | false |
SSDEEP: | 3072:cZ/2Bfcdmu5kgTzGtPZ/2Bfc+mu5kgTzGt:VA |
MD5: | 1BC9D33003AE79A9DC826B9177CE4107 |
SHA1: | E2FE82C8A27AB5D6FEB48FC0036F41BE4F2753FF |
SHA-256: | 76493F5DDC21ABC9D0FC4172AC29CE56937AF95407FA16AF758741BD8B99C4A7 |
SHA-512: | E85C349FB6DA0E3FC7C7C215D3BC919330D9415898894F29AB806161D5AE2854389CED20A5231772E23C0DE03971D2E7C30467FC094012ECE8C20D5B97E780BD |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.05700439027613612 |
Encrypted: | false |
SSDEEP: | 3:alFXEAUolllHlly+lllX9/Dl/Oly3lgHlXXlRslkhlEkllM+lylhllAlFJejltl:a/vllrNngFAlkxFIBGKj1 |
MD5: | BAE4F7A74A5A11C6C051F0918C1CECEF |
SHA1: | C352D244D87037DE12A8995C84FF85B517F333CE |
SHA-256: | 8BC3D5AA4632E5A49AD6B02696D9535763AF4CE8D940695035F6EBED411098AE |
SHA-512: | B5F643956DEB154C4604ACD45FDE9DD8FF6CF6B4B0801DFA80B96D5A64ED7D37F095BBB2C67D09DC6895C32017B20551996E5387DFB9B34DF494237FB53A40E0 |
Malicious: | false |
Reputation: | unknown |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.669453102824052 |
TrID: | |
File name: | gECym.dll |
File size: | 263072 |
MD5: | fcb53acd5fd1637a2ac1bc69f396e92c |
SHA1: | a09432a56375c5a39856d59e402c3f8642edda7b |
SHA256: | cc7045d9fe77c4aa4cb646d01fb4700008a34f58f49358d0b0b0997d21016aab |
SHA512: | 47bcd8326a65b2a50ee7a9691853c6a6d6a424ad4e0a7760794aa20c137450017793ed9756302666b6b1aed93048d879395a6fde2c95f9b9fc67ca4bd6e38116 |
SSDEEP: | 3072:eb/VDsMK5SdPlKCXbkB9Kv1y5Gun6XKwRDcXEX55d2wNQ+XnwEf4bvuQ5OjrDGZt:WCoMRt6XKUSRACdOj57jY5jM9H8eGN |
File Content Preview: | MZ......................................................................!..L.!This -7Afram cannot be run in DOS mode....$.......PE..L...8yoa...........!.........................................................P......z................................@..... |
File Icon |
---|
Icon Hash: | 70e8d0dcbc30f462 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x100095ff |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x616F7938 [Wed Oct 20 02:04:40 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 91478fc94f6cfd55f2f79a8b82441b87 |
Authenticode Signature |
---|
Signature Valid: | false |
Signature Issuer: | CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | CED7C13C8B94994AFFCC6AD7B7DF388F |
Thumbprint SHA-1: | B27F938A1E7F314A7B60C48EA196961CDAA09F7A |
Thumbprint SHA-256: | 3C658DDCD37DFA65F69C0B35697EDAA12DBDF68388A9AD54BBEFCF24F786ABB7 |
Serial: | 5755C3BFA958E29EF9DCA3FBA9FC02D4 |
Entrypoint Preview |
---|
Instruction |
---|
xor edi, edi |
push edi |
push edi |
call dword ptr [100049F4h] |
mov edi, eax |
jmp 00007F2CF4914D60h |
mov ecx, dword ptr [edx-08h] |
lea ecx, dword ptr [ebp-18h] |
int3 |
push esi |
mov eax, 004159B8h |
int3 |
jmp dword ptr [0041271Ch] |
mov ebp, esp |
jmp 00007F2CF4902914h |
inc esi |
pop ebp |
int3 |
xor ecx, eax |
call 00007F2CF49012EEh |
xor edx, dword ptr [ebp+28h] |
add edx, 46h |
xor edx, edx |
add edx, 3077A3CDh |
xor edx, dword ptr [1003B15Bh] |
add edx, 01h |
xor edx, dword ptr [ebp+24h] |
mov dword ptr [1003BD39h], edx |
mov esi, edx |
add esi, D6F0E4A5h |
sub esi, dword ptr [ebp+28h] |
add esi, 648A3A98h |
xor esi, 72h |
mov dword ptr [ebp+14h], esi |
push 10018AA4h |
ret |
jne 00007F2CF4903086h |
mov eax, 00416654h |
int3 |
jmp dword ptr [004126F8h] |
call 00007F2CF490245Fh |
int3 |
jmp dword ptr [004121ACh] |
int3 |
int3 |
jmp dword ptr [0041271Ch] |
jmp 00007F2CF4902A43h |
xor esi, esi |
add esi, dword ptr [1003C07Dh] |
sub esi, 284AC1ACh |
add esi, dword ptr [1003C34Dh] |
mov dword ptr [1003C34Dh], esi |
push 1003491Ah |
push 1003568Ah |
call dword ptr [10004ADCh] |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x400c | 0x84 | .text |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4ba8 | 0xa0 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x1020 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3e600 | 0x1da0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x42000 | 0x27e4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x49b8 | 0x1f0 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1b22d | 0x1b400 | False | 0.555260894495 | data | 6.48316057239 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x1d000 | 0x1f0 | 0x200 | False | 0.49609375 | COM executable for DOS | 3.58053780946 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1e000 | 0x21a2a | 0x1e600 | False | 0.583116319444 | data | 6.017622124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x40000 | 0x1020 | 0x1200 | False | 0.330512152778 | data | 3.17732875516 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x42000 | 0x27e4 | 0x2800 | False | 0.80029296875 | data | 6.81110960286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x401c0 | 0x8a8 | data | English | United States |
RT_ICON | 0x40a68 | 0x2e8 | data | English | United States |
RT_STRING | 0x40d50 | 0x40 | data | English | United States |
RT_STRING | 0x40d90 | 0x74 | data | English | United States |
RT_GROUP_ICON | 0x40e04 | 0x14 | data | English | United States |
RT_GROUP_ICON | 0x40e18 | 0x14 | data | English | United States |
RT_VERSION | 0x40e2c | 0x1f4 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
kbdal.dll | KbdLayerDescriptor |
kernel32.dll | QueryPerformanceFrequency, GetCurrentThreadId, VirtualProtect, WaitForSingleObjectEx, QueryPerformanceCounter, EnterCriticalSection, CreateDirectoryW, GlobalFree, GetStartupInfoW, AttachConsole, SetCurrentDirectoryW, WaitForSingleObject, GlobalLock, LocalAlloc, GetTempPathW, GetCurrentProcess, GetTickCount, GetLastError, GetModuleHandleW, AllocConsole, FindNextFileW, SetEvent, LocalFree, ResetEvent, ReadConsoleW, GlobalUnlock, IsProcessorFeaturePresent, Sleep, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, FindClose, GetSystemDefaultUILanguage, GetStdHandle, InitializeSListHead, OpenProcess, CloseHandle, CreateWaitableTimerW, CreateEventW, GetModuleHandleA, TerminateProcess, GetUserDefaultUILanguage, LeaveCriticalSection, SetConsoleTitleW, SetWaitableTimer, WriteConsoleW, DeleteCriticalSection, FindFirstFileW, GetCurrentProcessId, GetCommandLineW, SetUnhandledExceptionFilter, SetConsoleTextAttribute, UnhandledExceptionFilter, GlobalSize, GetProcAddress |
ole32.dll | PropVariantClear, StringFromGUID2, CoUninitialize, RegisterDragDrop, CreateItemMoniker, CreateStreamOnHGlobal, GetRunningObjectTable, OleInitialize, CoCreateInstance, OleUninitialize, RevokeDragDrop, CoCreateGuid, CoTaskMemFree, CoInitializeEx |
shell32.dll | SHChangeNotify, CommandLineToArgvW, ShellExecuteW |
shlwapi.dll | PathCompactPathExW, PathFindExtensionW, PathBuildRootW, PathGetDriveNumberW, PathStripPathW, PathRemoveExtensionW, PathIsNetworkPathW |
user32.dll | GetClientRect, RegisterClipboardFormatW, IsWindow, SetKeyboardState, SetCapture, GetKeyboardState, ReleaseCapture, TranslateMessage, GetWindowRect, GetWindowInfo, SetWindowLongW, IsWindowVisible, ShowWindow, GetParent, LoadIconW, ClientToScreen, ScreenToClient, TrackPopupMenu, MsgWaitForMultipleObjectsEx, DestroyMenu, GetSystemMetrics, IsIconic, GetKeyState, GetCursorPos, RegisterClassW, GetWindowLongW, SetWindowPos, PostMessageW, IsClipboardFormatAvailable, DispatchMessageW, MessageBoxW, SetCursorPos, AppendMenuW, CreatePopupMenu, SetCursor, CreateWindowExW, DefWindowProcW |
wmpshell.dll | DllUnregisterServer |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
DllUnregisterServer | 1 | 0x10006e4f |
DllRegisterServer | 2 | 0x1000dfa9 |
DllGetClassObject | 3 | 0x10013662 |
DllCanUnloadNow | 4 | 0x1001658e |
Version Infos |
---|
Description | Data |
---|---|
InternalName | Similative |
PrivateBuild | Crystallic |
LegalTrademarks | Codeine |
FileVersion | 6, 7, 8, 6 |
CompanyName | Star Force |
Translation | 0x0409 0x04e4 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 20, 2021 15:08:35.889739037 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.889781952 CEST | 443 | 49784 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.889837980 CEST | 49785 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.889863014 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.889867067 CEST | 443 | 49785 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.890306950 CEST | 49785 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.891561031 CEST | 49785 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.891627073 CEST | 443 | 49785 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.892085075 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.892107010 CEST | 443 | 49784 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.932991982 CEST | 443 | 49784 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.933101892 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.939477921 CEST | 443 | 49785 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.939654112 CEST | 49785 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.939768076 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.939785957 CEST | 443 | 49784 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.940016985 CEST | 443 | 49784 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.940082073 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.940695047 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.949043036 CEST | 49785 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.949062109 CEST | 443 | 49785 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.949428082 CEST | 443 | 49785 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.949606895 CEST | 49785 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.972785950 CEST | 443 | 49784 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.972893000 CEST | 443 | 49784 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:35.972942114 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.972973108 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.975054026 CEST | 49784 | 443 | 192.168.2.5 | 104.20.184.68 |
Oct 20, 2021 15:08:35.975086927 CEST | 443 | 49784 | 104.20.184.68 | 192.168.2.5 |
Oct 20, 2021 15:08:42.157363892 CEST | 49820 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.157413960 CEST | 443 | 49820 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.157511950 CEST | 49820 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.159472942 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.159528971 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.159689903 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.161057949 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.161096096 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.176109076 CEST | 49820 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.176148891 CEST | 443 | 49820 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.210551977 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.210813046 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.214256048 CEST | 443 | 49820 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.214443922 CEST | 49820 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.306514978 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.306580067 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.307080984 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.307097912 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.307351112 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.307446957 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.315216064 CEST | 49820 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.315546036 CEST | 443 | 49820 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.315674067 CEST | 49820 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.338458061 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338540077 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338579893 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338610888 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.338618040 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338632107 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338684082 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.338690042 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338704109 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338733912 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.338762999 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.338767052 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338778019 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338808060 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.338845968 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.338855982 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338876009 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:42.338898897 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.338929892 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.683657885 CEST | 49821 | 443 | 192.168.2.5 | 104.26.7.139 |
Oct 20, 2021 15:08:42.683698893 CEST | 443 | 49821 | 104.26.7.139 | 192.168.2.5 |
Oct 20, 2021 15:08:50.291220903 CEST | 49824 | 443 | 192.168.2.5 | 172.217.168.38 |
Oct 20, 2021 15:08:50.291261911 CEST | 443 | 49824 | 172.217.168.38 | 192.168.2.5 |
Oct 20, 2021 15:08:50.291372061 CEST | 49824 | 443 | 192.168.2.5 | 172.217.168.38 |
Oct 20, 2021 15:08:50.295773029 CEST | 49825 | 443 | 192.168.2.5 | 172.217.168.38 |
Oct 20, 2021 15:08:50.295825005 CEST | 443 | 49825 | 172.217.168.38 | 192.168.2.5 |
Oct 20, 2021 15:08:50.295924902 CEST | 49825 | 443 | 192.168.2.5 | 172.217.168.38 |
Oct 20, 2021 15:08:50.303937912 CEST | 49825 | 443 | 192.168.2.5 | 172.217.168.38 |
Oct 20, 2021 15:08:50.303991079 CEST | 443 | 49825 | 172.217.168.38 | 192.168.2.5 |
Oct 20, 2021 15:08:50.312355995 CEST | 49826 | 443 | 192.168.2.5 | 104.26.3.70 |
Oct 20, 2021 15:08:50.312412977 CEST | 443 | 49826 | 104.26.3.70 | 192.168.2.5 |
Oct 20, 2021 15:08:50.312592030 CEST | 49826 | 443 | 192.168.2.5 | 104.26.3.70 |
Oct 20, 2021 15:08:50.314461946 CEST | 49827 | 443 | 192.168.2.5 | 104.26.3.70 |
Oct 20, 2021 15:08:50.314502954 CEST | 443 | 49827 | 104.26.3.70 | 192.168.2.5 |
Oct 20, 2021 15:08:50.319432020 CEST | 49827 | 443 | 192.168.2.5 | 104.26.3.70 |
Oct 20, 2021 15:08:50.319477081 CEST | 49827 | 443 | 192.168.2.5 | 104.26.3.70 |
Oct 20, 2021 15:08:50.319484949 CEST | 443 | 49827 | 104.26.3.70 | 192.168.2.5 |
Oct 20, 2021 15:08:50.364216089 CEST | 443 | 49827 | 104.26.3.70 | 192.168.2.5 |
Oct 20, 2021 15:08:50.364347935 CEST | 443 | 49827 | 104.26.3.70 | 192.168.2.5 |
Oct 20, 2021 15:08:50.364407063 CEST | 49827 | 443 | 192.168.2.5 | 104.26.3.70 |
Oct 20, 2021 15:08:50.364474058 CEST | 49827 | 443 | 192.168.2.5 | 104.26.3.70 |
Oct 20, 2021 15:08:50.366620064 CEST | 443 | 49825 | 172.217.168.38 | 192.168.2.5 |
Oct 20, 2021 15:08:50.366776943 CEST | 49825 | 443 | 192.168.2.5 | 172.217.168.38 |
Oct 20, 2021 15:08:50.391625881 CEST | 49824 | 443 | 192.168.2.5 | 172.217.168.38 |
Oct 20, 2021 15:08:50.391660929 CEST | 443 | 49824 | 172.217.168.38 | 192.168.2.5 |
Oct 20, 2021 15:08:50.398144007 CEST | 49826 | 443 | 192.168.2.5 | 104.26.3.70 |
Oct 20, 2021 15:08:50.398180962 CEST | 443 | 49826 | 104.26.3.70 | 192.168.2.5 |
Oct 20, 2021 15:08:50.405420065 CEST | 49827 | 443 | 192.168.2.5 | 104.26.3.70 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 20, 2021 15:08:30.124794960 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:34.783061028 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:35.327625990 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:35.347404957 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:08:35.864444971 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:35.886532068 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:08:38.127250910 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:38.147479057 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:08:38.603321075 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:38.624269009 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:08:40.389971972 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:42.134711981 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:42.155055046 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:08:50.150769949 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:50.176003933 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:08:50.207711935 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:50.230431080 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:08:51.055684090 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:55.795512915 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:08:55.814032078 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:10:41.611599922 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:10:41.696527004 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:10:48.063822031 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:10:54.487529039 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:12:01.904071093 CEST | 56432 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:12:01.930294037 CEST | 53 | 56432 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:12:02.095237970 CEST | 52929 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:12:02.116945028 CEST | 53 | 52929 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:12:08.391160011 CEST | 64317 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:12:08.409462929 CEST | 53 | 64317 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:12:14.814949036 CEST | 56895 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:12:14.839359999 CEST | 53 | 56895 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:12:39.636048079 CEST | 57515 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:12:39.637876987 CEST | 58199 | 53 | 192.168.2.5 | 8.8.8.8 |
Oct 20, 2021 15:12:39.655416965 CEST | 53 | 57515 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:12:39.655639887 CEST | 53 | 58199 | 8.8.8.8 | 192.168.2.5 |
Oct 20, 2021 15:12:39.658279896 CEST | 58200 | 53 | 192.168.2.5 | 208.67.222.222 |
Oct 20, 2021 15:12:39.660295963 CEST | 58201 | 53 | 192.168.2.5 | 208.67.222.222 |
Oct 20, 2021 15:12:39.674038887 CEST | 53 | 58200 | 208.67.222.222 | 192.168.2.5 |
Oct 20, 2021 15:12:39.675090075 CEST | 58202 | 53 | 192.168.2.5 | 208.67.222.222 |
Oct 20, 2021 15:12:39.675980091 CEST | 53 | 58201 | 208.67.222.222 | 192.168.2.5 |
Oct 20, 2021 15:12:39.676615000 CEST | 58203 | 53 | 192.168.2.5 | 208.67.222.222 |
Oct 20, 2021 15:12:39.690810919 CEST | 53 | 58202 | 208.67.222.222 | 192.168.2.5 |
Oct 20, 2021 15:12:39.692991972 CEST | 53 | 58203 | 208.67.222.222 | 192.168.2.5 |
Oct 20, 2021 15:12:39.697055101 CEST | 58204 | 53 | 192.168.2.5 | 208.67.222.222 |
Oct 20, 2021 15:12:39.697527885 CEST | 58205 | 53 | 192.168.2.5 | 208.67.222.222 |
Oct 20, 2021 15:12:39.712977886 CEST | 53 | 58204 | 208.67.222.222 | 192.168.2.5 |
Oct 20, 2021 15:12:39.713160992 CEST | 53 | 58205 | 208.67.222.222 | 192.168.2.5 |
Oct 20, 2021 15:12:39.970794916 CEST | 53 | 65221 | 8.8.8.8 | 192.168.2.5 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Oct 20, 2021 15:08:30.124794960 CEST | 192.168.2.5 | 8.8.8.8 | 0x9bed | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:34.783061028 CEST | 192.168.2.5 | 8.8.8.8 | 0x9bf0 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:35.327625990 CEST | 192.168.2.5 | 8.8.8.8 | 0x4079 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:35.864444971 CEST | 192.168.2.5 | 8.8.8.8 | 0x8e2a | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:38.127250910 CEST | 192.168.2.5 | 8.8.8.8 | 0x427 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:38.603321075 CEST | 192.168.2.5 | 8.8.8.8 | 0x2333 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:40.389971972 CEST | 192.168.2.5 | 8.8.8.8 | 0x8204 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:42.134711981 CEST | 192.168.2.5 | 8.8.8.8 | 0x5b7b | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:50.150769949 CEST | 192.168.2.5 | 8.8.8.8 | 0xb143 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:50.207711935 CEST | 192.168.2.5 | 8.8.8.8 | 0xd300 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:51.055684090 CEST | 192.168.2.5 | 8.8.8.8 | 0x4857 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:08:55.795512915 CEST | 192.168.2.5 | 8.8.8.8 | 0xd38f | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:12:01.904071093 CEST | 192.168.2.5 | 8.8.8.8 | 0xabcb | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:12:02.095237970 CEST | 192.168.2.5 | 8.8.8.8 | 0x7101 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:12:08.391160011 CEST | 192.168.2.5 | 8.8.8.8 | 0xbb42 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:12:14.814949036 CEST | 192.168.2.5 | 8.8.8.8 | 0x3bf8 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:12:39.636048079 CEST | 192.168.2.5 | 8.8.8.8 | 0x8546 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:12:39.637876987 CEST | 192.168.2.5 | 8.8.8.8 | 0x1e25 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:12:39.658279896 CEST | 192.168.2.5 | 208.67.222.222 | 0x1 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | |
Oct 20, 2021 15:12:39.660295963 CEST | 192.168.2.5 | 208.67.222.222 | 0x1 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | |
Oct 20, 2021 15:12:39.675090075 CEST | 192.168.2.5 | 208.67.222.222 | 0x2 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:12:39.676615000 CEST | 192.168.2.5 | 208.67.222.222 | 0x2 | Standard query (0) | A (IP address) | IN (0x0001) | |
Oct 20, 2021 15:12:39.697055101 CEST | 192.168.2.5 | 208.67.222.222 | 0x3 | Standard query (0) | 28 | IN (0x0001) | |
Oct 20, 2021 15:12:39.697527885 CEST | 192.168.2.5 | 208.67.222.222 | 0x3 | Standard query (0) | 28 | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Oct 20, 2021 15:08:30.142769098 CEST | 8.8.8.8 | 192.168.2.5 | 0x9bed | No error (0) | www-msn-com.a-0003.a-msedge.net | CNAME (Canonical name) | IN (0x0001) | ||
Oct 20, 2021 15:08:34.812608957 CEST | 8.8.8.8 | 192.168.2.5 | 0x9bf0 | No error (0) | web.vortex.data.microsoft.com | CNAME (Canonical name) | IN (0x0001) | ||
Oct 20, 2021 15:08:35.347404957 CEST | 8.8.8.8 | 192.168.2.5 | 0x4079 | No error (0) | 23.211.6.95 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:35.886532068 CEST | 8.8.8.8 | 192.168.2.5 | 0x8e2a | No error (0) | 104.20.184.68 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:35.886532068 CEST | 8.8.8.8 | 192.168.2.5 | 0x8e2a | No error (0) | 104.20.185.68 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:38.147479057 CEST | 8.8.8.8 | 192.168.2.5 | 0x427 | No error (0) | 23.211.6.95 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:38.624269009 CEST | 8.8.8.8 | 192.168.2.5 | 0x2333 | No error (0) | 23.211.6.95 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:40.407922983 CEST | 8.8.8.8 | 192.168.2.5 | 0x8204 | No error (0) | cvision.media.net.edgekey.net | CNAME (Canonical name) | IN (0x0001) | ||
Oct 20, 2021 15:08:42.155055046 CEST | 8.8.8.8 | 192.168.2.5 | 0x5b7b | No error (0) | 104.26.7.139 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:42.155055046 CEST | 8.8.8.8 | 192.168.2.5 | 0x5b7b | No error (0) | 104.26.6.139 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:42.155055046 CEST | 8.8.8.8 | 192.168.2.5 | 0x5b7b | No error (0) | 172.67.70.134 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:50.176003933 CEST | 8.8.8.8 | 192.168.2.5 | 0xb143 | No error (0) | dart.l.doubleclick.net | CNAME (Canonical name) | IN (0x0001) | ||
Oct 20, 2021 15:08:50.176003933 CEST | 8.8.8.8 | 192.168.2.5 | 0xb143 | No error (0) | 172.217.168.38 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:50.230431080 CEST | 8.8.8.8 | 192.168.2.5 | 0xd300 | No error (0) | 104.26.3.70 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:50.230431080 CEST | 8.8.8.8 | 192.168.2.5 | 0xd300 | No error (0) | 172.67.69.19 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:50.230431080 CEST | 8.8.8.8 | 192.168.2.5 | 0xd300 | No error (0) | 104.26.2.70 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:51.086312056 CEST | 8.8.8.8 | 192.168.2.5 | 0x4857 | No error (0) | www.msn.com | CNAME (Canonical name) | IN (0x0001) | ||
Oct 20, 2021 15:08:51.086312056 CEST | 8.8.8.8 | 192.168.2.5 | 0x4857 | No error (0) | www-msn-com.a-0003.a-msedge.net | CNAME (Canonical name) | IN (0x0001) | ||
Oct 20, 2021 15:08:55.814032078 CEST | 8.8.8.8 | 192.168.2.5 | 0xd38f | No error (0) | tls13.taboola.map.fastly.net | CNAME (Canonical name) | IN (0x0001) | ||
Oct 20, 2021 15:08:55.814032078 CEST | 8.8.8.8 | 192.168.2.5 | 0xd38f | No error (0) | 151.101.1.44 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:55.814032078 CEST | 8.8.8.8 | 192.168.2.5 | 0xd38f | No error (0) | 151.101.65.44 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:55.814032078 CEST | 8.8.8.8 | 192.168.2.5 | 0xd38f | No error (0) | 151.101.129.44 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:08:55.814032078 CEST | 8.8.8.8 | 192.168.2.5 | 0xd38f | No error (0) | 151.101.193.44 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:12:01.930294037 CEST | 8.8.8.8 | 192.168.2.5 | 0xabcb | No error (0) | 31.220.111.98 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:12:02.116945028 CEST | 8.8.8.8 | 192.168.2.5 | 0x7101 | No error (0) | 31.220.111.98 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:12:08.409462929 CEST | 8.8.8.8 | 192.168.2.5 | 0xbb42 | No error (0) | 31.220.111.98 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:12:14.839359999 CEST | 8.8.8.8 | 192.168.2.5 | 0x3bf8 | No error (0) | 31.220.111.98 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:12:39.655416965 CEST | 8.8.8.8 | 192.168.2.5 | 0x8546 | No error (0) | 208.67.222.222 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:12:39.655639887 CEST | 8.8.8.8 | 192.168.2.5 | 0x1e25 | No error (0) | 208.67.222.222 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:12:39.674038887 CEST | 208.67.222.222 | 192.168.2.5 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Oct 20, 2021 15:12:39.674038887 CEST | 208.67.222.222 | 192.168.2.5 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Oct 20, 2021 15:12:39.674038887 CEST | 208.67.222.222 | 192.168.2.5 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Oct 20, 2021 15:12:39.675980091 CEST | 208.67.222.222 | 192.168.2.5 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Oct 20, 2021 15:12:39.675980091 CEST | 208.67.222.222 | 192.168.2.5 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Oct 20, 2021 15:12:39.675980091 CEST | 208.67.222.222 | 192.168.2.5 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Oct 20, 2021 15:12:39.690810919 CEST | 208.67.222.222 | 192.168.2.5 | 0x2 | No error (0) | 102.129.143.33 | A (IP address) | IN (0x0001) | ||
Oct 20, 2021 15:12:39.692991972 CEST | 208.67.222.222 | 192.168.2.5 | 0x2 | No error (0) | 102.129.143.33 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
|
HTTPS Proxied Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.5 | 49784 | 104.20.184.68 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:35 UTC | 0 | OUT | |
2021-10-20 13:08:35 UTC | 0 | IN | |
2021-10-20 13:08:35 UTC | 0 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.5 | 49821 | 104.26.7.139 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:42 UTC | 0 | OUT | |
2021-10-20 13:08:42 UTC | 1 | IN | |
2021-10-20 13:08:42 UTC | 1 | IN | |
2021-10-20 13:08:42 UTC | 2 | IN | |
2021-10-20 13:08:42 UTC | 3 | IN | |
2021-10-20 13:08:42 UTC | 5 | IN | |
2021-10-20 13:08:42 UTC | 6 | IN | |
2021-10-20 13:08:42 UTC | 7 | IN | |
2021-10-20 13:08:42 UTC | 9 | IN | |
2021-10-20 13:08:42 UTC | 10 | IN | |
2021-10-20 13:08:42 UTC | 11 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
10 | 192.168.2.5 | 49952 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:02 UTC | 113 | OUT | |
2021-10-20 13:12:03 UTC | 114 | IN | |
2021-10-20 13:12:03 UTC | 115 | IN | |
2021-10-20 13:12:03 UTC | 146 | IN | |
2021-10-20 13:12:03 UTC | 162 | IN | |
2021-10-20 13:12:04 UTC | 210 | IN | |
2021-10-20 13:12:04 UTC | 242 | IN | |
2021-10-20 13:12:04 UTC | 274 | IN | |
2021-10-20 13:12:04 UTC | 290 | IN | |
2021-10-20 13:12:04 UTC | 338 | IN | |
2021-10-20 13:12:05 UTC | 354 | IN | |
2021-10-20 13:12:05 UTC | 402 | IN | |
2021-10-20 13:12:05 UTC | 418 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
11 | 192.168.2.5 | 49954 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:02 UTC | 114 | OUT | |
2021-10-20 13:12:03 UTC | 130 | IN | |
2021-10-20 13:12:03 UTC | 131 | IN | |
2021-10-20 13:12:03 UTC | 178 | IN | |
2021-10-20 13:12:03 UTC | 194 | IN | |
2021-10-20 13:12:04 UTC | 226 | IN | |
2021-10-20 13:12:04 UTC | 258 | IN | |
2021-10-20 13:12:04 UTC | 306 | IN | |
2021-10-20 13:12:04 UTC | 322 | IN | |
2021-10-20 13:12:05 UTC | 370 | IN | |
2021-10-20 13:12:05 UTC | 386 | IN | |
2021-10-20 13:12:05 UTC | 433 | IN | |
2021-10-20 13:12:05 UTC | 449 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
12 | 192.168.2.5 | 49960 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:05 UTC | 464 | OUT | |
2021-10-20 13:12:06 UTC | 465 | IN | |
2021-10-20 13:12:06 UTC | 466 | IN | |
2021-10-20 13:12:06 UTC | 481 | IN | |
2021-10-20 13:12:06 UTC | 497 | IN | |
2021-10-20 13:12:06 UTC | 513 | IN | |
2021-10-20 13:12:06 UTC | 545 | IN | |
2021-10-20 13:12:07 UTC | 561 | IN | |
2021-10-20 13:12:07 UTC | 577 | IN | |
2021-10-20 13:12:07 UTC | 625 | IN | |
2021-10-20 13:12:07 UTC | 657 | IN | |
2021-10-20 13:12:07 UTC | 673 | IN | |
2021-10-20 13:12:07 UTC | 689 | IN | |
2021-10-20 13:12:07 UTC | 721 | IN | |
2021-10-20 13:12:07 UTC | 737 | IN | |
2021-10-20 13:12:07 UTC | 753 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
13 | 192.168.2.5 | 49961 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:05 UTC | 465 | OUT | |
2021-10-20 13:12:06 UTC | 529 | IN | |
2021-10-20 13:12:06 UTC | 530 | IN | |
2021-10-20 13:12:07 UTC | 593 | IN | |
2021-10-20 13:12:07 UTC | 609 | IN | |
2021-10-20 13:12:07 UTC | 641 | IN | |
2021-10-20 13:12:07 UTC | 705 | IN | |
2021-10-20 13:12:08 UTC | 768 | IN | |
2021-10-20 13:12:08 UTC | 784 | IN | |
2021-10-20 13:12:08 UTC | 801 | IN | |
2021-10-20 13:12:08 UTC | 817 | IN | |
2021-10-20 13:12:08 UTC | 833 | IN | |
2021-10-20 13:12:08 UTC | 851 | IN | |
2021-10-20 13:12:08 UTC | 867 | IN | |
2021-10-20 13:12:09 UTC | 883 | IN | |
2021-10-20 13:12:09 UTC | 899 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
14 | 192.168.2.5 | 49962 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:08 UTC | 800 | OUT | |
2021-10-20 13:12:08 UTC | 849 | IN | |
2021-10-20 13:12:08 UTC | 849 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
15 | 192.168.2.5 | 49963 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:08 UTC | 849 | OUT | |
2021-10-20 13:12:09 UTC | 914 | IN | |
2021-10-20 13:12:09 UTC | 915 | IN | |
2021-10-20 13:12:09 UTC | 930 | IN | |
2021-10-20 13:12:09 UTC | 946 | IN | |
2021-10-20 13:12:09 UTC | 963 | IN | |
2021-10-20 13:12:10 UTC | 979 | IN | |
2021-10-20 13:12:10 UTC | 997 | IN | |
2021-10-20 13:12:10 UTC | 1013 | IN | |
2021-10-20 13:12:10 UTC | 1029 | IN | |
2021-10-20 13:12:10 UTC | 1045 | IN | |
2021-10-20 13:12:10 UTC | 1061 | IN | |
2021-10-20 13:12:10 UTC | 1077 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
16 | 192.168.2.5 | 49965 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:09 UTC | 962 | OUT | |
2021-10-20 13:12:10 UTC | 995 | IN | |
2021-10-20 13:12:10 UTC | 995 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
17 | 192.168.2.5 | 49967 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:10 UTC | 1092 | OUT | |
2021-10-20 13:12:11 UTC | 1092 | IN | |
2021-10-20 13:12:11 UTC | 1092 | IN | |
2021-10-20 13:12:11 UTC | 1108 | IN | |
2021-10-20 13:12:11 UTC | 1124 | IN | |
2021-10-20 13:12:11 UTC | 1140 | IN | |
2021-10-20 13:12:12 UTC | 1156 | IN | |
2021-10-20 13:12:12 UTC | 1172 | IN | |
2021-10-20 13:12:12 UTC | 1188 | IN | |
2021-10-20 13:12:12 UTC | 1204 | IN | |
2021-10-20 13:12:12 UTC | 1220 | IN | |
2021-10-20 13:12:12 UTC | 1236 | IN | |
2021-10-20 13:12:13 UTC | 1252 | IN | |
2021-10-20 13:12:13 UTC | 1268 | IN | |
2021-10-20 13:12:13 UTC | 1284 | IN | |
2021-10-20 13:12:13 UTC | 1300 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
18 | 192.168.2.5 | 49968 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:13 UTC | 1315 | OUT | |
2021-10-20 13:12:14 UTC | 1315 | IN | |
2021-10-20 13:12:14 UTC | 1316 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
19 | 192.168.2.5 | 49969 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:15 UTC | 1318 | OUT | |
2021-10-20 13:12:16 UTC | 1318 | IN | |
2021-10-20 13:12:16 UTC | 1318 | IN | |
2021-10-20 13:12:16 UTC | 1334 | IN | |
2021-10-20 13:12:16 UTC | 1350 | IN | |
2021-10-20 13:12:17 UTC | 1366 | IN | |
2021-10-20 13:12:17 UTC | 1382 | IN | |
2021-10-20 13:12:17 UTC | 1398 | IN | |
2021-10-20 13:12:17 UTC | 1414 | IN | |
2021-10-20 13:12:18 UTC | 1430 | IN | |
2021-10-20 13:12:18 UTC | 1446 | IN | |
2021-10-20 13:12:18 UTC | 1462 | IN | |
2021-10-20 13:12:18 UTC | 1478 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.5 | 49827 | 104.26.3.70 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:50 UTC | 11 | OUT | |
2021-10-20 13:08:50 UTC | 14 | IN | |
2021-10-20 13:08:50 UTC | 15 | IN | |
2021-10-20 13:08:50 UTC | 15 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
20 | 192.168.2.5 | 49970 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:20 UTC | 1493 | OUT | |
2021-10-20 13:12:21 UTC | 1493 | IN | |
2021-10-20 13:12:21 UTC | 1494 | IN | |
2021-10-20 13:12:21 UTC | 1509 | IN | |
2021-10-20 13:12:21 UTC | 1525 | IN | |
2021-10-20 13:12:21 UTC | 1541 | IN | |
2021-10-20 13:12:21 UTC | 1557 | IN | |
2021-10-20 13:12:21 UTC | 1573 | IN | |
2021-10-20 13:12:22 UTC | 1589 | IN | |
2021-10-20 13:12:22 UTC | 1605 | IN | |
2021-10-20 13:12:22 UTC | 1621 | IN | |
2021-10-20 13:12:22 UTC | 1637 | IN | |
2021-10-20 13:12:22 UTC | 1653 | IN | |
2021-10-20 13:12:22 UTC | 1669 | IN | |
2021-10-20 13:12:22 UTC | 1685 | IN | |
2021-10-20 13:12:22 UTC | 1701 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
21 | 192.168.2.5 | 49972 | 31.220.111.98 | 443 | C:\Windows\System32\loaddll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:12:24 UTC | 1716 | OUT | |
2021-10-20 13:12:25 UTC | 1717 | IN | |
2021-10-20 13:12:25 UTC | 1717 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.5 | 49825 | 172.217.168.38 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:50 UTC | 12 | OUT | |
2021-10-20 13:08:50 UTC | 12 | IN | |
2021-10-20 13:08:50 UTC | 13 | IN | |
2021-10-20 13:08:50 UTC | 13 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.5 | 49834 | 151.101.1.44 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:55 UTC | 15 | OUT | |
2021-10-20 13:08:56 UTC | 17 | IN | |
2021-10-20 13:08:56 UTC | 18 | IN | |
2021-10-20 13:08:56 UTC | 19 | IN | |
2021-10-20 13:08:56 UTC | 21 | IN | |
2021-10-20 13:08:56 UTC | 22 | IN | |
2021-10-20 13:08:56 UTC | 24 | IN | |
2021-10-20 13:08:56 UTC | 25 | IN | |
2021-10-20 13:08:56 UTC | 26 | IN | |
2021-10-20 13:08:56 UTC | 28 | IN | |
2021-10-20 13:08:56 UTC | 29 | IN | |
2021-10-20 13:08:56 UTC | 30 | IN | |
2021-10-20 13:08:56 UTC | 32 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
5 | 192.168.2.5 | 49835 | 151.101.1.44 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:55 UTC | 16 | OUT | |
2021-10-20 13:08:56 UTC | 44 | IN | |
2021-10-20 13:08:56 UTC | 45 | IN | |
2021-10-20 13:08:56 UTC | 46 | IN | |
2021-10-20 13:08:56 UTC | 48 | IN | |
2021-10-20 13:08:56 UTC | 49 | IN | |
2021-10-20 13:08:56 UTC | 50 | IN | |
2021-10-20 13:08:56 UTC | 52 | IN | |
2021-10-20 13:08:56 UTC | 53 | IN | |
2021-10-20 13:08:56 UTC | 54 | IN | |
2021-10-20 13:08:56 UTC | 56 | IN | |
2021-10-20 13:08:56 UTC | 57 | IN | |
2021-10-20 13:08:56 UTC | 59 | IN | |
2021-10-20 13:08:56 UTC | 60 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
6 | 192.168.2.5 | 49836 | 151.101.1.44 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:55 UTC | 16 | OUT | |
2021-10-20 13:08:56 UTC | 32 | IN | |
2021-10-20 13:08:56 UTC | 33 | IN | |
2021-10-20 13:08:56 UTC | 35 | IN | |
2021-10-20 13:08:56 UTC | 36 | IN | |
2021-10-20 13:08:56 UTC | 37 | IN | |
2021-10-20 13:08:56 UTC | 39 | IN | |
2021-10-20 13:08:56 UTC | 40 | IN | |
2021-10-20 13:08:56 UTC | 42 | IN | |
2021-10-20 13:08:56 UTC | 43 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
7 | 192.168.2.5 | 49837 | 151.101.1.44 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:56 UTC | 60 | OUT | |
2021-10-20 13:08:56 UTC | 61 | IN | |
2021-10-20 13:08:56 UTC | 62 | IN | |
2021-10-20 13:08:56 UTC | 63 | IN | |
2021-10-20 13:08:56 UTC | 65 | IN | |
2021-10-20 13:08:56 UTC | 66 | IN | |
2021-10-20 13:08:56 UTC | 68 | IN | |
2021-10-20 13:08:56 UTC | 69 | IN | |
2021-10-20 13:08:56 UTC | 70 | IN | |
2021-10-20 13:08:56 UTC | 72 | IN | |
2021-10-20 13:08:56 UTC | 73 | IN | |
2021-10-20 13:08:56 UTC | 74 | IN | |
2021-10-20 13:08:56 UTC | 76 | IN | |
2021-10-20 13:08:56 UTC | 77 | IN | |
2021-10-20 13:08:56 UTC | 78 | IN | |
2021-10-20 13:08:56 UTC | 80 | IN | |
2021-10-20 13:08:56 UTC | 81 | IN | |
2021-10-20 13:08:56 UTC | 82 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
8 | 192.168.2.5 | 49832 | 151.101.1.44 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:56 UTC | 83 | OUT | |
2021-10-20 13:08:56 UTC | 84 | IN | |
2021-10-20 13:08:56 UTC | 85 | IN | |
2021-10-20 13:08:56 UTC | 87 | IN | |
2021-10-20 13:08:56 UTC | 89 | IN | |
2021-10-20 13:08:56 UTC | 91 | IN | |
2021-10-20 13:08:56 UTC | 94 | IN | |
2021-10-20 13:08:56 UTC | 98 | IN | |
2021-10-20 13:08:56 UTC | 100 | IN | |
2021-10-20 13:08:56 UTC | 101 | IN | |
2021-10-20 13:08:56 UTC | 103 | IN | |
2021-10-20 13:08:56 UTC | 104 | IN | |
2021-10-20 13:08:56 UTC | 105 | IN | |
2021-10-20 13:08:56 UTC | 107 | IN | |
2021-10-20 13:08:56 UTC | 108 | IN | |
2021-10-20 13:08:56 UTC | 109 | IN | |
2021-10-20 13:08:56 UTC | 111 | IN | |
2021-10-20 13:08:56 UTC | 112 | IN | |
2021-10-20 13:08:56 UTC | 113 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
9 | 192.168.2.5 | 49833 | 151.101.1.44 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-20 13:08:56 UTC | 83 | OUT | |
2021-10-20 13:08:56 UTC | 86 | IN | |
2021-10-20 13:08:56 UTC | 90 | IN | |
2021-10-20 13:08:56 UTC | 93 | IN | |
2021-10-20 13:08:56 UTC | 95 | IN | |
2021-10-20 13:08:56 UTC | 97 | IN | |
2021-10-20 13:08:56 UTC | 99 | IN |
Code Manipulations |
---|
User Modules |
---|
Hook Summary |
---|
Function Name | Hook Type | Active in Processes |
---|---|---|
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe |
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe |
CreateProcessAsUserW | EAT | explorer.exe |
CreateProcessAsUserW | INLINE | explorer.exe |
CreateProcessW | EAT | explorer.exe |
CreateProcessW | INLINE | explorer.exe |
CreateProcessA | EAT | explorer.exe |
CreateProcessA | INLINE | explorer.exe |
Processes |
---|
Process: explorer.exe, Module: WININET.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFA9B335200 |
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 66CA300 |
Process: explorer.exe, Module: user32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFA9B335200 |
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 66CA300 |
Process: explorer.exe, Module: KERNEL32.DLL |
---|
Function Name | Hook Type | New Data |
---|---|---|
CreateProcessAsUserW | EAT | 7FFA9B33521C |
CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00 |
CreateProcessW | EAT | 7FFA9B335200 |
CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00 |
CreateProcessA | EAT | 7FFA9B33520E |
CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00 |
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 15:08:24 |
Start date: | 20/10/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x12e0000 |
File size: | 893440 bytes |
MD5 hash: | 72FCD8FB0ADC38ED9050569AD673650E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 15:08:25 |
Start date: | 20/10/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x150000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:08:25 |
Start date: | 20/10/2021 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1070000 |
File size: | 20992 bytes |
MD5 hash: | 426E7499F6A7346F0410DEAD0805586B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 15:08:25 |
Start date: | 20/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa20000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 15:08:26 |
Start date: | 20/10/2021 |
Path: | C:\Program Files\internet explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff751890000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:08:26 |
Start date: | 20/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa20000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|