Windows Analysis Report FpYf5EGDO9.exe
Overview
General Information
Detection
Ursnif
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Found malware configuration
Sigma detected: Powershell run code from registry
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Classification
Process Tree
Malware Configuration
Threatname: Ursnif
```json
{
  "RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE",
  "c2_domain": [
    "yahoo.com",
    "soderunovos.website",
    "qoderunovos.website",
    "https://soderunovos.website",
    "https://qoderunovos.website"
  ],
  "botnet": "4482",
  "server": "12",
  "serpent_key": "10291029JSJUYNHG",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "dga_base_url": "constitution.org/usdeclar.txt",
  "dga_tld": "com ru org",
  "DGA_count": "10"
}
```
Yara Overview
Memory Dumps
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
61 entries on the full page.
Unpacked PEs
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
2 entries on the full page.
Sigma Overview
System Summary:
Sigma detected: Encoded IEX (author: Florian Roth)
Sigma detected: MSHTA Spawning Windows Shell (author: Michael Haag)
Sigma detected: Mshta Spawning Windows Shell (author: Florian Roth)
Sigma detected: Suspicious Csc.exe Source File Folder (author: Florian Roth)
Sigma detected: Suspicious Rundll32 Activity (authors: juju4, Jonhnathan Ribeiro, oscd.community)
Sigma detected: Non Interactive PowerShell (authors: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements))
Sigma detected: T1086 PowerShell Execution (authors: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research))
Data Obfuscation:
Sigma detected: Powershell run code from registry (author: Joe Security)
Jbx Signature Overview
AV Detection:
Found malware configuration
Source: Malware Configuration Extractor
Multi AV Scanner detection for submitted file
Source: Virustotal
Machine Learning detection for sample
Source: Joe Sandbox ML
Source: Avira (3 entries)
Compliance:
Detected unpacking (overwrites its own PE header)
Source: Unpacked PE file
Source: Static PE information
Source: File opened
Source: HTTPS traffic detected (7 entries)
Source: Binary string (8 entries)
Source: Code function: 44_2_0374A2FE, 44_2_0373E9AC
Networking:
System process connects to network (likely due to code injection or exploit)
Source: Domain query (4 entries)
Uses nslookup.exe to query domains
Source: Process created (2 entries)
May check the online IP address of the machine
Source: DNS query (2 entries)
Uses ping.exe to check the status of other devices and networks
Source: Process created
Source: JA3 fingerprint (2 entries)
Source: HTTP traffic detected (10 entries)
Source: ASN Name
Source: IP Address (2 entries)
Source: String found in binary or memory (41 entries)
Source: DNS traffic detected
Source: Code function: 0_2_03C45988
Source: HTTP traffic detected (10 entries)
Source: Network traffic detected (20 entries)
Source: HTTP traffic detected (2 entries)
Source: String found in binary or memory (27 entries)
Source: HTTPS traffic detected (7 entries)
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Yara detected Ursnif
Source: File source (73 entries)
Source: Binary or memory string
E-Banking Fraud:
Yara detected Ursnif
Source: File source (73 entries)
Disables SPDY (HTTP compression, likely to perform web injects)
Source: Registry key value created / modified
System Summary:
Writes or reads registry keys via WMI
Source: WMI Queries (11 entries)
Writes registry values via WMI
Source: WMI Registry write (8 entries)
Source: Code function: 0_2_03C4AFC0, 0_2_03C47FBE, 0_2_03C4836E
Source: Code function: 21_2_00A559E4, 21_2_00A57548, 21_2_00A3C3E4, 21_2_00A39098, 21_2_00A35420, 21_2_00A4C400, 21_2_00A44818, 21_2_00A50468, 21_2_00A3847C, 21_2_00A41C44, 21_2_00A58448, 21_2_00A365A8, 21_2_00A329B0, 21_2_00A591B0, 21_2_00A4CDC4, 21_2_00A40DC8, 21_2_00A4B1D0, 21_2_00A4993C, 21_2_00A53D68, 21_2_00A48974, 21_2_00A59AA8, 21_2_00A45AB4, 21_2_00A3AAB4, 21_2_00A42A90, 21_2_00A4DEE8, 21_2_00A452D0, 21_2_00A31638, 21_2_00A4220C, 21_2_00A35A1C, 21_2_00A477A0, 21_2_00A3CFF8, 21_2_00A39FC4, 21_2_00A33764, 21_2_00A5137C, 21_2_00A51B4C
Source: Code function: 31_2_000001B888D27548, 31_2_000001B888D259E4, 31_2_000001B888D2137C, 31_2_000001B888D177A0, 31_2_000001B888D21B4C, 31_2_000001B888D03764, 31_2_000001B888D152D0, 31_2_000001B888D1DEE8, 31_2_000001B888D0847C, 31_2_000001B888D09098, 31_2_000001B888D28448, 31_2_000001B888D11C44, 31_2_000001B888D20468, 31_2_000001B888D0CFF8, 31_2_000001B888D1C400, 31_2_000001B888D14818, 31_2_000001B888D05420, 31_2_000001B888D09FC4, 31_2_000001B888D0C3E4, 31_2_000001B888D065A8, 31_2_000001B888D029B0, 31_2_000001B888D291B0, 31_2_000001B888D1993C, 31_2_000001B888D23D68, 31_2_000001B888D18974, 31_2_000001B888D12A90, 31_2_000001B888D29AA8, 31_2_000001B888D0AAB4, 31_2_000001B888D15AB4, 31_2_000001B888D01638, 31_2_000001B888D1220C, 31_2_000001B888D05A1C, 31_2_000001B888D10DC8, 31_2_000001B888D1B1D0, 31_2_000001B888D1CDC4, 31_2_000001B888D3B5A4
Source: Code function: 44_2_037413FA, 44_2_0374B006
Source: Key opened
Source: Static PE information (2 entries)
Source: Static PE information
Source: Code function: 0_2_00401703, 0_2_00401C90, 0_2_004019A0, 0_2_03C45CD1, 0_2_03C49E79, 0_2_03C49A0F, 0_2_03C4B1E5
Source: Code function: 21_2_00A4B080, 21_2_00A474E0, 21_2_00A570F8, 21_2_00A48078, 21_2_00A48844, 21_2_00A43104, 21_2_00A4B164, 21_2_00A3B964, 21_2_00A54200, 21_2_00A3C3E4, 21_2_00A6B00B
Source: Code function: 31_2_000001B888D1B164, 31_2_000001B888D24200, 31_2_000001B888D3B00B
Source: Code function: 44_2_037407E8, 44_2_0373B347, 44_2_0374FBD1, 44_2_0373A63D
Source: Binary or memory string
Source: Static PE information
Source: File created
Source: Classification label
Source: File read
Source: Virustotal
Source: Key opened
Source: Process created (33 entries)
Source: Key value queried
Source: File created
Source: Section loaded (7 entries)
Source: Code function: 0_2_03C48F1B
Source: Process created
Source: Mutant created (9 entries)
Source: Command line argument: 0_2_0042F2F0 (7 entries)
Source: File read (5 entries)
Source: Key opened
Source: File opened
Source: Window detected
Source: File opened
Source: Key opened
Source: File opened
Source: Static PE information
Source: Static PE information (6 entries)
Source: Static PE information
Source: Binary string (8 entries)
Data Obfuscation:
Detected unpacking (overwrites its own PE header)
Source: Unpacked PE file
Detected unpacking (changes PE section rights)
Source: Unpacked PE file
Suspicious powershell command line found
Source: Process created (2 entries)
Source: Code function: 0_2_03C4E9B1, 0_2_03C4AFBF, 0_2_03C4AC09, 0_2_03C4E630, 0_2_0042EA81, 0_2_021C5A55, 0_2_021BF062, 0_2_021BED94, 0_2_021C3D7E, 0_2_021BFF83, 0_2_021BE76A, 0_2_021C2BC2, 44_2_0374FECE, 44_2_03752D8B
Source: Code function: 0_2_00401264
Source: Process created (4 entries)
Source: Static PE information
Source: File created (dropped file, 2 entries)
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Hooks registry keys query functions (used to hide registry keys) | Show sources |
Source: | IAT, EAT, inline or SSDT hook detected: |
Self deletion via cmd delete | Show sources |
Source: | Process created: | ||
Source: | Process created: |
Modifies the export address table of user mode modules (user mode EAT hooks) | Show sources |
Source: | IAT of a user mode module has changed: |
Modifies the prolog of user mode functions (user mode inline hooks) | Show sources |
Source: | User mode code has changed: |
Modifies the import address table of user mode modules (user mode IAT hooks) | Show sources |
Source: | EAT of a user mode module has changed: |
Malware Analysis System Evasion: |
---|
Uses ping.exe to sleep
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Stealing of Sensitive Information: |
---|
Yara detected Ursnif
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal browser information (history, passwords, etc)
Remote Access Functionality: |
---|
Yara detected Ursnif
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection812 | Obfuscated Files or Information2 | OS Credential Dumping1 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer4 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing22 | Credential API Hooking3 | Account Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Encrypted Channel11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Command and Scripting Interpreter12 | Logon Script (Windows) | Logon Script (Windows) | File Deletion1 | Input Capture1 | File and Directory Discovery2 | SMB/Windows Admin Shares | Email Collection11 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | PowerShell1 | Logon Script (Mac) | Logon Script (Mac) | Rootkit4 | NTDS | System Information Discovery26 | Distributed Component Object Model | Credential API Hooking3 | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Security Software Discovery1 | SSH | Input Capture1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion21 | Cached Domain Credentials | Virtualization/Sandbox Evasion21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection812 | DCSync | Process Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | ||
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Network Configuration Discovery3 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
46% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen7 | Download File | ||
100% | Avira | TR/Patched.Ren.Gen | Download File | ||
100% | Avira | TR/Patched.Ren.Gen | Download File | ||
100% | Avira | HEUR/AGEN.1108168 | Download File |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
new-fp-shed.wg1.b.yahoo.com | 87.248.100.216 | true | false | | high |
myip.opendns.com | 84.17.52.63 | true | false | | high |
lycos.com | 209.202.254.90 | true | false | | high |
resolver1.opendns.com | 208.67.222.222 | true | false | | high |
ds-ats.member.g02.yahoodns.net | 212.82.100.140 | true | false | | unknown |
yahoo.com | 74.6.143.26 | true | false | | high |
edge.gycpi.b.yahoodns.net | 87.248.118.22 | true | false | | unknown |
soderunovos.website | 89.44.9.140 | true | true | | unknown |
www.lycos.com | 209.202.254.90 | true | false | | high |
www.yahoo.com | unknown | unknown | false | | high |
mail.yahoo.com | unknown | unknown | false | | high |
222.222.67.208.in-addr.arpa | unknown | unknown | true | | unknown |
login.yahoo.com | unknown | unknown | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
89.44.9.140 | soderunovos.website | Romania | | 9009 | M247GB | true |
74.6.143.26 | yahoo.com | United States | | 26101 | YAHOO-3US | false |
209.202.254.90 | lycos.com | United States | | 6354 | LYCOSUS | false |
87.248.118.22 | edge.gycpi.b.yahoodns.net | United Kingdom | | 203220 | YAHOO-DEBDE | false |
87.248.100.216 | new-fp-shed.wg1.b.yahoo.com | United Kingdom | | 34010 | YAHOO-IRDGB | false |
212.82.100.140 | ds-ats.member.g02.yahoodns.net | United Kingdom | | 34010 | YAHOO-IRDGB | false |
Private |
---|
IP |
---|
192.168.2.1 |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 527488 |
Start date: | 23.11.2021 |
Start time: | 20:57:36 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 14m 23s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | FpYf5EGDO9.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 40 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 6 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.bank.troj.spyw.evad.winEXE@33/20@11/7 |
EGA Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
20:59:38 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
89.44.9.140 | | | malicious | | |
74.6.143.26 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
new-fp-shed.wg1.b.yahoo.com | | | malicious | | |
myip.opendns.com | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
M247GB | | | malicious | | |
YAHOO-3US | | | malicious | | |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
57f3642b4e37e28f5cbe3020c9331b4c | | | malicious | | |
37f463bf4616ecd445d4a1937da06e19 | | | malicious | | |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11606 |
Entropy (8bit): | 4.883977562702998 |
Encrypted: | false |
SSDEEP: | 192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr |
MD5: | 1F1446CE05A385817C3EF20CBD8B6E6A |
SHA1: | 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D |
SHA-256: | 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE |
SHA-512: | 252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 0.9260988789684415 |
Encrypted: | false |
SSDEEP: | 3:Nlllulb/lj:NllUb/l |
MD5: | 13AF6BE1CB30E2FB779EA728EE0A6D67 |
SHA1: | F33581AC2C60B1F02C978D14DC220DCE57CC9562 |
SHA-256: | 168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F |
SHA-512: | 1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 117 |
Entropy (8bit): | 4.51228797597229 |
Encrypted: | false |
SSDEEP: | 3:cPaRhARtt7TSjjhThARtnJI1/v:oMWbtChWbng/v |
MD5: | A45E1F430E5F27F3800271EA643136A0 |
SHA1: | 26F5310FA0B49B1568413BC590BE8B974EC12987 |
SHA-256: | E459FD7C19DE215CD06D71D6D4449C402DC4058A3A7FCF752B77C291655CC8F9 |
SHA-512: | BA6B86ED4B359E4EF3412E00DB274201D93F5B22B91AD02DFE0894D0C2CAD15032F8F92630DD20A4E0C995E9C87E79555FD0F9CD56722220F56A336946F2CEC2 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 426 |
Entropy (8bit): | 5.033139906052158 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJ3eIVMRSRa+eNMjSSRrtXuSRHq1zyaRMseeBVtEvwy:V/DTLDfuRXl9eg5rtVuzyleBKwy |
MD5: | 4D67B4EE9B0124EA3067CCCC7F44B80F |
SHA1: | 2FE1AFC564476F305A0E2D3F57FC067E3C08E594 |
SHA-256: | 5F263A0DD8E22A4DE11BC5870D10AE9B8D6DFD3CF5CBE915ACE34F747E88C225 |
SHA-512: | 6CA77C9F0D56A036715ABD769E54236F66E7F8FE25CA1B3979DA81976E25AE7B655781A4D141B5C87CFBD5195BB2DC71D1B9D15B875C244FE8EEBDA72624E137 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 351 |
Entropy (8bit): | 5.278318349630682 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f4zxs7+AEszIWXp+N23fzGAn:p37Lvkmb6KHwWZE8CA |
MD5: | BC70783C96A238BA655593E342B9F14F |
SHA1: | 602976D538640F98BB934A2B550CF0DDAC4F3EE6 |
SHA-256: | F31431C2E7BE9D780B3900A2CE17023A085F065523BC91FDCAA072FD00ECCFE2 |
SHA-512: | 67D9A608A4757C15C791F0CC670883EE8067ABD2C27592D1AFBE6D1CD989250EF790C1C6147E0CC02428FC9B19B0BA1BFF19353557D81C12E998D12D4A75A1A6 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.661168047511821 |
Encrypted: | false |
SSDEEP: | 24:etGSZcM2Wreq8MTBo6EyX4oonTj9dWhdmWdFtkZfUjFKWI+ycuZhNCSQakSNSVPE:6ZeYSMTBdlX4t3DWjwJU5J1ulya32q |
MD5: | 8387E1189611349B98D2098FEDA7DC3D |
SHA1: | 7365B4E64653E9724279EEA92583E7BE694146A4 |
SHA-256: | 62E4730FD807446620449BC72646B39A7088698061347635439780BEF69AA8D1 |
SHA-512: | 2AB585C161C0B4F9E2211657D051A44344C4E3C8218F20FE9DD37E5C3B50B254210AC9D39BA25CF02D3F178BFA7C7A024537C4052722B731B3D1141FF1D9F24A |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 848 |
Entropy (8bit): | 5.328401971088736 |
Encrypted: | false |
SSDEEP: | 12:xKIR37Lvkmb6KHwWZE8C1KaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHxE8oKaM5DqBVKVrdFAMBJTH |
MD5: | DE60CB4B973C89DB1CA831AEFC5FE7CF |
SHA1: | F074C4EB01E5B627227C597C9D2354EF725EC570 |
SHA-256: | 1B75158B8528BAD371568EE85107A3D36EEA2B51074E82E2CC9A5FDBA924A403 |
SHA-512: | D33AF0CC88E8351AF4FDC8D022ACB878244B5DCA28B2ADAAB58BD85BF61E4B6C232170DA88EF16515FB8753A8D53816679C8A9603B39C9ACFF6350076A9B99FF |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.10949149293103 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grykSQak7YnqqNSVPN5Dlq5J:+RI+ycuZhNCSQakSNSVPNnqX |
MD5: | 863D455CD0D191F459760CC4DCE4E8BB |
SHA1: | 8229FC84BDD205FC3A9985DB1E70040896EAF3CE |
SHA-256: | 51F8B62C4B786370CF4E71F5CECD8679E5DA2D13D9C773789FD30076A69AEC79 |
SHA-512: | 8B62D25E18D58816381AFA04BF7F6EAD04E948F8E813AF977FD9A4C38D1243174314D4B35F1B70E5010046E0B7138BF0C968BC6053E08BC94B7CA91452302392 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.0738524384874757 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryDak7YnqqvPN5Dlq5J:+RI+ycuZhNhakSvPNnqX |
MD5: | C2D866EAB542DC2E96510D2B78B50BA0 |
SHA1: | 11792FA8538C80AE0BDDE578E912F4B510D3929D |
SHA-256: | 9153ACB652C422ABA36046E6BD63C15ACE04D1D1AB1501AC376F991D833372D1 |
SHA-512: | 9AF4D5FB82FA223EE3F0F4B19D4FD8D51C6FEC901C9E0017EE2ADEFE57E4E5F4B7CAF7D368F1FD86733344CF8851FC73B7DB8F90528B8294D55963F0C35A7B3D |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1320 |
Entropy (8bit): | 3.9887400565326674 |
Encrypted: | false |
SSDEEP: | 24:HfnW9Q3q6hH2hKdNWI+ycuZhNCSQakSNSVPNnq9hgd:P53qeMKd41ulya32q9y |
MD5: | ACC30F70E6A583DA1D499AA1E4E7122F |
SHA1: | F2709DA4327CAB53FB1AB0DDC8D0A1FE4C1A9CB9 |
SHA-256: | 7EFA06080F2E90DAF6224F2B08434BE97DF0BA4FDB6FAE3D8666D52A89DAABFD |
SHA-512: | 716635BAAC4E4313A6AEC9F39729C5766E0FE97FEB0A3E1CAB9E8EBE8DABC8D699AF6A7B2F2A0FA4EE29EA24F197057D418BB0E17E135B33FBBF57763457B45D |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1320 |
Entropy (8bit): | 3.97295814037481 |
Encrypted: | false |
SSDEEP: | 24:HqnW9rVfytHCWhKdNwI+ycuZhNhakSvPNnq9hgd:8WVfytbKdm1ulha3tq9y |
MD5: | C9912D93B5802D8EADCF8D36D91A5E38 |
SHA1: | 484FFFD89A10CB8DF08B97C54F4F1D28D5C79E9D |
SHA-256: | 5408AD27D80D801335AAA0E0477F42342DEB6264A5DB772C5F99253A3F37BE28 |
SHA-512: | B0519A087CE5E06BE3D3F950D14D3D02866E5850BC6160EC7CD79C56CD95BE6216524D9EBCC611DB404C413C1F617431BF3866F73C5BADDED1E350B226B2E15F |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 414 |
Entropy (8bit): | 5.012387590489786 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJc0H/VMRSR7a1gPc9OopxkSRa+rVSSRnA/fFOlN218zPQy:V/DTLDfuPH/ly/xv9rV5nA/NwSQQy |
MD5: | E458C9B10EE5485711E8601EC2A9F7E7 |
SHA1: | 52EBD94DA80BD5538C113C1A73BA0F773B3207F4 |
SHA-256: | 10D6C8D84A31080F063B2FF734D3EC20DA046B698298723676C722C80D932683 |
SHA-512: | 98F83BF02C6E41CDB284BC764B9F31231BA7936A086679333D8AA8A459448BCAE8A77765E3709EBB493FF274BF55F01282FB0EDA20391FC943E4BC0F184CF0E9 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 351 |
Entropy (8bit): | 5.230045602824142 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fxEp7LGzxs7+AEszIWXp+N23fxEpD:p37Lvkmb6KH5EpOWZE85EpDn |
MD5: | AEDA637F0B93910DDA9DCB41585D1FBF |
SHA1: | 7D528268F83393309FBB4DCB105B11C7EBD1826D |
SHA-256: | 20B32FC56CB870C6CDCBF8D753CB42C34D07801D392189238740EA42FC9A17A3 |
SHA-512: | 22F717BF7766EB7E3986521BBBB63CAD78047D56AF9D5AC7148418B78F37E4E1E2ED70BBEBF121730D251C47E24B8A2D06CB7C5C9F2456B687E0CEE768936B9E |
Malicious: | true |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.6242156235464043 |
Encrypted: | false |
SSDEEP: | 24:etGS68+mUE7R85lwCk3tQJ3pPo3864OFtkZfpuDZ0WI+ycuZhNhakSvPNnq:60XE7S5lwhe8jwJpYZX1ulha3tq |
MD5: | FF28D58E52C9B08A0B91C34FE6CB8086 |
SHA1: | EC7E91AEB56249664477F8A1A88261329C987F57 |
SHA-256: | 40D2156C7127E729396659AB33BF3F105EFD7BEF135E9C680E4FBF79AE427E23 |
SHA-512: | BDBEF6188AB09F806D0C41DC578AC17D5531015C757D5E4752CDA2F3C771B04FE8D7B9E9C2DC8FC84EB31201832C6B8CAAF6938451F84FBBB551BAE59EFEC24C |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 848 |
Entropy (8bit): | 5.3131522141031855 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6KH4PE84iKaM5DqBVKVrdFAMBJTH:Akka6AIE8HKxDcVKdBJj |
MD5: | 0E1AD61E45113253E5CFE1E18A0F35EC |
SHA1: | FC96533B42CBEE7B23340B5CB6C45CA6EB3AA576 |
SHA-256: | 1230246ED71C46FE8AEADE013E8D857EBD022689CA611DDFC7EE5847868F1981 |
SHA-512: | 0BC9F6E5317EAEB26EC7F1F37CF82552F6C78FE40F2D1622E6AA0215D24E2657A63D9D4EC8C956E3F3F59905C44B11A2D3BB4FB9434B2BAEC0BC207F87D5811C |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10859 |
Entropy (8bit): | 4.446683388718207 |
Encrypted: | false |
SSDEEP: | 96:FYnnnAJppp222222MXXC3ZlMB4+j+PDdEyRPdrkUUxeXAyNY90ZDCmmmm88888Yh:9FlQyNQ0Z6wwwwOOOO5 |
MD5: | ED7ED76ADB16092B594B8CF3433DA64C |
SHA1: | BD28A1BBAB4EDB61E3E6E6C1A7AF25C0511DFC9A |
SHA-256: | 89113B138596A9A8DDF4DCF524FC60FC1D0855E67B3859FECBA1360F42190EBD |
SHA-512: | 759673DAF16A071F025179FC4A67CED8DE93E1E0B0842A3E73E0FBE33A146DBBF61E8194AA0E1F91968FB2478CE5F654EF4C9D513B98B23E8BE1E726F6E56964 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1193 |
Entropy (8bit): | 5.325011715072354 |
Encrypted: | false |
SSDEEP: | 24:BxSAaxvBnRKx2DOXUWOLCHGI4qWPtHjeTKKjX4CIym1ZJX0OLCHGI4jGnxSAZLi:BZGvhQoORF4tPtqDYB1Z2F4cZZe |
MD5: | 64DCF29EFCD6A6F38728361169A5ED63 |
SHA1: | A5C6CB281423AE7E55D2DF225B55D5C8AFC5B01D |
SHA-256: | CFC03A12FEF125CACE17B18C13EA4F53D578E9D05BF5CCCC67ADCF439FEA9A53 |
SHA-512: | E3FA3070041740AF06107B731596E629A17B96556943C13DA589BC3BDF0A9C6A4849BB089600027DBB4A52A1DF0E4EA3813FE385E615E0AF4340934C9633D213 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\nslookup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28 |
Entropy (8bit): | 4.039148671903071 |
Encrypted: | false |
SSDEEP: | 3:U+6QlBxAN:U+7BW |
MD5: | D796BA3AE0C072AA0E189083C7E8C308 |
SHA1: | ABB1B68758B9C2BF43018A4AEAE2F2E72B626482 |
SHA-256: | EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E |
SHA-512: | BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36 |
Malicious: | false |
Preview: |
|
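The file names of the entries above were not captured, so matching a file pulled from a host or a sandbox share against this list has to go by the metrics themselves. The following script is an added example (not part of the Joe Sandbox report) that recomputes size, 8-bit Shannon entropy and the four hashes in the report's upper-case form; ssdeep is left out because it needs an external library. The two identical 1-byte entries (entropy 0.0, MD5 C4CA4238A0B923820DCC509A6F75849B) are used as the worked case: a 1-byte file has only 256 possible contents, so the script recovers the content by brute force from the report's hashes. The input bytes are constructed in the script, not taken from the sandbox.

```python
"""Added example, not part of the Joe Sandbox report: recompute the metrics
shown for each "Created / dropped Files" entry (size, 8-bit Shannon entropy,
MD5, SHA-1, SHA-256, SHA-512) so a recovered file can be matched against the
report even though the file names were not captured. ssdeep is not
recomputed here (it needs the external ssdeep library).
"""
import hashlib
import math

# Values copied from the report's two identical 1-byte entries
# (process: powershell.exe, size 1, entropy 0.0).
REPORT_ONE_BYTE_ENTRY = {
    "size": 1,
    "entropy": 0.0,
    "md5": "C4CA4238A0B923820DCC509A6F75849B",
    "sha1": "356A192B7913B04C54574D18C28D46E6395428AB",
    "sha256": "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B",
    "sha512": "4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B3"
              "7B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A",
}


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte over the 256 byte values (the report's "Entropy (8bit)")."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_metrics(data: bytes) -> dict:
    """Size, entropy and the four hashes in the report's upper-case hex form."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_report_entry(data: bytes, entry: dict) -> bool:
    """True when size and every hash agree; entropy is a float and is compared loosely."""
    m = file_metrics(data)
    if any(m[k] != entry[k] for k in ("size", "md5", "sha1", "sha256", "sha512")):
        return False
    return abs(m["entropy"] - entry["entropy"]) < 1e-9


def recover_single_byte(entry: dict):
    """A 1-byte file has only 256 possible contents: return the one matching the report, else None."""
    for value in range(256):
        candidate = bytes([value])          # constructed input, tried against the report's hashes
        if matches_report_entry(candidate, entry):
            return candidate
    return None


if __name__ == "__main__":
    content = recover_single_byte(REPORT_ONE_BYTE_ENTRY)
    print("1-byte dropped file content:", content)
    print(file_metrics(content))
```

The same `file_metrics` output can be compared against any of the other entries above once the corresponding file is in hand; an entropy value close to 8 bits per byte on a dropped file is the usual cue to treat it as packed or encrypted payload rather than text.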
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.870124121679364 |
TrID: |
|
File name: | FpYf5EGDO9.exe |
File size: | 299520 |
MD5: | 2f1743897afa6f586ae97f53bf55c14e |
SHA1: | 21a51f4a3fa0c65509a1c7ef640f7e6b779aee49 |
SHA256: | 440c297bcaa0e4ca3d84281d524b8351ad1ea2b5aabb22795db824a356cd54bd |
SHA512: | 162fb9b7e4e18c7a6a3acfa24c284f23602337810e6de5126895673f481706ddeb09454737326bc6e5a834f1404ea48b8d6c0b0c3c199a4ea3c29c608450a667 |
SSDEEP: | 6144:W8wgMcxaKnK1JVhXzHw9SXuZet0ySeznAySUQBs97Tp:W8hMszaPhDQ9SXuZet0ySezaUQB+/p |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0..#t..pt..pt..p..Up]..p..`pe..p..Tp...p}.mp...pt..pu..p..Qpu..p..dpu..p..cpu..pRicht..p........PE..L..."..`................... |
File Icon |
---|
Icon Hash: | a2e8e8e8a2a2a488 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x418140 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, NX_COMPAT |
Time Stamp: | 0x60AFB322 [Thu May 27 14:56:34 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 6f82efd43bd3095537b2fbbd588fd6ad |
Entrypoint Preview |
---|
Instruction |
---|
mov edi, edi |
push ebp |
mov ebp, esp |
call 00007F0694A54F5Bh |
call 00007F0694A54C66h |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov edi, edi |
push ebp |
mov ebp, esp |
push FFFFFFFEh |
push 0042FEC0h |
push 0041C360h |
mov eax, dword ptr fs:[00000000h] |
push eax |
add esp, FFFFFF98h |
push ebx |
push esi |
push edi |
mov eax, dword ptr [00432064h] |
xor dword ptr [ebp-08h], eax |
xor eax, ebp |
push eax |
lea eax, dword ptr [ebp-10h] |
mov dword ptr fs:[00000000h], eax |
mov dword ptr [ebp-18h], esp |
mov dword ptr [ebp-70h], 00000000h |
lea eax, dword ptr [ebp-60h] |
push eax |
call dword ptr [00401358h] |
cmp dword ptr [01FB5ABCh], 00000000h |
jne 00007F0694A54C60h |
push 00000000h |
push 00000000h |
push 00000001h |
push 00000000h |
call dword ptr [00401354h] |
call 00007F0694A54DE3h |
mov dword ptr [ebp-6Ch], eax |
call 00007F0694A58DABh |
test eax, eax |
jne 00007F0694A54C5Ch |
push 0000001Ch |
call 00007F0694A54DA0h |
add esp, 04h |
call 00007F0694A58708h |
test eax, eax |
jne 00007F0694A54C5Ch |
push 00000010h |
call 00007F0694A54D8Dh |
add esp, 04h |
push 00000001h |
call 00007F0694A58653h |
add esp, 04h |
call 00007F0694A5630Bh |
mov dword ptr [ebp-04h], 00000000h |
call 00007F0694A55EEFh |
test eax, eax |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x304a4 | 0x78 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1bb7000 | 0x5470 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1bbd000 | 0x17e4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1440 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17f70 | 0x40 | .text |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x3f8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x30cf6 | 0x30e00 | False | 0.609994405371 | data | 7.04723316599 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x32000 | 0x1b84ac0 | 0x1400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x1bb7000 | 0x5470 | 0x5600 | False | 0.609511264535 | data | 5.96212400018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1bbd000 | 0x1155c | 0x11600 | False | 0.0751039793165 | data | 0.975523484519 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
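The packer signal in this report is in the section table rather than at the entrypoint (the entrypoint preview is the stock Visual C++ CRT startup stub: security-cookie initialisation followed by the SEH-framed startup routine that calls GetStartupInfoW and HeapSetInformation). The `.data` section declares a virtual size of 0x1b84ac0 (about 28 MB) against only 0x1400 bytes of raw data, which reserves a large zero-filled region for the unpacked payload. The following script is an added example, not Joe Sandbox code: it parses PE32 section headers with `struct` only (no `pefile` dependency) and applies the checks a triage script would run. The header bytes it parses are constructed from the values in the "Static PE Info" and "Sections" tables above; the PointerToRawData values and the 0x400 SizeOfHeaders are assumptions the report does not state, chosen so the raw sections are laid out back to back after the headers. With that assumption the raw sizes sum to exactly the reported file size of 299520, i.e. no overlay.

```python
"""Added example (not part of the Joe Sandbox report): parse PE32 section
headers with struct alone and flag packer-style anomalies.

The header bytes are CONSTRUCTED here from the report's "Static PE Info"
and "Sections" tables; PointerToRawData values and the 0x400 SizeOfHeaders
are assumptions (the report does not list them).
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x418140       # "Entrypoint" in the report; the header stores the RVA
SIZE_OF_HEADERS = 0x400         # assumption, see docstring
REPORTED_FILE_SIZE = 299520     # "File size" in the report

# (Name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics) from the Sections table
REPORT_SECTIONS = [
    (b".text", 0x1000, 0x30cf6, 0x30e00,
     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ),
    (b".data", 0x32000, 0x1b84ac0, 0x1400,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    (b".rsrc", 0x1bb7000, 0x5470, 0x5600,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".reloc", 0x1bbd000, 0x1155c, 0x11600,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
]


def build_pe_headers(image_base, entry_va, sections, size_of_headers=SIZE_OF_HEADERS):
    """Constructed PE32 headers (DOS stub, PE signature, file/optional header, section table)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, TimeDateStamp (from the report),
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(sections), 0x60AFB322, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_va - image_base)   # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, image_base)              # ImageBase
    struct.pack_into("<I", opt, 60, size_of_headers)         # SizeOfHeaders
    sec_hdrs, raw_ptr = b"", size_of_headers
    for name, va, vsize, rawsize, chars in sections:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize                                   # assumed back-to-back layout
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs


def parse_pe_headers(data):
    """Return (image_base, entry_rva, size_of_headers, sections) from the first bytes of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return image_base, entry_rva, size_of_headers, sections


def triage(entry_rva, size_of_headers, sections, file_size, ratio_threshold=8):
    """Packer heuristics on section metadata: entrypoint location, VirtualSize/RawSize ratio, RWX, overlay."""
    out = {"entry_section": None, "findings": [], "overlay_bytes": None}
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            out["entry_section"] = s["name"]
            if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
                out["findings"].append(f"entrypoint in non-executable section {s['name']}")
        if s["rawsize"] and s["vsize"] / s["rawsize"] >= ratio_threshold:
            out["findings"].append(
                f"{s['name']}: VirtualSize {s['vsize']:#x} is {s['vsize'] // s['rawsize']}x "
                f"SizeOfRawData {s['rawsize']:#x} (room reserved for unpacked code/data)")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            out["findings"].append(f"{s['name']}: writable and executable")
    if out["entry_section"] is None:
        out["findings"].append("entrypoint outside every section")
    mapped_end = max((s["rawptr"] + s["rawsize"] for s in sections), default=size_of_headers)
    out["overlay_bytes"] = file_size - mapped_end   # > 0 means data appended after the last section
    return out


def analyse_report_sample():
    data = build_pe_headers(IMAGE_BASE, ENTRY_POINT_VA, REPORT_SECTIONS)
    _, entry_rva, size_of_headers, sections = parse_pe_headers(data)
    return triage(entry_rva, size_of_headers, sections, REPORTED_FILE_SIZE)


if __name__ == "__main__":
    result = analyse_report_sample()
    print("entrypoint section:", result["entry_section"])
    print("overlay bytes:", result["overlay_bytes"])
    for line in result["findings"]:
        print("-", line)
```

Run against a real file, `parse_pe_headers(open(path, "rb").read())` replaces the constructed header and `file_size` becomes `os.path.getsize(path)`; the single finding for this sample is the `.data` ratio (0x1b84ac0 / 0x1400, over 5600 times), while the entrypoint resolves to `.text` and no section is both writable and executable, which matches the report's "Detected unpacking" signatures rather than a self-modifying code section.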
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
YONAMIKORUFENI | 0x1bba700 | 0xee8 | ASCII text, with very long lines, with no line terminators | Spanish | Paraguay |
RT_CURSOR | 0x1bbb5e8 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | Divehi; Dhivehi; Maldivian | Maldives |
RT_ICON | 0x1bb7330 | 0x8a8 | data | Spanish | Paraguay |
RT_ICON | 0x1bb7bd8 | 0x6c8 | data | Spanish | Paraguay |
RT_ICON | 0x1bb82a0 | 0x568 | GLS_BINARY_LSB_FIRST | Spanish | Paraguay |
RT_ICON | 0x1bb8808 | 0x10a8 | data | Spanish | Paraguay |
RT_ICON | 0x1bb98b0 | 0x988 | data | Spanish | Paraguay |
RT_ICON | 0x1bba238 | 0x468 | GLS_BINARY_LSB_FIRST | Spanish | Paraguay |
RT_STRING | 0x1bbbea8 | 0xfc | data | Divehi; Dhivehi; Maldivian | Maldives |
RT_STRING | 0x1bbbfa8 | 0x26c | data | Divehi; Dhivehi; Maldivian | Maldives |
RT_STRING | 0x1bbc218 | 0x254 | data | Divehi; Dhivehi; Maldivian | Maldives |
RT_GROUP_CURSOR | 0x1bbbe90 | 0x14 | data | Divehi; Dhivehi; Maldivian | Maldives |
RT_GROUP_ICON | 0x1bba6a0 | 0x5a | data | Spanish | Paraguay |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetNumaNodeProcessorMask, SetCriticalSectionSpinCount, SearchPathW, SetInformationJobObject, lstrcmpA, FindFirstFileW, SetThreadContext, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, lstrlenA, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, BuildCommDCBAndTimeoutsA, FreeLibrary, DeleteVolumeMountPointA, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, MoveFileExW, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, SetConsoleActiveScreenBuffer, WritePrivateProfileSectionA, SetDefaultCommConfigW, SetEnvironmentVariableW, CreateJobObjectW, SignalObjectAndWait, AddConsoleAliasW, GetComputerNameW, SetEvent, SetThreadExecutionState, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, SetCommTimeouts, CreateActCtxW, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, GlobalAlloc, GetPrivateProfileIntA, LoadLibraryW, GetConsoleMode, FatalAppExitW, GetThreadSelectorEntry, AssignProcessToJobObject, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, SetVolumeMountPointA, ReadConsoleOutputW, SetConsoleCP, InterlockedPopEntrySList, LeaveCriticalSection, GetFileAttributesA, GlobalFlags, lstrcpynW, GetNamedPipeInfo, HeapValidate, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, VerifyVersionInfoA, HeapQueryInformation, WritePrivateProfileSectionW, TerminateProcess, GetAtomNameW, FileTimeToSystemTime, UnregisterWait, lstrcatA, GetBinaryTypeW, 
CompareStringW, ExitThread, GetVolumePathNameA, lstrlenW, SetConsoleTitleA, WritePrivateProfileStringW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, FindVolumeMountPointClose, GetLongPathNameA, VirtualAlloc, HeapSize, SetFirmwareEnvironmentVariableW, CreateNamedPipeA, CreateJobSet, LocalLock, LockFileEx, VerLanguageNameW, BuildCommDCBW, DefineDosDeviceA, FindClose, GetPrivateProfileStringA, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, MoveFileA, GetExitCodeThread, GetNumberFormatW, SetFileApisToANSI, QueryDosDeviceW, SetConsoleWindowInfo, SetThreadIdealProcessor, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, GetVolumePathNamesForVolumeNameA, GetModuleFileNameA, GetDefaultCommConfigA, FindNextFileA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, _lread, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, GetProcessAffinityMask, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, WriteProfileStringW, EnumDateFormatsW, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, GetCPInfoExA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, ReadConsoleInputW, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, lstrcpyW, CreateFileW, SetStdHandle, GetPrivateProfileSectionNamesW, EnumResourceNamesW, GetThreadContext, GetModuleFileNameW, GetFullPathNameA, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, 
QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, ExitProcess, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, FlushFileBuffers |
USER32.dll | GetMessageTime |
GDI32.dll | GetBitmapBits |
ADVAPI32.dll | InitiateSystemShutdownA, GetFileSecurityW |
MSIMG32.dll | AlphaBlend |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Spanish | Paraguay | |
Divehi; Dhivehi; Maldivian | Maldives |
Network Behavior |
---|
Network Port Distribution |
---|
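The TCP Packets table that follows lists every packet individually, which hides the shape of the traffic: how many connections there were, to which hosts, and how long each lasted. The following script is an added example (not part of the Joe Sandbox report) that reduces rows in the table's own format to one record per connection. `SAMPLE_ROWS` holds a few packets copied verbatim from the table for each of its four connections (ports 49747, 49748, 49751 and 49753, all from the analysis VM 192.168.2.3 to port 443); the client is taken to be whichever side sent the first packet seen.

```python
"""Added example, not part of the Joe Sandbox report: collapse the per-packet
"TCP Packets" table into one record per TCP connection. SAMPLE_ROWS holds rows
copied from the report's table (the first packets of each of its four
connections, in the table's own row format).
"""
from collections import OrderedDict
from datetime import datetime

SAMPLE_ROWS = """\
Nov 23, 2021 20:59:01.188534021 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.188596010 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.188694954 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.223388910 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.223433971 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.455176115 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.455302000 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:02.118227959 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.118277073 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.118367910 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:22.621581078 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.621613026 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.621711969 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.295615911 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.295650005 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.295737982 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
"""


def parse_row(line: str) -> dict:
    """Parse one table row: timestamp | source port | dest port | source IP | dest IP."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    when, sport, dport, src, dst = cells
    stamp, _zone = when.rsplit(" ", 1)           # the zone label ("CET") is dropped
    head, frac = stamp.split(".")
    # strptime's %f accepts at most six digits; the table prints nine
    ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return {"ts": ts, "src": (src, int(sport)), "dst": (dst, int(dport))}


def build_flows(packets: list) -> list:
    """Group packets into connections; the sender of the first packet seen is the client."""
    flows = OrderedDict()
    for p in packets:
        key = frozenset((p["src"], p["dst"]))   # direction-agnostic endpoint pair
        f = flows.get(key)
        if f is None:
            f = flows[key] = {"client": p["src"], "server": p["dst"], "first": p["ts"],
                              "last": p["ts"], "to_server": 0, "to_client": 0}
        f["first"] = min(f["first"], p["ts"])
        f["last"] = max(f["last"], p["ts"])
        if p["src"] == f["client"]:
            f["to_server"] += 1
        else:
            f["to_client"] += 1
    return list(flows.values())


def summarize(table_text: str = SAMPLE_ROWS) -> list:
    """One dict per connection, in order of first appearance."""
    packets = [parse_row(line) for line in table_text.splitlines() if line.strip()]
    return [{
        "client": "%s:%d" % f["client"],
        "server": "%s:%d" % f["server"],
        "packets_to_server": f["to_server"],
        "packets_to_client": f["to_client"],
        "duration_s": (f["last"] - f["first"]).total_seconds(),
    } for f in build_flows(packets)]


def servers_by_connection_count(flows: list) -> list:
    """(server, connections) pairs, busiest first: repeated connections to one host stand out."""
    counts = {}
    for f in flows:
        counts[f["server"]] = counts.get(f["server"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    flows = summarize()
    for f in flows:
        print(f)
    print(servers_by_connection_count(flows))
```

Fed the whole table instead of the excerpt, the same functions give the full packet counts and durations per connection; the report itself only identifies the YAHOO-3US ASN in its context table and does not say which destination belongs to it, so the per-server count is a starting point for enrichment, not an attribution.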
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 23, 2021 20:59:01.188534021 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.188596010 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.188694954 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.223388910 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.223433971 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.455176115 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.455302000 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.838922024 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.838963985 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.839232922 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.839298010 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.843496084 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.884892941 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.957516909 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.957607985 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:01.957634926 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.957654953 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:01.957710028 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:02.087204933 CET | 49747 | 443 | 192.168.2.3 | 74.6.143.26 |
Nov 23, 2021 20:59:02.087254047 CET | 443 | 49747 | 74.6.143.26 | 192.168.2.3 |
Nov 23, 2021 20:59:02.118227959 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.118277073 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.118367910 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.119088888 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.119108915 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.203983068 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.204166889 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.214313984 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.214344025 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.214649916 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.215068102 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.215991974 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.260881901 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.409250975 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.409365892 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.409385920 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.409440994 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.409447908 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:02.409502029 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.411650896 CET | 49748 | 443 | 192.168.2.3 | 87.248.100.216 |
Nov 23, 2021 20:59:02.411673069 CET | 443 | 49748 | 87.248.100.216 | 192.168.2.3 |
Nov 23, 2021 20:59:22.621581078 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.621613026 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.621711969 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.622286081 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.622297049 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.772825003 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.772947073 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.856421947 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.856455088 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.856741905 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.857845068 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.879123926 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.924865961 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.993434906 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.993472099 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.993495941 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.993606091 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.993624926 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.993719101 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.993722916 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.994304895 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.994342089 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.994436026 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:22.994445086 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:22.994494915 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.037786961 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.037815094 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.037983894 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.038005114 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.038053036 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.038547993 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.038567066 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.038649082 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.038657904 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.038696051 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.039382935 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.039403915 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.039828062 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.039836884 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.039922953 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.082202911 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.082228899 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.082324028 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.082344055 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.082391977 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.082488060 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.083184004 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.083205938 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.083281040 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.083292007 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.083317995 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.083340883 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.083847046 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.083867073 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.083940029 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.083956003 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.084034920 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.084302902 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.084321976 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.084377050 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.084388018 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.084410906 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.084434032 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.084779978 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.084800959 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.084867001 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.084878922 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.084902048 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.084930897 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.088999987 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.089057922 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.089116096 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.089121103 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.089159966 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.089539051 CET | 49751 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.089556932 CET | 443 | 49751 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.295615911 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.295650005 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.295737982 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.296448946 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.296459913 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.425728083 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.425885916 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.426706076 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.426713943 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.431432962 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.431440115 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.536165953 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.536191940 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.536211967 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.536283016 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.536303997 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.536339998 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.536364079 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.536976099 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.537000895 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.537085056 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.537098885 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.537144899 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.576915979 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.576950073 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.577080011 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.577105045 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.577124119 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.577145100 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.577747107 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.577775002 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.577845097 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.577855110 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.577898979 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.578553915 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.578578949 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.578641891 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.578651905 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.578675032 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.578691959 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.617528915 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.617558956 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.617731094 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.617748976 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.617799997 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.618639946 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.618669033 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.618768930 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.618777037 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.618824959 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.619649887 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.619673967 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.619764090 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.619771957 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.619817019 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.620513916 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.620537043 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.620620012 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.620628119 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.620670080 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.621151924 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.621180058 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.621268988 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.621275902 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.621300936 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.621350050 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.621889114 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.621917963 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.621990919 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.621999025 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.622030973 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.622049093 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.623168945 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.623197079 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.623284101 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.623291969 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.623341084 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.658174992 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.658201933 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.658365011 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.658377886 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.658442974 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.658907890 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.658981085 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.659008980 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.659035921 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.659060955 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.659476995 CET | 49753 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.659488916 CET | 443 | 49753 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.789534092 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.789592028 CET | 443 | 49755 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.789729118 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.790496111 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.790520906 CET | 443 | 49755 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.926182032 CET | 443 | 49755 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.926330090 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.926847935 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.926865101 CET | 443 | 49755 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:23.931217909 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:23.931238890 CET | 443 | 49755 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:24.001416922 CET | 443 | 49755 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:24.001444101 CET | 443 | 49755 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:24.001493931 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:24.001514912 CET | 443 | 49755 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 20:59:24.001516104 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:24.001574993 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:24.001787901 CET | 49755 | 443 | 192.168.2.3 | 89.44.9.140 |
Nov 23, 2021 20:59:24.001811981 CET | 443 | 49755 | 89.44.9.140 | 192.168.2.3 |
Nov 23, 2021 21:01:37.357984066 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:37.358038902 CET | 443 | 49817 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:37.358125925 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:37.360423088 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:37.360451937 CET | 443 | 49817 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:37.706243992 CET | 443 | 49817 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:37.706399918 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.343686104 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.343744040 CET | 443 | 49817 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.344118118 CET | 443 | 49817 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.344249964 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.344285965 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.384866953 CET | 443 | 49817 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.453881979 CET | 443 | 49817 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.453989029 CET | 443 | 49817 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.453989029 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.454051018 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.456794977 CET | 49817 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.456823111 CET | 443 | 49817 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.476954937 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.476991892 CET | 443 | 49818 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.477125883 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.477467060 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.477482080 CET | 443 | 49818 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.814618111 CET | 443 | 49818 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.814743042 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.818628073 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.818639994 CET | 443 | 49818 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.818960905 CET | 443 | 49818 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.819051027 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.819061995 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.860877991 CET | 443 | 49818 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.934211016 CET | 443 | 49818 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.934292078 CET | 443 | 49818 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.934410095 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.934426069 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.934679985 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.934705019 CET | 443 | 49818 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.934719086 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.935228109 CET | 49818 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.935302019 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.935338020 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:38.935448885 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.935803890 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:38.935818911 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.156992912 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.157135963 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.157598972 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.157608986 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.158586979 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.158601999 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.444669962 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.444848061 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.444866896 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.444891930 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.445002079 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.445142984 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.445158958 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.445171118 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.445296049 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.445333958 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.445472956 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.445482969 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.445631981 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.494577885 CET | 49819 | 443 | 192.168.2.3 | 209.202.254.90 |
Nov 23, 2021 21:01:39.494616032 CET | 443 | 49819 | 209.202.254.90 | 192.168.2.3 |
Nov 23, 2021 21:01:39.556839943 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.556896925 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.557003021 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.557667971 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.557691097 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.601085901 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.603852987 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.603885889 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.608082056 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.608974934 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.608995914 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.609021902 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.609028101 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.609352112 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.609559059 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.661571026 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.661633015 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.661696911 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.661716938 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.661730051 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.661732912 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.661766052 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.661767960 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.661777020 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.661824942 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.661842108 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.661848068 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.661892891 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.664424896 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.664448977 CET | 443 | 49820 | 87.248.118.22 | 192.168.2.3 |
Nov 23, 2021 21:01:39.664458990 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.664527893 CET | 49820 | 443 | 192.168.2.3 | 87.248.118.22 |
Nov 23, 2021 21:01:39.687269926 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.687309027 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.687408924 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.687861919 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.687876940 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.821858883 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.821969032 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.821986914 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.822036982 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.825716972 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.825731993 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.825853109 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.825862885 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.825956106 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.826028109 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.916393995 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.916459084 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.916488886 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.916508913 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.916522980 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.916557074 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.957545996 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.957564116 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.957683086 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.957731962 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.957751989 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.957767963 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.957771063 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.957844019 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.998323917 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.998447895 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:39.998568058 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:39.998641014 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
Nov 23, 2021 21:01:40.001907110 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:40.003588915 CET | 49821 | 443 | 192.168.2.3 | 212.82.100.140 |
Nov 23, 2021 21:01:40.003622055 CET | 443 | 49821 | 212.82.100.140 | 192.168.2.3 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 23, 2021 20:59:01.141908884 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 23, 2021 20:59:01.161288023 CET | 53 | 60784 | 8.8.8.8 | 192.168.2.3 |
Nov 23, 2021 20:59:02.095560074 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 23, 2021 20:59:02.115087986 CET | 53 | 51143 | 8.8.8.8 | 192.168.2.3 |
Nov 23, 2021 20:59:22.596138954 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 23, 2021 20:59:22.617527008 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3 |
Nov 23, 2021 21:01:33.643055916 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 23, 2021 21:01:33.662415028 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3 |
Nov 23, 2021 21:01:33.671132088 CET | 53616 | 53 | 192.168.2.3 | 208.67.222.222 |
Nov 23, 2021 21:01:33.688481092 CET | 53 | 53616 | 208.67.222.222 | 192.168.2.3 |
Nov 23, 2021 21:01:33.690542936 CET | 53617 | 53 | 192.168.2.3 | 208.67.222.222 |
Nov 23, 2021 21:01:33.707777977 CET | 53 | 53617 | 208.67.222.222 | 192.168.2.3 |
Nov 23, 2021 21:01:33.737785101 CET | 53618 | 53 | 192.168.2.3 | 208.67.222.222 |
Nov 23, 2021 21:01:33.755074978 CET | 53 | 53618 | 208.67.222.222 | 192.168.2.3 |
Nov 23, 2021 21:01:37.242913961 CET | 50728 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 23, 2021 21:01:37.355216980 CET | 53 | 50728 | 8.8.8.8 | 192.168.2.3 |
Nov 23, 2021 21:01:38.458543062 CET | 53777 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 23, 2021 21:01:38.476181984 CET | 53 | 53777 | 8.8.8.8 | 192.168.2.3 |
Nov 23, 2021 21:01:39.536601067 CET | 57106 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 23, 2021 21:01:39.555768013 CET | 53 | 57106 | 8.8.8.8 | 192.168.2.3 |
Nov 23, 2021 21:01:39.667114019 CET | 60352 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 23, 2021 21:01:39.686436892 CET | 53 | 60352 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Nov 23, 2021 20:59:01.141908884 CET | 192.168.2.3 | 8.8.8.8 | 0x6b3a | Standard query (0) | | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:02.095560074 CET | 192.168.2.3 | 8.8.8.8 | 0xb3 | Standard query (0) | | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:22.596138954 CET | 192.168.2.3 | 8.8.8.8 | 0x4cb | Standard query (0) | | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:33.643055916 CET | 192.168.2.3 | 8.8.8.8 | 0x74e5 | Standard query (0) | | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:33.671132088 CET | 192.168.2.3 | 208.67.222.222 | 0x1 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Nov 23, 2021 21:01:33.690542936 CET | 192.168.2.3 | 208.67.222.222 | 0x2 | Standard query (0) | | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:33.737785101 CET | 192.168.2.3 | 208.67.222.222 | 0x3 | Standard query (0) | | 28 | IN (0x0001) |
Nov 23, 2021 21:01:37.242913961 CET | 192.168.2.3 | 8.8.8.8 | 0x3485 | Standard query (0) | | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:38.458543062 CET | 192.168.2.3 | 8.8.8.8 | 0xa124 | Standard query (0) | | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:39.536601067 CET | 192.168.2.3 | 8.8.8.8 | 0xaadd | Standard query (0) | | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:39.667114019 CET | 192.168.2.3 | 8.8.8.8 | 0x4667 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Nov 23, 2021 20:59:01.161288023 CET | 8.8.8.8 | 192.168.2.3 | 0x6b3a | No error (0) | | | 74.6.143.26 | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:01.161288023 CET | 8.8.8.8 | 192.168.2.3 | 0x6b3a | No error (0) | | | 98.137.11.163 | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:01.161288023 CET | 8.8.8.8 | 192.168.2.3 | 0x6b3a | No error (0) | | | 98.137.11.164 | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:01.161288023 CET | 8.8.8.8 | 192.168.2.3 | 0x6b3a | No error (0) | | | 74.6.143.25 | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:01.161288023 CET | 8.8.8.8 | 192.168.2.3 | 0x6b3a | No error (0) | | | 74.6.231.20 | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:01.161288023 CET | 8.8.8.8 | 192.168.2.3 | 0x6b3a | No error (0) | | | 74.6.231.21 | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:02.115087986 CET | 8.8.8.8 | 192.168.2.3 | 0xb3 | No error (0) | | new-fp-shed.wg1.b.yahoo.com | | CNAME (Canonical name) | IN (0x0001) |
Nov 23, 2021 20:59:02.115087986 CET | 8.8.8.8 | 192.168.2.3 | 0xb3 | No error (0) | | | 87.248.100.216 | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:02.115087986 CET | 8.8.8.8 | 192.168.2.3 | 0xb3 | No error (0) | | | 87.248.100.215 | A (IP address) | IN (0x0001) |
Nov 23, 2021 20:59:22.617527008 CET | 8.8.8.8 | 192.168.2.3 | 0x4cb | No error (0) | | | 89.44.9.140 | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:33.662415028 CET | 8.8.8.8 | 192.168.2.3 | 0x74e5 | No error (0) | | | 208.67.222.222 | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:33.688481092 CET | 208.67.222.222 | 192.168.2.3 | 0x1 | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Nov 23, 2021 21:01:33.688481092 CET | 208.67.222.222 | 192.168.2.3 | 0x1 | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Nov 23, 2021 21:01:33.688481092 CET | 208.67.222.222 | 192.168.2.3 | 0x1 | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Nov 23, 2021 21:01:33.707777977 CET | 208.67.222.222 | 192.168.2.3 | 0x2 | No error (0) | | | 84.17.52.63 | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:37.355216980 CET | 8.8.8.8 | 192.168.2.3 | 0x3485 | No error (0) | | | 209.202.254.90 | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:38.476181984 CET | 8.8.8.8 | 192.168.2.3 | 0xa124 | No error (0) | | | 209.202.254.90 | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:39.555768013 CET | 8.8.8.8 | 192.168.2.3 | 0xaadd | No error (0) | | edge.gycpi.b.yahoodns.net | | CNAME (Canonical name) | IN (0x0001) |
Nov 23, 2021 21:01:39.555768013 CET | 8.8.8.8 | 192.168.2.3 | 0xaadd | No error (0) | | | 87.248.118.22 | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:39.555768013 CET | 8.8.8.8 | 192.168.2.3 | 0xaadd | No error (0) | | | 87.248.118.23 | A (IP address) | IN (0x0001) |
Nov 23, 2021 21:01:39.686436892 CET | 8.8.8.8 | 192.168.2.3 | 0x4667 | No error (0) | | ds-ats.member.g02.yahoodns.net | | CNAME (Canonical name) | IN (0x0001) |
Nov 23, 2021 21:01:39.686436892 CET | 8.8.8.8 | 192.168.2.3 | 0x4667 | No error (0) | | | 212.82.100.140 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTPS Proxied Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49747 | 74.6.143.26 | 443 | C:\Users\user\Desktop\FpYf5EGDO9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 19:59:01 UTC | 0 | OUT | |
2021-11-23 19:59:01 UTC | 0 | IN | |
2021-11-23 19:59:01 UTC | 1 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49748 | 87.248.100.216 | 443 | C:\Users\user\Desktop\FpYf5EGDO9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 19:59:02 UTC | 1 | OUT | |
2021-11-23 19:59:02 UTC | 1 | IN | |
2021-11-23 19:59:02 UTC | 2 | IN | |
2021-11-23 19:59:02 UTC | 3 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.3 | 49751 | 89.44.9.140 | 443 | C:\Users\user\Desktop\FpYf5EGDO9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 19:59:22 UTC | 4 | OUT | |
2021-11-23 19:59:22 UTC | 4 | IN | |
2021-11-23 19:59:22 UTC | 5 | IN | |
2021-11-23 19:59:22 UTC | 20 | IN | |
2021-11-23 19:59:23 UTC | 36 | IN | |
2021-11-23 19:59:23 UTC | 52 | IN | |
2021-11-23 19:59:23 UTC | 68 | IN | |
2021-11-23 19:59:23 UTC | 84 | IN | |
2021-11-23 19:59:23 UTC | 100 | IN | |
2021-11-23 19:59:23 UTC | 116 | IN | |
2021-11-23 19:59:23 UTC | 132 | IN | |
2021-11-23 19:59:23 UTC | 148 | IN | |
2021-11-23 19:59:23 UTC | 164 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.3 | 49753 | 89.44.9.140 | 443 | C:\Users\user\Desktop\FpYf5EGDO9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 19:59:23 UTC | 179 | OUT | |
2021-11-23 19:59:23 UTC | 180 | IN | |
2021-11-23 19:59:23 UTC | 180 | IN | |
2021-11-23 19:59:23 UTC | 196 | IN | |
2021-11-23 19:59:23 UTC | 212 | IN | |
2021-11-23 19:59:23 UTC | 228 | IN | |
2021-11-23 19:59:23 UTC | 244 | IN | |
2021-11-23 19:59:23 UTC | 260 | IN | |
2021-11-23 19:59:23 UTC | 276 | IN | |
2021-11-23 19:59:23 UTC | 292 | IN | |
2021-11-23 19:59:23 UTC | 308 | IN | |
2021-11-23 19:59:23 UTC | 324 | IN | |
2021-11-23 19:59:23 UTC | 340 | IN | |
2021-11-23 19:59:23 UTC | 356 | IN | |
2021-11-23 19:59:23 UTC | 372 | IN | |
2021-11-23 19:59:23 UTC | 388 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.3 | 49755 | 89.44.9.140 | 443 | C:\Users\user\Desktop\FpYf5EGDO9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 19:59:23 UTC | 402 | OUT | |
2021-11-23 19:59:23 UTC | 403 | IN | |
2021-11-23 19:59:23 UTC | 403 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
5 | 192.168.2.3 | 49817 | 209.202.254.90 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 20:01:38 UTC | 405 | OUT | |
2021-11-23 20:01:38 UTC | 405 | IN | |
2021-11-23 20:01:38 UTC | 406 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
6 | 192.168.2.3 | 49818 | 209.202.254.90 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 20:01:38 UTC | 407 | OUT | |
2021-11-23 20:01:38 UTC | 407 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
7 | 192.168.2.3 | 49819 | 209.202.254.90 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 20:01:39 UTC | 408 | OUT | |
2021-11-23 20:01:39 UTC | 408 | IN | |
2021-11-23 20:01:39 UTC | 408 | IN | |
2021-11-23 20:01:39 UTC | 408 | IN | |
2021-11-23 20:01:39 UTC | 421 | IN | |
2021-11-23 20:01:39 UTC | 421 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
8 | 192.168.2.3 | 49820 | 87.248.118.22 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 20:01:39 UTC | 421 | OUT | |
2021-11-23 20:01:39 UTC | 421 | IN | |
2021-11-23 20:01:39 UTC | 422 | IN | |
2021-11-23 20:01:39 UTC | 424 | IN | |
2021-11-23 20:01:39 UTC | 427 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
9 | 192.168.2.3 | 49821 | 212.82.100.140 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-23 20:01:39 UTC | 427 | OUT | |
2021-11-23 20:01:39 UTC | 428 | IN |