Windows
Analysis Report
72EED30398363-0983BNDJ0398763536.exe
Overview
General Information
Detection
NanoCore, GuLoader
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard
Classification
- System is w10x64native
- 72EED30398363-0983BNDJ0398763536.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" MD5: 511AD0297CD3E268E8D0C53C1207DC95)
- CasPol.exe (PID: 4452 cmdline: "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
- CasPol.exe (PID: 4620 cmdline: "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
- CasPol.exe (PID: 4328 cmdline: "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
- CasPol.exe (PID: 2856 cmdline: "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
- conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- schtasks.exe (PID: 380 cmdline: schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4A7.tmp MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)
- conhost.exe (PID: 388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- CasPol.exe (PID: 7968 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0 MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
- conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cleanup
{"Payload URL": "https://drive.google.com/uc?export=download&id=1xOEjCOqIA-Yci9ED_I139gMqhvvo_S5Y"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Signature categories matched (author: Joe Security):
- AV Detection
- E-Banking Fraud
- Stealing of Sensitive Information
- Remote Access Functionality

No Snort rule has matched.
Signature details by category (AV Detection, Networking, Data Obfuscation, Boot Survival, Hooking and other Techniques for Hiding and Protection, Malware Analysis System Evasion, HIPS / PFW / Operating System Protection Evasion): the per-signature evidence rows (code functions, binary strings, network traffic, process, registry and file events) are not preserved in this copy of the report.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | 1 Scheduled Task/Job | 1 Windows Service | 1 Access Token Manipulation | 1 Obfuscated Files or Information | LSASS Memory | 5 System Information Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | 1 Scheduled Task/Job | 1 Windows Service | 1 DLL Side-Loading | Security Account Manager | 221 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | 1 Registry Run Keys / Startup Folder | 111 Process Injection | 1 Masquerading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | 1 Scheduled Task/Job | 131 Virtualization/Sandbox Evasion | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | 113 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 111 Process Injection | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Hidden Files and Directories | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 10% | Virustotal | | Browse |
 | 5% | ReversingLabs | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 172.217.168.14 | true | false | | high |
googlehosted.l.googleusercontent.com | 172.217.168.33 | true | false | | high |
8476.hopto.org | 91.193.75.131 | true | false | | unknown |
doc-0c-as-docs.googleusercontent.com | unknown | unknown | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.217.168.14 | drive.google.com | United States | | 15169 | GOOGLEUS | false |
172.217.168.33 | googlehosted.l.googleusercontent.com | United States | | 15169 | GOOGLEUS | false |
91.193.75.131 | 8476.hopto.org | Serbia | | 209623 | DAVID_CRAIGGG | false |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 632155 |
Start date and time: | 2022-05-23 11:44:25 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 72EED30398363-0983BNDJ0398763536.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Run name: | Suspected Instruction Hammering |
Number of new started processes analysed: | 22 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.troj.evad.winEXE@15/20@40/3 |
Cookbook Comments:
- Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
- TCP Packets have been reduced to 100
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, wdcpalt.microsoft.com, client.wns.windows.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, dns.msftncsi.com
- Not all processes were analyzed; report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
11:46:19 | API Interceptor | |
11:46:57 | Autostart | |
11:47:01 | Task Scheduler | |
11:47:01 | API Interceptor | |
11:47:06 | Autostart |

Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
Category: | modified |
Size (bytes): | 20 |
Entropy (8bit): | 3.6841837197791887 |
Encrypted: | false |
SSDEEP: | 3:QHXMKas:Q3Las |
MD5: | B3AC9D09E3A47D5FD00C37E075A70ECB |
SHA1: | AD14E6D0E07B00BD10D77A06D68841B20675680B |
SHA-256: | 7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432 |
SHA-512: | 09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316 |
Malicious: | false |
Reputation: | moderate, very likely benign file |

Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
Category: | dropped |
Size (bytes): | 1141532 |
Entropy (8bit): | 7.738210346713319 |
Encrypted: | false |
SSDEEP: | 24576:LY8XnAQGPnlkfWFUK0jqyUEcq7mGLtxSdrHYZ8OI6LG5P4dNg:EHQGNYWFUJuyUA6tdTnO5i5wdu |
MD5: | D75048D7C81C5A1FD4F3E5475391AD15 |
SHA1: | 59FBC0C3D7F9830EFD94A2B56B1F61D9232EA8D9 |
SHA-256: | 6D9DCE7BB0DB3C8649A0308029A397D6BB42E5C13358FB4C49FC176805625372 |
SHA-512: | 48E71D7AC510A554279738BC39C79020798FBE701F06B935EBFECC112B2043A39557A3ACD8EB6F3D46546904649A199450ECBD7BA6E2A0F5B05A78722F1B6F11 |
Malicious: | false |

Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
Category: | dropped |
Size (bytes): | 188 |
Entropy (8bit): | 5.284749695608875 |
Encrypted: | false |
SSDEEP: | 3:ejHERMQnFkViJS4RKbuviyiboBz5/Wo0WcL0yEyQEmkQV+Y7aMAUKl+HJDuMBXFQ:ejHyaVic4subiWzFWo1DhkQwY7hAUKms |
MD5: | A1D0F1E580E02348560D8D7CB2A5A773 |
SHA1: | 62A3B544C463CD164077BF00CFDDE45A92C8CDFA |
SHA-256: | 9E99E7F8983E7AFA447808263F0D539092DDCC9BD2D08DEC3955456DE3D82F0B |
SHA-512: | 69962F2E8201089F25EEC027443AC20DDB7F512ECAF65CC8964F68710FBD8CED2789EA946E30E3EB7ABA8FDD3A9B90842A6861D3F14F8EA96F9BE9D556EAAE9D |
Malicious: | false |

Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
Category: | dropped |
Size (bytes): | 9184 |
Entropy (8bit): | 7.883950548629578 |
Encrypted: | false |
SSDEEP: | 192:oXRe/9ug6TLD7hE6T18DBHuJMlvNGi7aWCndwcKMwVof4aBLodMI:KRe/UfD1E658DFucGi2tdEILodMI |
MD5: | 8DF53262DD7366ACC7CA948D11197771 |
SHA1: | 3902822B1E93424F83731C8FE0FCC0C6B25E5CA7 |
SHA-256: | 744D858D6C6A7B6E771A5B2D09A0DE81DF56BA28DCC15BA803871A97513C345C |
SHA-512: | 0BD2C0D7CC5A82EABABA1A9820C4D1905ABD00416B20C995AD26869B3A38246A9808BA879FA90435C559AC574793FB4E79785C6E023CE0A242DD90BA4FE29578 |
Malicious: | false |

Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
Category: | dropped |
Size (bytes): | 20920 |
Entropy (8bit): | 6.270129738401503 |
Encrypted: | false |
SSDEEP: | 384:35kgh9IGJLE8rIYcnuYPBkvDG/Ghu4aX9lw:pkM9IG9EWIYyusqDGehuDXvw |
MD5: | 22ACDFF46574615C4EBF05E223A15899 |
SHA1: | 45A3ACFE2D98A8AED780F0A323DA8B2BE366D2B6 |
SHA-256: | 3089869E2C5691A16E1CF677BAB0A9148B688FBC6B69BB9AF949DD5AC009B063 |
SHA-512: | 9D689705A5737F557B8FCC84DB49E1B36EE8E527D8150DA5E8766BA50298CA0791224E90C7DADF9D930EFD4D0E113E387496F03F672C865E6A5785D12C7859BE |
Malicious: | false |

Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
Category: | dropped |
Size (bytes): | 63104 |
Entropy (8bit): | 5.896544515767483 |
Encrypted: | false |
SSDEEP: | 1536:gmnKEGwDMO8sr1HmWaCoTcmfN/YYFH0CUYyFB6yhvfQvDYXX:LnKEGMDAcmfUF3Q7YXX |
MD5: | BA1836B308145CB718436BDB13AEEE22 |
SHA1: | DB1058FB7CF495F41DE09EE7B851C6689498AB71 |
SHA-256: | CCD5DE1DB4C4BAA22EAC952A83CEC144A1038556959255E5EB202E0C8C1C4C66 |
SHA-512: | 3F06969280877BE4828A5070BB43461AE63B9110A6192BAD3A9C9390A12AF47E44024D06A7E5243A5FD5F659910199F8D5157055C15C605EFA8287E9075D1AFF |
Malicious: | false |

Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
Category: | dropped |
Size (bytes): | 782753 |
Entropy (8bit): | 7.972739118836816 |
Encrypted: | false |
SSDEEP: | 12288:1xE6g9kiViGNq+W6nQNIDO0tVGb34eaR6fUnMlkTFztQywzV0jyB4Dl9l+qfkwPN:7E6G3VibpHIdebodR6jlKFtQVUv+iP8S |
MD5: | E269DECCAC13CF01A0377872E79BC676 |
SHA1: | 54D196FDE9529310F9E5A3EBA6548DAB4F179542 |
SHA-256: | 255874E0A6A5CA862CBAE5C783D582729B343C70C5697062D7F1E587F15F25EC |
SHA-512: | 08ADAD38BE3472CF8814C40F99D6DCFDA313C2FED765B872AA30C0995B027F2BEDABF75DB625F3C40F003A8EFC3F41169CBA4AF706EC637018DEEF02EC92F6CC |
Malicious: | false |

Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
Category: | dropped |
Size (bytes): | 96538 |
Entropy (8bit): | 7.127885129617323 |
Encrypted: | false |
SSDEEP: | 1536:QLcub+0B+L4nRYjPjhDxPA0Z8sHmIYnlklScwN2hUrVMr01Rt:QXb+U5nRYjLl5A0RHInlpcN2Eo |
MD5: | BE404281EAEDF107215373147BD63124 |
SHA1: | 21677AF0A0E1C95E1F5444DB62858E022F7A625F |
SHA-256: | 676542C7435A8B1D2984027E2B10D47A3403179BA355D6BA2761D056754B4226 |
SHA-512: | 678725B6869F362A85E0000EA7F5669145F1CFE20990CB78E20F3E0BE156FA3C8A315CEE257E765783C3FDCC44B152B944E5FC31F3BF8F7AF8C5363B97DE92BB |
Malicious: | false |

Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
Category: | dropped |
Size (bytes): | 319 |
Entropy (8bit): | 4.594821675408072 |
Encrypted: | false |
SSDEEP: | 6:TMVBd/6o8GUYl/n7S3mc4slLlNkRIhFYV4vtAlaRI1stAlaRIH32tAlBC:TMHdPnnl/nu3tlnTPvWlzyWlzH32WlM |
MD5: | 494915A7B4C3DFA64D1F4CD789C8CC97 |
SHA1: | 5873C59C31EF784AAE90D8EE0EBCD5BB2FCFB673 |
SHA-256: | 8E229CFBC1B7D593409310662867493B644FA07C68CA60F64018B1CDBC7FAC04 |
SHA-512: | 11BD7CF250A2F45E0FB79906478B3B2AABC8032622A2ED898EDE6E5AB077FDF6ED55DFA1B9EE54BF8E36BB7EC7BD7E533D2F8143DA15E8F7DA9EB9360F4B282B |
Malicious: | false |

Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
Category: | dropped |
Size (bytes): | 28712 |
Entropy (8bit): | 5.958396786343478 |
Encrypted: | false |
SSDEEP: | 384:Jw9WI09pPemQKLJO8WwTB4NTRFRz2X9f512mG5dKlLnyrVU9XhGfZyhq:e9WIcGlgJWsZbH3DyiXmyh |
MD5: | 1438E9F76917193C424B15094683D2EB |
SHA1: | 85EED842A0F06CBBA53A08A231AF8CBE66BB89DB |
SHA-256: | 84FFF6EA83E615D85D6BE156A2443AC966A7172A2C5C50727B0D75AE99822EDD |
SHA-512: | F8A522814B9277674BDC7B118FE9133CEC3BF521FBD617103565E8EBF5CEF11D66E1C84734000D7DB0441480BD5EEED6AB8D776319D80CE57DCAB46F5D77C44A |
Malicious: | false |

Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
Category: | dropped |
Size (bytes): | 104272 |
Entropy (8bit): | 4.543275874610095 |
Encrypted: | false |
SSDEEP: | 3072:yw4+Ma1g2FYhTaV2NTzgbevXKrmFqYyfZ:y43VqsTT |
MD5: | DB49F13C9928754DEAEBBF869638897D |
SHA1: | A97B054292DF83EC70697C740955E837B3573653 |
SHA-256: | B42A530B4DCACA8E43AD71A7E6383273DB29D3660AC0F84FE26AABEC69724EBE |
SHA-512: | 0CB79A2396A683B8B4CFE634B5CB99F17239CE828174A1B623183A3E1BBB458BD4B77121C019E00444923D97F53ECEC4011AAD86D624BCC6084E64AE7B220B90 |
Malicious: | false |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 244 |
Entropy (8bit): | 6.758520539988057 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPys81g2WMTrmv2GxdaTKUWdXhcorhOZXd5bvn0LGp:6v/7c1ZWarYvDa+UWdxcor87bv0g |
MD5: | 4FD7AA500BD09F4AE3D4D0951D56B095 |
SHA1: | 215730E32EE69DBA4A8CCF190D16903C51803C3C |
SHA-256: | B34B352C04C4578B1130C979A3571DBF058BC939CDC45723E479BCE27D80B7A5 |
SHA-512: | B4EEA2408A0A717EE79DB3BD66DFDA455A67058CF707F5638DF786DADFFEBE0E9DFF508DA6ED235AE5AD73EE82656C1338590910850A046B66ECB82AEE19B036 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 195 |
Entropy (8bit): | 6.430880464743636 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysmh8PfdN0KGI78rYLxrXDvSIKyVirp:6v/7G2PX0Xh8xKIlk |
MD5: | DA925495872960113430706C4C2EC1D7 |
SHA1: | 4B32A4996BA978F85E59A6F680BD7284FA5CEF25 |
SHA-256: | 6163611AC321BBD145F39CA05A7B55F38C54D22D9A5E0898DA72E6E1200FA26B |
SHA-512: | 3F9FAC6703682550CC259CD2A2EEEF47CAF2C87A851D08B89C4C0CB4D9829652B9851EB71F62D8B27CD079BDFCC2B683368D14A12A3D94C32290D8C80B71D089 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1260 |
Entropy (8bit): | 4.838834785988535 |
Encrypted: | false |
SSDEEP: | 24:t4CpQOpbZmi4vxMgThS3UunhEXJaTAjpw4AeWrGMyWd3vCmLyxmhwLsBBL03PhXB:2yOxMgTihkWAjG4Ae3MZtOmh+4BLtYxH |
MD5: | 03A35EC7CB5A202A491FB84A5EACE46E |
SHA1: | 476405E7FAEE6B36C7F955CFA09FE304E50BD6D3 |
SHA-256: | C5154D6254D127A9DF95CAC18364FE23E124BC9D66A84B59CC269FA51CEC18B9 |
SHA-512: | 7439E4020259B4850F4EC208B0EFB10611479DE4F80619D47DCD4E9F94DF1FCB1BBC2B416DC084D44D06E30ADF30A2A16B3E66C9D374FFBC7B49920EC6F91E1C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
File Type: | |
Category: | modified |
Size (bytes): | 12288 |
Entropy (8bit): | 5.814115788739565 |
Encrypted: | false |
SSDEEP: | 192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr |
MD5: | CFF85C549D536F651D4FB8387F1976F2 |
SHA1: | D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E |
SHA-256: | 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8 |
SHA-512: | 531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88 |
Malicious: | false |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 327 |
Entropy (8bit): | 7.015504476308313 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPyshpTgb5VYwsMgZx9dumoUd+g2n7dbfMdHegZQy2SxpqliJv/Ct5r1qt7p:6v/7Mb52YKdUTgZQlRv5m |
MD5: | B23317C72FF4A53029CEBBA876561AE1 |
SHA1: | 5127AF4C76241B78CF253AF98DF35594B0693B2D |
SHA-256: | 07488F4DCE56A1DE0ED909541581A63B0498663DDF532707BFD01D77224A1D31 |
SHA-512: | CE4E5C61EBB736688E437330B65192E4A53703128299B067569E5E56281284A8592FD8C0C88B1CE4052CFB8F2C2BD6A129074BAA649D06DBF7F314C4ADB32091 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1319 |
Entropy (8bit): | 5.131285242271578 |
Encrypted: | false |
SSDEEP: | 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnJxtn:cbk4oL600QydbQxIYODOLedq3ZJj |
MD5: | 497F298FC157762F192A7C42854C6FB6 |
SHA1: | 04BEC630F5CC64EA17C0E3E780B3CCF15A35C6E0 |
SHA-256: | 3462CBE62FBB64FC53A0FCF97E43BAAFE9DD9929204F586A86AFE4B89D8048A6 |
SHA-512: | C7C6FD3097F4D1CCD313160FEDF7CB031644E0836B8C3E25481095E5F4B003759BC84FC6EA9421E3A090E66DC2FF875FEC2F394A386691AB178CB164733411B2 |
Malicious: | true |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8 |
Entropy (8bit): | 3.0 |
Encrypted: | false |
SSDEEP: | 3:MBl:Mj |
MD5: | 645B7D50949D430B13D70E082E91DE68 |
SHA1: | A8896786BFAB83DC37CD4B8D04BF7C276633FDE0 |
SHA-256: | 783E18B553CFA64457DEB68F47A05B24A8102200C9E1B1F5DA5C7A43E8441344 |
SHA-512: | 0FE723E3EB767136326F10DAD9A368D370402A8CB9A96424F6794D89AA0DFC76AD856C73AAFD0AD02F9FE59E58324B0BF45340DD5EE27C4CE88E1C5679958C34 |
Malicious: | true |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 56 |
Entropy (8bit): | 4.745141646068962 |
Encrypted: | false |
SSDEEP: | 3:oMty8WbSmm:oMLWumm |
MD5: | F781103B538E4159A8F01E3BE09B1F8D |
SHA1: | 27992585DE22A095BABCFD75E8F96710DD921C37 |
SHA-256: | BEA91983791C26C19AA411B2870E89AFC250EAF9855B6E1CE7BEA02B74E7F368 |
SHA-512: | D50AE0A01E74FC263B704FADE17CDF4993B61E34FD498827D546F090CE2DA5E8F24D4D34FBF360AE7EE5C5E7E3F032F3DDA8AD0C2A2CF0E1DAFEED61258AB4CA |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 182 |
Entropy (8bit): | 5.07060597644582 |
Encrypted: | false |
SSDEEP: | 3:RGXKRjN3Mxm8d/AjhclROXDD9jmKXVM8/FOoDamd9xraWMZ4MKLJFcLEWgJya7:zx3M7ucLOdBXVNYmd9NaWM6MKnH5JyY |
MD5: | B08826036A3E81B44E7D8C1284381013 |
SHA1: | 96CF7E6BC1B55C69CE33BEC3B78FFF4EB8839B87 |
SHA-256: | E7AD5092F56BB2ACA26262C361FE5F83171D21AB134D4E5D2EF47E9BF641B549 |
SHA-512: | EB9908F6FB6398EDCE4F3B18AA64ABEE8774D1CA3A5B533617C97AAC5E795627CCB8B1176BE64371E6BEF6352004FC2B4862A388D61A6103D05B5B2D02CD0481 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.738214112700285 |
TrID: |
|
File name: | 72EED30398363-0983BNDJ0398763536.exe |
File size: | 1141532 |
MD5: | 511ad0297cd3e268e8d0c53c1207dc95 |
SHA1: | aa466a3c5fb1a4c3ae77835fc3d592e8f7a0679b |
SHA256: | c527fc06df0bca1fe6ef47ff82e1a858af8b50877d97446c7898e5d1a80146a3 |
SHA512: | 1667daacf36e47caf1a061fc9725a0692317def2b0c2c0017ebf5ca75046501dc107ec94a0ddd74ac11c7d9bbbe7c5cc16c163ba5aac5879ba6c8469ba079924 |
SSDEEP: | 24576:kY8XnAQGPnlkfWFUK0jqyUEcq7mGLtxSdrHYZ8OI6LG5P4dNg:tHQGNYWFUJuyUA6tdTnO5i5wdu |
TLSH: | 85351261B336C40FD442E93D1B5FD3994AABAC502F69CDD63210AB8FAE346046F497B4 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*..... |
Icon Hash: | 78f8a4d9f47eb95a |
Entrypoint: | 0x403640 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 61259b55b8912888e90f516ca08dc514 |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 000003F4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [ebp-14h], ebx |
mov dword ptr [ebp-04h], 0040A230h |
mov dword ptr [ebp-10h], ebx |
call dword ptr [004080C8h] |
mov esi, dword ptr [004080CCh] |
lea eax, dword ptr [ebp-00000140h] |
push eax |
mov dword ptr [ebp-0000012Ch], ebx |
mov dword ptr [ebp-2Ch], ebx |
mov dword ptr [ebp-28h], ebx |
mov dword ptr [ebp-00000140h], 0000011Ch |
call esi |
test eax, eax |
jne 00007F2E14403A9Ah |
lea eax, dword ptr [ebp-00000140h] |
mov dword ptr [ebp-00000140h], 00000114h |
push eax |
call esi |
mov ax, word ptr [ebp-0000012Ch] |
mov ecx, dword ptr [ebp-00000112h] |
sub ax, 00000053h |
add ecx, FFFFFFD0h |
neg ax |
sbb eax, eax |
mov byte ptr [ebp-26h], 00000004h |
not eax |
and eax, ecx |
mov word ptr [ebp-2Ch], ax |
cmp dword ptr [ebp-0000013Ch], 0Ah |
jnc 00007F2E14403A6Ah |
and word ptr [ebp-00000132h], 0000h |
mov eax, dword ptr [ebp-00000134h] |
movzx ecx, byte ptr [ebp-00000138h] |
mov dword ptr [0042A318h], eax |
xor eax, eax |
mov ah, byte ptr [ebp-0000013Ch] |
movzx eax, ax |
or eax, ecx |
xor ecx, ecx |
mov ch, byte ptr [ebp-2Ch] |
movzx ecx, cx |
shl eax, 10h |
or eax, ecx |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x74000 | 0x28488 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6676 | 0x6800 | False | 0.656813401442 | data | 6.41745998719 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.14106681717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x20378 | 0x600 | False | 0.509765625 | data | 4.11058212765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ndata | 0x2b000 | 0x49000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x74000 | 0x28488 | 0x28600 | False | 0.342685758514 | data | 4.39207892807 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x74358 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0x84b80 | 0x94a8 | data | English | United States |
RT_ICON | 0x8e028 | 0x5488 | data | English | United States |
RT_ICON | 0x934b0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 8454136, next used block 4294967167 | English | United States |
RT_ICON | 0x976d8 | 0x25a8 | data | English | United States |
RT_ICON | 0x99c80 | 0x10a8 | data | English | United States |
RT_ICON | 0x9ad28 | 0x988 | data | English | United States |
RT_ICON | 0x9b6b0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_DIALOG | 0x9bb18 | 0x100 | data | English | United States |
RT_DIALOG | 0x9bc18 | 0x11c | data | English | United States |
RT_DIALOG | 0x9bd38 | 0xc4 | data | English | United States |
RT_DIALOG | 0x9be00 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x9be60 | 0x76 | data | English | United States |
RT_VERSION | 0x9bed8 | 0x270 | data | English | United States |
RT_MANIFEST | 0x9c148 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
DLL | Import |
---|---|
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW |
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW |
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree |
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu |
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW |
Description | Data |
---|---|
LegalCopyright | Copyright 2018 Google LLC |
FileVersion | 1.3.36 |
CompanyName | Google LLC |
LegalTrademarks | |
Comments | |
ProductName | Google Update |
FileDescription | Google Update Setup |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
May 23, 2022 11:53:26.292299986 CEST | 192.168.11.20 | 8.8.8.8 | 0x589a | Standard query (0) | A (IP address) | IN (0x0001) | |
May 23, 2022 11:53:32.478359938 CEST | 192.168.11.20 | 8.8.8.8 | 0x5a10 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 23, 2022 11:53:38.713068008 CEST | 192.168.11.20 | 8.8.8.8 | 0xfd99 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 23, 2022 11:54:03.627757072 CEST | 192.168.11.20 | 8.8.8.8 | 0xb20b | Standard query (0) | A (IP address) | IN (0x0001) | |
May 23, 2022 11:54:09.939173937 CEST | 192.168.11.20 | 8.8.8.8 | 0x7c1e | Standard query (0) | A (IP address) | IN (0x0001) | |
May 23, 2022 11:54:16.174067974 CEST | 192.168.11.20 | 8.8.8.8 | 0xdda6 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 23, 2022 11:54:41.043123960 CEST | 192.168.11.20 | 8.8.8.8 | 0x8236 | Standard query (0) | A (IP address) | IN (0x0001) | |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
May 23, 2022 11:46:58.726953983 CEST | 9.9.9.9 | 192.168.11.20 | 0xe52f | No error (0) | | | 172.217.168.14 | A (IP address) | IN (0x0001) |
May 23, 2022 11:46:59.733742952 CEST | 9.9.9.9 | 192.168.11.20 | 0x8d6c | No error (0) | | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) |
May 23, 2022 11:46:59.733742952 CEST | 9.9.9.9 | 192.168.11.20 | 0x8d6c | No error (0) | | | 172.217.168.33 | A (IP address) | IN (0x0001) |
May 23, 2022 11:47:02.391139030 CEST | 8.8.8.8 | 192.168.11.20 | 0x140f | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:47:09.098932981 CEST | 8.8.8.8 | 192.168.11.20 | 0xb4f5 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:47:22.855329990 CEST | 8.8.8.8 | 192.168.11.20 | 0xba8c | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:47:47.890250921 CEST | 8.8.8.8 | 192.168.11.20 | 0xdd81 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:47:54.163404942 CEST | 8.8.8.8 | 192.168.11.20 | 0x53e0 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:48:00.480863094 CEST | 8.8.8.8 | 192.168.11.20 | 0x7fa6 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:48:25.441343069 CEST | 8.8.8.8 | 192.168.11.20 | 0x3f47 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:48:31.664566994 CEST | 8.8.8.8 | 192.168.11.20 | 0x232a | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:48:38.072735071 CEST | 8.8.8.8 | 192.168.11.20 | 0xac68 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:49:03.318289995 CEST | 8.8.8.8 | 192.168.11.20 | 0xa090 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:49:09.548010111 CEST | 8.8.8.8 | 192.168.11.20 | 0x8397 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:49:15.788270950 CEST | 8.8.8.8 | 192.168.11.20 | 0x1ae4 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:49:40.680655003 CEST | 8.8.8.8 | 192.168.11.20 | 0xf60a | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:49:46.916208029 CEST | 8.8.8.8 | 192.168.11.20 | 0x2052 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:49:53.131108046 CEST | 8.8.8.8 | 192.168.11.20 | 0x78e5 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:50:18.049410105 CEST | 8.8.8.8 | 192.168.11.20 | 0x2ebe | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:50:24.289326906 CEST | 8.8.8.8 | 192.168.11.20 | 0xedff | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:50:30.515665054 CEST | 8.8.8.8 | 192.168.11.20 | 0x9ac1 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:50:55.400388956 CEST | 8.8.8.8 | 192.168.11.20 | 0x9a2 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:51:01.678932905 CEST | 8.8.8.8 | 192.168.11.20 | 0x83e2 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:51:07.913681984 CEST | 8.8.8.8 | 192.168.11.20 | 0xcf71 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:51:34.249434948 CEST | 8.8.8.8 | 192.168.11.20 | 0xb685 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:51:40.450985909 CEST | 8.8.8.8 | 192.168.11.20 | 0x3652 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:51:46.685156107 CEST | 8.8.8.8 | 192.168.11.20 | 0xbe8e | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:52:11.539603949 CEST | 8.8.8.8 | 192.168.11.20 | 0xb75e | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:52:17.776474953 CEST | 8.8.8.8 | 192.168.11.20 | 0x355e | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:52:24.017558098 CEST | 8.8.8.8 | 192.168.11.20 | 0x71f5 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:52:48.908235073 CEST | 8.8.8.8 | 192.168.11.20 | 0xdfd4 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:52:55.155625105 CEST | 8.8.8.8 | 192.168.11.20 | 0xc8f | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:53:01.395365000 CEST | 8.8.8.8 | 192.168.11.20 | 0x45bf | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:53:26.303169966 CEST | 8.8.8.8 | 192.168.11.20 | 0x589a | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:53:32.489136934 CEST | 8.8.8.8 | 192.168.11.20 | 0x5a10 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:53:38.725174904 CEST | 8.8.8.8 | 192.168.11.20 | 0xfd99 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:54:03.726109028 CEST | 8.8.8.8 | 192.168.11.20 | 0xb20b | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:54:09.951195955 CEST | 8.8.8.8 | 192.168.11.20 | 0x7c1e | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:54:16.193367004 CEST | 8.8.8.8 | 192.168.11.20 | 0xdda6 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
May 23, 2022 11:54:41.053447962 CEST | 8.8.8.8 | 192.168.11.20 | 0x8236 | No error (0) | | | 91.193.75.131 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49760 | 172.217.168.14 | 443 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-05-23 09:46:58 UTC | 0 | OUT | |
2022-05-23 09:46:59 UTC | 0 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.11.20 | 49761 | 172.217.168.33 | 443 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-05-23 09:46:59 UTC | 1 | OUT | |
2022-05-23 09:47:00 UTC | 1 | IN | |