Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 22.0.0 |
Analysis ID: | 609630 |
Start time: | 14:25:30 |
Joe Sandbox Product: | Cloud |
Start date: | 16.07.2018 |
Overall analysis duration: | 0h 8m 57s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | ZrfRZCzOXC.exe |
Cookbook file name: | sysmon.jbs |
Analysis system description: | Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 1 |
Technologies |
|
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.evad.winEXE@6/3@11/3 |
EGA Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: |
|
Detection |
---|
Strategy | Score | Range | Reporting | Detection | |
---|---|---|---|---|---|
Threshold | 72 | 0 - 100 | Report FP / FN |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence | |
---|---|---|---|---|---|
Threshold | 5 | 0 - 5 | false |
Classification |
---|
Analysis Advice |
---|
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend behavior |
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook |
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: ZrfRZCzOXC.exe | virustotal: |
Networking: |
---|
Connects to IPs without corresponding DNS lookups |
Source: unknown | TCP traffic detected without corresponding DNS query: |
Uses a known web browser user agent for HTTP communication |
Source: global traffic | HTTP traffic detected: |
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: |
Performs DNS lookups |
Source: unknown | DNS traffic detected: |
Urls found in memory or binary data |
Source: explorer.exe, 00000002.00000000.10291306634.04E6A000.00000004.sdmp | String found in binary or memory: |
Source: explorer.exe, 00000002.00000000.10285365277.02BB0000.00000004.sdmp | String found in binary or memory: |
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp | String found in binary or memory: |
Source: explorer.exe, 00000002.00000000.10291033327.04CFF000.00000004.sdmp | String found in binary or memory: |
Source: explorer.exe, 00000002.00000000.10291223183.04DD7000.00000004.sdmp | String found in binary or memory: |
Source: explorer.exe, 00000002.00000000.10283103260.01F86000.00000004.sdmp | String found in binary or memory: |
Source: ZrfRZCzOXC.exe | String found in binary or memory: |
Source: explorer.exe, 00000002.00000000.10290767042.04C90000.00000004.sdmp | String found in binary or memory: |
Source: explorer.exe, 00000002.00000000.10283123038.01FB0000.00000008.sdmp | String found in binary or memory: |
Source: explorer.exe, 00000002.00000000.10291539017.05220000.00000008.sdmp | String found in binary or memory: |
System Summary: |
---|
Contains functionality to call native functions |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00401B18 |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00401BC5 |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00401C19 |
PE file has an invalid certificate |
Source: ZrfRZCzOXC.exe | Static PE information: |
Reads the hosts file |
Source: C:\Windows\explorer.exe | File read: |
Sample file is different than original file name gathered from version info |
Source: ZrfRZCzOXC.exe, 00000001.00000002.10346790896.001D0000.00000008.sdmp | Binary or memory string: |
Tries to load missing DLLs |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Section loaded: |
Source: C:\Windows\explorer.exe | Section loaded: |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe | Section loaded: |
Classification label |
Source: classification engine | Classification label: |
Creates files inside the user directory |
Source: C:\Windows\explorer.exe | File created: |
Reads ini files |
Source: C:\Windows\explorer.exe | File read: |
Reads software policies |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Key opened: |
Sample is known by Antivirus |
Source: ZrfRZCzOXC.exe | virustotal: |
Spawns processes |
Source: unknown | Process created: |
Source: C:\Windows\System32\taskeng.exe | Process created: |
Source: C:\Windows\System32\cmd.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Windows\explorer.exe | Key value queried: |
Found graphical window changes (likely an installer) |
Source: Window Recorder | Window detected: |
Data Obfuscation: |
---|
PE file contains an invalid checksum |
Source: dtevaaaa.exe.2.dr | Static PE information: | ||
Source: ZrfRZCzOXC.exe | Static PE information: |
PE file contains sections with non-standard names |
Source: ZrfRZCzOXC.exe | Static PE information: | ||
Source: dtevaaaa.exe.2.dr | Static PE information: |
Uses code obfuscation techniques (call, push, ret) |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00403E4B | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00405E0D | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_004038FE | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_004046F2 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_004050AE | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00405D45 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00405142 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00406755 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00401147 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_0040393C | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00405140 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00403FD4 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_004037FA | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00402A90 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00404600 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00404982 | |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: | 1_2_00405B9D |
Persistence and Installation Behavior: |
---|
Drops PE files |
Source: C:\Windows\explorer.exe | File created: |
Boot Survival: |
---|
Creates a start menu entry (Start Menu\Programs\Startup) |
Source: C:\Windows\explorer.exe | File created: |
Stores files to the Windows start menu directory |
Source: C:\Windows\explorer.exe | File created: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Windows\explorer.exe | Process information set: |
Source: C:\Windows\System32\cmd.exe | Process information set: |
Malware Analysis System Evasion: |
---|
Tries to detect sandboxes and other dynamic analysis tools (process name or module) |
Source: explorer.exe, 00000002.00000000.10281837375.004ED000.00000004.sdmp | Binary or memory string: |
Contains capabilities to detect virtual machines |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe | Registry key queried: |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Source: C:\Windows\explorer.exe | Window / User API: |
Queries a list of all running processes |
Source: C:\Windows\explorer.exe | Process information queried: |
Anti Debugging: |
---|
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Windows\System32\taskeng.exe | System information queried: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Benign windows process drops PE files |
Source: C:\Windows\explorer.exe | File created: |
System process connects to network (likely due to code injection or exploit) |
Source: C:\Windows\explorer.exe | Network Connect: |
Maps a DLL or memory area into another process |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Section loaded: |
Creates a process in suspended mode (likely to inject code) |
Source: C:\Windows\System32\taskeng.exe | Process created: |
Source: C:\Windows\System32\cmd.exe | Process created: |
May try to detect the Windows Explorer process (often used for injection) |
Source: explorer.exe, 00000002.00000000.10282089541.00860000.00000002.sdmp, taskeng.exe, 00000003.00000002.10574796883.00E00000.00000002.sdmp | Binary or memory string: |
Source: explorer.exe, 00000002.00000000.10281837375.004ED000.00000004.sdmp | Binary or memory string: |
Language, Device and Operating System Detection: |
---|
Queries the volume information (name, serial number, etc.) of a device |
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Queries volume information: |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe | Queries volume information: |
Queries the cryptographic machine GUID |
Source: C:\Windows\System32\taskeng.exe | Key value queried: |
Behavior Graph |
---|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
14:26:22 | API Interceptor | 602x Sleep call for process: explorer.exe modified |
14:26:52 | Task Scheduler | Run new task: Opera scheduled Autoupdate 211371202 path: C:\Windows\system32\cmd.exe /c start "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe" |
14:30:00 | API Interceptor | 3x Sleep call for process: taskeng.exe modified |
14:30:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chviwehv.lnk |
Antivirus Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
74% | virustotal |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | virustotal |
0% | virustotal |
0% | virustotal |
URLs |
---|
No Antivirus matches |
---|
Yara Overview |
---|
Initial Sample |
---|
No yara matches |
---|
PCAP (Network Traffic) |
---|
No yara matches |
---|
Dropped Files |
---|
No yara matches |
---|
Memory Dumps |
---|
No yara matches |
---|
Unpacked PEs |
---|
No yara matches |
---|
Screenshots |
---|
Startup |
---|
|
Created / dropped Files |
---|
Process: | C:\Windows\explorer.exe |
File Type: | |
Size (bytes): | 1026 |
Entropy (8bit): | 4.423097878654493 |
Encrypted: | false |
MD5: | F0EA0125513E3E79F55D3D7964374E72 |
SHA1: | 98C214D021AAA5638093E52A47ACF73A33943F14 |
SHA-256: | 110D2DFD5612584042F3775FC33FE5C88CEF14D040F3796983F5945CDC8382DC |
SHA-512: | AC61C5EA05A522D3B9B0DA82CE1F42DE388DC16466A509DA026ADB3B3B52D30AAD80EA475D0A900D7566324526BE7A21F8C5A4039E2A7963F877ECE4B84E2CAF |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\explorer.exe |
File Type: | |
Size (bytes): | 242888 |
Entropy (8bit): | 3.770967533024012 |
Encrypted: | false |
MD5: | 2C99759A02CA32D1A7E8AFA09130633F |
SHA1: | DDF98971664EB7B554C86B4AB2E2BA7D469F893C |
SHA-256: | B65806521AA662BFF2C655C8A7A3B6C8E598D709E35F3390DF880A70C3FDED40 |
SHA-512: | 89DF4E78C583F409BEB3DDE03A4E439BA52676DC8ECACD02271D2C30E3FC151C677446652CB7EC7A080C4C00DFC80D63FBDFB369B25DEACE1752D77B93310DCC |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\explorer.exe |
File Type: | |
Size (bytes): | 26 |
Entropy (8bit): | 3.9500637564362093 |
Encrypted: | false |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Reputation: | low |
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
a1621.g.akamai.net | 23.10.249.34 | true | false | 0%, virustotal | high |
a1363.dscg.akamai.net | 23.10.249.18 | true | false | 0%, virustotal | high |
a1961.g2.akamai.net | 23.10.249.17 | true | false | 0%, virustotal | high |
18.249.10.23.in-addr.arpa | unknown | unknown | true | unknown | |
www.msftncsi.com | unknown | unknown | false | high | |
252.0.0.224.in-addr.arpa | unknown | unknown | true | unknown | |
34.249.10.23.in-addr.arpa | unknown | unknown | true | unknown | |
17.249.10.23.in-addr.arpa | unknown | unknown | true | unknown | |
8.8.8.8.in-addr.arpa | unknown | unknown | true | unknown | |
68.72.101.95.in-addr.arpa | unknown | unknown | true | unknown | |
ukcompany.top | unknown | unknown | true | unknown | |
ukcompany.pw | unknown | unknown | true | unknown | |
ukcompany.me | unknown | unknown | true | unknown |
Contacted URLs |
---|
Name | Process |
---|---|
Contacted IPs |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 3.770967533024012 |
TrID: |
|
File name: | ZrfRZCzOXC.exe |
File size: | 242888 |
MD5: | 2c99759a02ca32d1a7e8afa09130633f |
SHA1: | ddf98971664eb7b554c86b4ab2e2ba7d469f893c |
SHA256: | b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40 |
SHA512: | 89df4e78c583f409beb3dde03a4e439ba52676dc8ecacd02271d2c30e3fc151c677446652cb7ec7a080c4c00dfc80d63fbdfb369b25deace1752d77b93310dcc |
File Content Preview: | MZ......................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
File Icon |
---|
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x404773 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED |
DLL Characteristics: | TERMINAL_SERVER_AWARE, NX_COMPAT |
Time Stamp: | 0x56DC0E61 [Sun Mar 6 11:02:57 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 2f71d1b0b8c82759171e7374068065a9 |
Authenticode Signature |
---|
Signature Valid: | false |
Signature Issuer: | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB |
Signature Validation Error: | No signature was present in the subject |
Error Number: | -2146762496 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint: | B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47 |
Serial: | 2E7C87CC0E934A52FE94FD1CB7CD34AF |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
xor ebp, 6Ah |
mov ebp, esp |
add esp, FFFFFF9Ch |
push 00000011h |
push 00423471h |
push 00423464h |
lea eax, dword ptr [004250E0h] |
call dword ptr [eax] |
jmp 5B559529h |
add byte ptr [eax], al |
add byte ptr [edx+11h], ch |
push 00423471h |
push 00423464h |
lea eax, dword ptr [004250E0h] |
call dword ptr [eax] |
push 00000011h |
push 00423471h |
push 00423464h |
lea eax, dword ptr [004250E0h] |
call dword ptr [eax] |
jmp 5B5594F9h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
push 00000011h |
push 00423471h |
push 00423464h |
lea eax, dword ptr [004250E0h] |
call dword ptr [eax] |
jmp 5B55ABC9h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
push 00000011h |
push 00423471h |
push 00423464h |
lea eax, dword ptr [004250E0h] |
call dword ptr [eax] |
push 00000011h |
push 00423471h |
push 00423464h |
lea eax, dword ptr [004250E0h] |
call dword ptr [eax] |
jmp 5B557A17h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x250e8 | 0x8c | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x1693e | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x39600 | 0x1ec8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0xe8 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1300 | 0x60 | .text |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x20e9c | 0x21000 | False | 0.313306403883 | data | 3.9974479969 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.itext | 0x22000 | 0x800 | 0x800 | False | 0.01123046875 | data | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x23000 | 0x482 | 0x600 | False | 0.0703125 | data | 0.574709138496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.bss | 0x24000 | 0x1000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.idata | 0x25000 | 0x660 | 0x800 | False | 0.41015625 | data | 4.19350746654 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.tls | 0x26000 | 0x1000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.xml | 0x27000 | 0x18 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x28000 | 0x1693e | 0x16a00 | False | 0.0472634668508 | data | 1.84043873219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
TRED | 0x28100 | 0x6000 | data | | |
RT_ICON | 0x2e116 | 0x10828 | data | | |
RT_GROUP_ICON | 0x2e100 | 0x16 | MS Windows icon resource - 1 icon | | |
Imports |
---|
DLL | Import |
---|---|
odbctrac.dll | TraceSQLCancel, TraceSQLFetch, TraceSQLBindCol |
dbnmpntw.dll | ConnectionVer, ConnectionError, ConnectionRead, ConnectionClose, ConnectionWrite |
user32.dll | PeekMessageA, wsprintfW, GetDlgItemTextW, GetMessageW, GetClassInfoW, DialogBoxParamW, CharToOemW, IsIconic, LoadStringW, MessageBoxA, PostMessageW, IsCharLowerA |
wtsapi32.dll | WTSEnumerateProcessesA, WTSQuerySessionInformationA, WTSOpenServerW, WTSVirtualChannelOpen, WTSVirtualChannelQuery, WTSEnumerateSessionsW, WTSFreeMemory, WTSVirtualChannelPurgeInput, WTSVirtualChannelClose, WTSQueryUserToken, WTSUnRegisterSessionNotification |
kernel32.dll | CreateFileA, CreateDirectoryW, GetDiskFreeSpaceA, GetCommandLineA, LoadLibraryA, lstrcmpi, CreateSemaphoreA, GetProcAddress, GetFileAttributesA, GetStartupInfoA, GetDriveTypeA, GetFileSize, GetLastError, GetModuleFileNameA, ReadFile, CreateFileMappingA, HeapAlloc, GetLocaleInfoA, CopyFileW, SetCurrentDirectoryW, GetModuleHandleA, QueryDosDeviceA |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
ICMP Packets |
---|
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
Jul 16, 2018 14:26:25.249877930 MESZ | 192.168.1.2 | 192.168.1.81 | 80ec | (Port unreachable) | Destination Unreachable |
Jul 16, 2018 14:26:26.883707047 MESZ | 192.168.1.2 | 192.168.1.81 | 80ec | (Port unreachable) | Destination Unreachable |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jul 16, 2018 14:26:24.905462027 MESZ | 192.168.1.81 | 8.8.8.8 | 0x4d3c | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:24.916542053 MESZ | 192.168.1.81 | 8.8.8.8 | 0x6dfa | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:28.278844118 MESZ | 192.168.1.81 | 8.8.8.8 | 0x3744 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:28.288492918 MESZ | 192.168.1.81 | 8.8.8.8 | 0xa8be | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:30.408819914 MESZ | 192.168.1.81 | 8.8.8.8 | 0x6106 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:57.929929018 MESZ | 192.168.1.81 | 8.8.8.8 | 0x90f3 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:57.984416008 MESZ | 192.168.1.81 | 8.8.8.8 | 0x4742 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:58.223989964 MESZ | 192.168.1.81 | 8.8.8.8 | 0xe650 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:59.330351114 MESZ | 192.168.1.81 | 8.8.8.8 | 0x8237 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:27:00.549827099 MESZ | 192.168.1.81 | 8.8.8.8 | 0x79ec | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:27:02.985342026 MESZ | 192.168.1.81 | 8.8.8.8 | 0xdca4 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jul 16, 2018 14:26:24.932554960 MESZ | 8.8.8.8 | 192.168.1.81 | 0x4d3c | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:24.940689087 MESZ | 8.8.8.8 | 192.168.1.81 | 0x6dfa | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:26.206634998 MESZ | 8.8.8.8 | 192.168.1.81 | 0x7f01 | No error (0) | | | 23.10.249.18 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:26.206634998 MESZ | 8.8.8.8 | 192.168.1.81 | 0x7f01 | No error (0) | | | 23.10.249.25 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:26.266649008 MESZ | 8.8.8.8 | 192.168.1.81 | 0x288 | No error (0) | | | 23.10.249.18 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:26.266649008 MESZ | 8.8.8.8 | 192.168.1.81 | 0x288 | No error (0) | | | 23.10.249.25 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:26.426289082 MESZ | 8.8.8.8 | 192.168.1.81 | 0xeebd | No error (0) | | ctldl.windowsupdate.com.edgesuite.net | | CNAME (Canonical name) | IN (0x0001) |
Jul 16, 2018 14:26:26.426289082 MESZ | 8.8.8.8 | 192.168.1.81 | 0xeebd | No error (0) | | | 23.10.249.34 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:26.426289082 MESZ | 8.8.8.8 | 192.168.1.81 | 0xeebd | No error (0) | | | 23.10.249.19 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:26.466010094 MESZ | 8.8.8.8 | 192.168.1.81 | 0x67fe | No error (0) | | ctldl.windowsupdate.com.edgesuite.net | | CNAME (Canonical name) | IN (0x0001) |
Jul 16, 2018 14:26:26.466010094 MESZ | 8.8.8.8 | 192.168.1.81 | 0x67fe | No error (0) | | | 23.10.249.34 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:26.466010094 MESZ | 8.8.8.8 | 192.168.1.81 | 0x67fe | No error (0) | | | 23.10.249.19 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:28.312007904 MESZ | 8.8.8.8 | 192.168.1.81 | 0x3744 | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:28.313796997 MESZ | 8.8.8.8 | 192.168.1.81 | 0xa8be | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:28.327927113 MESZ | 8.8.8.8 | 192.168.1.81 | 0x6dc1 | No error (0) | | | 95.101.72.68 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:28.327927113 MESZ | 8.8.8.8 | 192.168.1.81 | 0x6dc1 | No error (0) | | | 95.101.72.17 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:28.372262955 MESZ | 8.8.8.8 | 192.168.1.81 | 0xef49 | No error (0) | | | 23.10.249.18 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:28.372262955 MESZ | 8.8.8.8 | 192.168.1.81 | 0xef49 | No error (0) | | | 23.10.249.25 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:30.434210062 MESZ | 8.8.8.8 | 192.168.1.81 | 0x6106 | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:26:57.965293884 MESZ | 8.8.8.8 | 192.168.1.81 | 0x90f3 | No error (0) | | www.msftncsi.com.edgesuite.net | | CNAME (Canonical name) | IN (0x0001) |
Jul 16, 2018 14:26:57.965293884 MESZ | 8.8.8.8 | 192.168.1.81 | 0x90f3 | No error (0) | | | 23.10.249.17 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:57.965293884 MESZ | 8.8.8.8 | 192.168.1.81 | 0x90f3 | No error (0) | | | 23.10.249.40 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:58.009413958 MESZ | 8.8.8.8 | 192.168.1.81 | 0x4742 | No error (0) | | www.msftncsi.com.edgesuite.net | | CNAME (Canonical name) | IN (0x0001) |
Jul 16, 2018 14:26:58.009413958 MESZ | 8.8.8.8 | 192.168.1.81 | 0x4742 | No error (0) | | | 23.10.249.17 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:58.009413958 MESZ | 8.8.8.8 | 192.168.1.81 | 0x4742 | No error (0) | | | 23.10.249.40 | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:58.255578041 MESZ | 8.8.8.8 | 192.168.1.81 | 0xe650 | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Jul 16, 2018 14:26:59.355695009 MESZ | 8.8.8.8 | 192.168.1.81 | 0x8237 | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Jul 16, 2018 14:27:03.011266947 MESZ | 8.8.8.8 | 192.168.1.81 | 0xdca4 | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.1.81 | 49171 | 23.10.249.17 | 80 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jul 16, 2018 14:26:58.025387049 MESZ | 19 | OUT | |
Jul 16, 2018 14:26:58.037357092 MESZ | 20 | IN | |
Jul 16, 2018 14:26:58.263539076 MESZ | 20 | IN | |
Jul 16, 2018 14:27:18.239494085 MESZ | 21 | OUT | |
Jul 16, 2018 14:27:18.251550913 MESZ | 21 | IN | |
Jul 16, 2018 14:27:18.479299068 MESZ | 22 | IN |
System Behavior |
---|
General |
---|
Start time: | 14:26:21 |
Start date: | 16/07/2018 |
Path: | C:\Users\user\Desktop\ZrfRZCzOXC.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 242888 bytes |
MD5 hash: | 2C99759A02CA32D1A7E8AFA09130633F |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:26:22 |
Start date: | 16/07/2018 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x30000 |
File size: | 2972672 bytes |
MD5 hash: | 6DDCA324434FFA506CF7DC4E51DB7935 |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:30:00 |
Start date: | 16/07/2018 |
Path: | C:\Windows\System32\taskeng.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xdd0000 |
File size: | 192000 bytes |
MD5 hash: | 4F2659160AFCCA990305816946F69407 |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:30:00 |
Start date: | 16/07/2018 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4a060000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:30:01 |
Start date: | 16/07/2018 |
Path: | C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 242888 bytes |
MD5 hash: | 2C99759A02CA32D1A7E8AFA09130633F |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 4.3% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 100% |
Total number of Nodes: | 16 |
Total number of Limit Nodes: | 0 |