Windows
Analysis Report
250427-ve97pavsas.bin.dll
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 7816, cmdline: loaddll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll", MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 7824, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7868, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 7884, cmdline: rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1, MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
- AV Detection
- Compliance
- Networking
- System Summary
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- HIPS / PFW / Operating System Protection Evasion
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Networking |
---|
Source: | DNS query: | ||
Source: | DNS query: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Key value queried: |
Boot Survival |
---|
Source: | Key value created or modified: |
Source: | Process information set: |
Source: | Last function: |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | Process created: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 11 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 11 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
250427-ve97pavsas.bin.dll | 80% | Virustotal | | |
250427-ve97pavsas.bin.dll | 75% | ReversingLabs | Win32.Trojan.Kerproc | |
250427-ve97pavsas.bin.dll | 100% | Avira | TR/Downloader.Gen | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
plunix.3322.org | unknown | unknown | true | unknown | |
w1802.3322.org | unknown | unknown | true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | unknown |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1675549 |
Start date and time: | 2025-04-27 19:05:43 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 52s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 250427-ve97pavsas.bin.dll |
Detection: | MAL |
Classification: | mal64.troj.winDLL@6/0@24/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 184.85.78.223, 20.109.210.53
- Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
File type: | |
Entropy (8bit): | 6.019264494741159 |
TrID: |
|
File name: | 250427-ve97pavsas.bin.dll |
File size: | 26'624 bytes |
MD5: | d949604205db41a0391ded5215d70806 |
SHA1: | f979238f9b8f5045e63424042c0a849b24a0e1fd |
SHA256: | 1e8c98e08eda259d4ace14dd657375c8c1ce9c6a7c2076bcb54c3cabcd33e741 |
SHA512: | e46b55c98dc2ebc6a2d4783ea831d35f99a2e94f566d7308124eb0bbee729b37524ab4a0ea53c294f2d1ee5aa87dbd8248dc39694b9d21206b44ea74a9df9f7a |
SSDEEP: | 384:keyKDQgcSnTuIJKRQ8qgnS/l4yJNYQHYYuR11dYaPFUFl4IzgvwEvJ3Tte:pDv/C8xgnS/lTHYYuR1TFF/IMIERTt |
TLSH: | 69C22B1277C109E4DB2E1A30749F177A897AA6A106E519C3AF72EC789437377E637103 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ud..1...1...1...1...2...S...;...^...3.......3...^...5...^...3...1...z....#..2....#..5.......0....%..0...Rich1.................. |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x1000540b |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL |
DLL Characteristics: | |
Time Stamp: | 0x48E581C7 [Fri Oct 3 02:21:59 2008 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | d20a71558bf51c0f03e653a52a39389d |
Instruction |
---|
push ebp |
mov ebp, esp |
push ebx |
mov ebx, dword ptr [ebp+08h] |
push esi |
mov esi, dword ptr [ebp+0Ch] |
push edi |
mov edi, dword ptr [ebp+10h] |
test esi, esi |
jne 00007F7310E0C97Bh |
cmp dword ptr [1000758Ch], 00000000h |
jmp 00007F7310E0C998h |
cmp esi, 01h |
je 00007F7310E0C977h |
cmp esi, 02h |
jne 00007F7310E0C994h |
mov eax, dword ptr [10007010h] |
test eax, eax |
je 00007F7310E0C97Bh |
push edi |
push esi |
push ebx |
call eax |
test eax, eax |
je 00007F7310E0C97Eh |
push edi |
push esi |
push ebx |
call 00007F7310E0C88Ah |
test eax, eax |
jne 00007F7310E0C976h |
xor eax, eax |
jmp 00007F7310E0C9C0h |
push edi |
push esi |
push ebx |
call 00007F7310E0C59Ah |
cmp esi, 01h |
mov dword ptr [ebp+0Ch], eax |
jne 00007F7310E0C97Eh |
test eax, eax |
jne 00007F7310E0C9A9h |
push edi |
push eax |
push ebx |
call 00007F7310E0C866h |
test esi, esi |
je 00007F7310E0C977h |
cmp esi, 03h |
jne 00007F7310E0C998h |
push edi |
push esi |
push ebx |
call 00007F7310E0C855h |
test eax, eax |
jne 00007F7310E0C975h |
and dword ptr [ebp+0Ch], eax |
cmp dword ptr [ebp+0Ch], 00000000h |
je 00007F7310E0C983h |
mov eax, dword ptr [10007010h] |
test eax, eax |
je 00007F7310E0C97Ah |
push edi |
push esi |
push ebx |
call eax |
mov dword ptr [ebp+0Ch], eax |
mov eax, dword ptr [ebp+0Ch] |
pop edi |
pop esi |
pop ebx |
pop ebp |
retn 000Ch |
jmp dword ptr [100060C8h] |
jmp dword ptr [100060C4h] |
jmp dword ptr [100060BCh] |
jmp dword ptr [10006140h] |
jmp dword ptr [10006138h] |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push 00005118h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6910 | 0x32 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6500 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x360 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9000 | 0x3e4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x148 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4846 | 0x4a00 | 7bd375e1f4d439122ee954fcab3dfb40 | False | 0.49588260135135137 | data | 6.277053745313518 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x6000 | 0x942 | 0xa00 | 6263914dc9bd0c8851e0f24f038d5643 | False | 0.410546875 | data | 4.125311615838973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x7000 | 0x59c | 0x600 | 16b7682d25b40450369f3e1850a5034c | False | 0.607421875 | Matlab v4 mat-file (little endian) \310\360, numeric, rows 0, columns 0 | 5.255872438338646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x8000 | 0x360 | 0x400 | ae6db61c5104be57ac818c5e0f0bd2d9 | False | 0.380859375 | data | 2.62885010204959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x9000 | 0x4a0 | 0x600 | 93354129e6f53d8891fec21e78579fc0 | False | 0.58984375 | data | 4.912469921422045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_STRING | 0x8318 | 0x44 | data | Chinese | China | 0.7794117647058824 |
RT_VERSION | 0x80a0 | 0x274 | data | Chinese | China | 0.46496815286624205 |
DLL | Import |
---|---|
MFC42.DLL | |
MSVCRT.dll | _adjust_fdiv, _initterm, free, ?terminate@@YAXXZ, _except_handler3, strstr, malloc, strchr, atoi, rand, strncpy, __CxxFrameHandler, time, sprintf, srand |
KERNEL32.dll | GetVersionExA, GetTempPathA, GetSystemDirectoryA, CreateMutexA, WinExec, ExitThread, CreateThread, GetLastError, Sleep |
USER32.dll | wsprintfA |
ADVAPI32.dll | RegQueryValueExA, RegCloseKey, RegOpenKeyExA, RegSetValueExA |
SHELL32.dll | ShellExecuteA |
urlmon.dll | URLDownloadToFileA |
WS2_32.dll | setsockopt, select, closesocket, recv, send, WSAStartup, connect, inet_addr, htons, socket, inet_ntoa, gethostbyname, __WSAFDIsSet |
Description | Data |
---|---|
Comments | |
CompanyName | |
FileDescription | |
FileVersion | |
InternalName | |
LegalCopyright | |
LegalTrademarks | |
OriginalFilename | |
PrivateBuild | |
ProductName | |
ProductVersion | |
SpecialBuild | |
Translation | 0x0804 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 27, 2025 19:06:32.623028040 CEST | 58147 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:06:32.769664049 CEST | 60890 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:06:32.938177109 CEST | 53 | 58147 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:06:33.068926096 CEST | 53 | 60890 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:06:37.949034929 CEST | 54726 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:06:38.260787964 CEST | 53 | 54726 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:06:43.297544003 CEST | 52255 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:06:43.607287884 CEST | 53 | 52255 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:06:48.621123075 CEST | 62365 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:06:48.922725916 CEST | 53 | 62365 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:06:53.982332945 CEST | 51539 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:06:54.132534981 CEST | 53 | 51539 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:06:59.308096886 CEST | 62491 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:06:59.456839085 CEST | 53 | 62491 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:04.471088886 CEST | 53954 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:04.617582083 CEST | 53 | 53954 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:09.729707956 CEST | 59098 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:09.879362106 CEST | 53 | 59098 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:14.886003017 CEST | 63172 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:15.052705050 CEST | 53 | 63172 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:20.057915926 CEST | 52228 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:20.369846106 CEST | 53 | 52228 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:25.390296936 CEST | 65423 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:25.552836895 CEST | 53 | 65423 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:30.559889078 CEST | 55455 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:30.704516888 CEST | 53 | 55455 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:35.715038061 CEST | 55839 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:36.008804083 CEST | 53 | 55839 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:41.011472940 CEST | 65014 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:41.162478924 CEST | 53 | 65014 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:46.172811031 CEST | 63971 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:46.468578100 CEST | 53 | 63971 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:51.495846033 CEST | 51106 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:51.789588928 CEST | 53 | 51106 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:07:56.792870998 CEST | 52800 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:07:56.934115887 CEST | 53 | 52800 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:08:01.949115038 CEST | 56203 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:08:02.105421066 CEST | 53 | 56203 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:08:07.154072046 CEST | 54652 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:08:07.303347111 CEST | 53 | 54652 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:08:12.309233904 CEST | 51121 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:08:12.449671984 CEST | 53 | 51121 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:08:17.464756012 CEST | 60471 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:08:17.612675905 CEST | 53 | 60471 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:08:22.620681047 CEST | 53324 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:08:22.940134048 CEST | 53 | 53324 | 1.1.1.1 | 192.168.2.5 |
Apr 27, 2025 19:08:27.949099064 CEST | 55427 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 27, 2025 19:08:28.120117903 CEST | 53 | 55427 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 27, 2025 19:06:32.623028040 CEST | 192.168.2.5 | 1.1.1.1 | 0x2b29 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:06:32.769664049 CEST | 192.168.2.5 | 1.1.1.1 | 0x5aea | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:06:37.949034929 CEST | 192.168.2.5 | 1.1.1.1 | 0x84eb | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:06:43.297544003 CEST | 192.168.2.5 | 1.1.1.1 | 0xe21e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:06:48.621123075 CEST | 192.168.2.5 | 1.1.1.1 | 0x810 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:06:53.982332945 CEST | 192.168.2.5 | 1.1.1.1 | 0x577f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:06:59.308096886 CEST | 192.168.2.5 | 1.1.1.1 | 0x35d9 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:04.471088886 CEST | 192.168.2.5 | 1.1.1.1 | 0xa957 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:09.729707956 CEST | 192.168.2.5 | 1.1.1.1 | 0xc23e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:14.886003017 CEST | 192.168.2.5 | 1.1.1.1 | 0x5739 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:20.057915926 CEST | 192.168.2.5 | 1.1.1.1 | 0x96c3 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:25.390296936 CEST | 192.168.2.5 | 1.1.1.1 | 0x29c4 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:30.559889078 CEST | 192.168.2.5 | 1.1.1.1 | 0xca77 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:35.715038061 CEST | 192.168.2.5 | 1.1.1.1 | 0xfa30 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:41.011472940 CEST | 192.168.2.5 | 1.1.1.1 | 0xe892 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:46.172811031 CEST | 192.168.2.5 | 1.1.1.1 | 0xa608 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:51.495846033 CEST | 192.168.2.5 | 1.1.1.1 | 0xc71b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:07:56.792870998 CEST | 192.168.2.5 | 1.1.1.1 | 0x3e17 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:08:01.949115038 CEST | 192.168.2.5 | 1.1.1.1 | 0x21d6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:08:07.154072046 CEST | 192.168.2.5 | 1.1.1.1 | 0x6a9b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:08:12.309233904 CEST | 192.168.2.5 | 1.1.1.1 | 0x14a6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:08:17.464756012 CEST | 192.168.2.5 | 1.1.1.1 | 0x1e57 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:08:22.620681047 CEST | 192.168.2.5 | 1.1.1.1 | 0x87d3 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 27, 2025 19:08:27.949099064 CEST | 192.168.2.5 | 1.1.1.1 | 0xda00 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 13:06:31 |
Start date: | 27/04/2025 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | loaddll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll" |
Imagebase: | 0x280000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 13:06:31 |
Start date: | 27/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Imagebase: | 0x7ff7e2000000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 13:06:32 |
Start date: | 27/04/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1 |
Imagebase: | 0x220000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 13:06:32 |
Start date: | 27/04/2025 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1 |
Imagebase: | 0x600000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |