File name: BLTools v2.2 [CRACKED BY INJUAN].zip
Full analysis: https://app.any.run/tasks/938e4436-fa9c-434f-a78c-e9bb8b00b97a
Verdict: Malicious activity
Threats: RedLine Stealer, a malicious program that collects users' confidential data from browsers, the system and installed software. It can also download and run additional malware.
Analysis date: April 01, 2023, 18:33:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: redline

Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 362C04480065325558DA753AF4879D43
SHA1: 0D577DE150307C0F92991F3695B9CAAE0F05EB6D
SHA256: D2A468812E558977DBF2382B6388EB825FB4EAE4FB27B4E9462A42A4BF43E760
SSDEEP: 49152:wyBDVKWToHBZ8Vacu+lOAw0oyV4uvKWKfewSGj1HrbWuO1fwWB:H5dTSqVpUAw0PV4u+dBH2z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process: BLTools v2.2.exe (PID: 3720, 1816, 3936, 1204, 3120, 2304); build.exe (PID: 2964, 188)
    • Create files in the Startup directory: wscript.exe (PID: 2368)
    • REDLINE detected by memory dumps: build.exe (PID: 2964)
  • SUSPICIOUS
    • Executable content was dropped or overwritten: BLTools v2.2.exe (PID: 1816)
    • The process executes VB scripts: BLTools v2.2.exe (PID: 1816, 3120)
    • Reads the Internet Settings: BLTools v2.2.exe (PID: 1816, 3120); build.exe (PID: 2964, 188); wscript.exe (PID: 2368)
  • INFO
    • Reads the computer name: BLTools v2.2.exe (PID: 1816, 1204, 3120, 2304); build.exe (PID: 2964, 188)
    • Manual execution by a user: BLTools v2.2.exe (PID: 1816, 3720, 3936, 3120)
    • Checks supported languages: BLTools v2.2.exe (PID: 1816, 1204, 3120, 2304); build.exe (PID: 2964, 188)
    • Executable content was dropped or overwritten: WinRAR.exe (PID: 2824)
    • The process checks LSA protection: BLTools v2.2.exe (PID: 1816, 1204, 3120, 2304); build.exe (PID: 2964, 188)
    • Create files in a temporary directory: BLTools v2.2.exe (PID: 1816)
    • Reads Environment values: build.exe (PID: 2964, 188)
    • Reads the machine GUID from the registry: build.exe (PID: 2964, 188); BLTools v2.2.exe (PID: 1204, 2304)
    • Checks proxy server information: wscript.exe (PID: 2368)

RedLine configuration (extracted from the memory of PID 2964, build.exe)
US (151)
Environment
UNKNOWN
.
1
cmyredmyit_cmyardmys
my
as21
\
Local State
LocalPrefs.json
Host
Port
:
User
Pass
MANGO
%USEWanaLifeRPROFILE%\AppDaWanaLifeta\LWanaLifeocal
WanaLife
Def
Win
String.Replace
String.Remove
windows-1251
AES
Microsoft Primitive Provider
ChainingModeGCM
AuthTagLength
ChainingMode
ObjectLength
KeyDataBlob
BCrypt.BCryptImportKey() failed with status code:{0}
BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
BCrypt.BCryptGetProperty() failed with status code:{0}
-
http://
/
|
Yandex\YaAddon
xiiiolympus.hopto.org:1000
@XIIIOLYMPUS
,
asf
*wallet*
Armory
\Armory
*.wallet
Atomic
\atomic
*
ibnejdfjmmkpcnlpebklmnkoeoihofec
Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid
NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn
Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc
MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad
Coinbase
fhbohimaelbohpjbbldcngcnapndodjp
BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl
BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln
GuardaWallet
blnieiiffboillknjnepogjhkgnoapac
EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne
JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi
BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj
iWallet
amkmjjmmflddogmhpjloimipbofnfjih
Wombat
UnknownExtension
_
Local Extension Settings
Coinomi
\Coinomi
Profile_
Tel
egram.exe
\Telegram Desktop\tdata
-*.lo--g
1*.1l1d1b
String
Replace
System.UI
File.IO
*.json
string.Replace
Guarda
\Guarda
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPstring.ReplaceROFILE%\Apstring.ReplacepData\Locastring.Replacel
ToString
(
UNIQUE
"
Width
Height
CopyFromScreen
kernel32
user32.dll
GetConsoleWindow
ShowWindow
SELECT * FROM Win32_Processor
Name
NumberOfCores
root\CIMV2
SELECT * FROM Win32_VideoController
AdapterRAM
ROWindowsServiceOT\SecurityCenteWindowsServicer2
ROWindowsServiceOT\SecurWindowsServiceityCenter
AntqueiresivirusProdqueiresuct
AntqueiresiSpyqueiresWareProdqueiresuct
FiqueiresrewallProqueiresduct
WindowsService
SELECT * FROM
queires
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELECT * FROM Win32_DiskDrive
SerialNumber
'
ExecutablePath
[
]
0 Mb or 0
SELECT * FROM Win32_OperatingSystem
TotalVisibleMemorySize
{0} MB or {1}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
Unknown
_[
Botnet: @XIIIOLYMPUS
C2 (1): xiiiolympus.hopto.org:1000
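The strings above are what RedLine's string protection leaves in memory: a junk token ("WanaLife", "queires", "WindowsService", "File.Write", "string.Replace", even "my" in "cmyredmyit_cmyardmys") is spliced several times into each sensitive string and stripped at run time with String.Replace, which is why the token itself also appears in the dump as a stand-alone string. The following is an added example written for this page, not code from the ANY.RUN report or from RedLine. It infers the tokens from that property (a dump string that occurs two or more times inside another dump string), strips them, and then pulls the C2 host:port, the botnet tag and the wallet-extension ID to name mapping out of the cleaned list. The subset of strings, the inference rule and the regular expressions are the author's assumptions; the single-character tokens ("-" in "-*.lo--g", "1" in "1*.1l1d1b") are too ambiguous to infer safely and are passed explicitly per string.

```python
"""Recover RedLine's junk-padded strings and pull IOCs out of the string dump.

Added example for this page; not code from the ANY.RUN report and not
RedLine's own code. The dump subset, the inference rule and the regexes
below are the author's assumptions, modelled on the strings shown above.
"""
import re

# Constructed subset of the strings listed for PID 2964 (build.exe) above.
DUMP = [
    "cmyredmyit_cmyardmys", "my",
    r"%USEWanaLifeRPROFILE%\AppDaWanaLifeta\LWanaLifeocal", "WanaLife", "Win",
    r"%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng", "File.Write",
    r"%USERPstring.ReplaceROFILE%\Apstring.ReplacepData\Locastring.Replacel",
    "string.Replace", "Replace",
    r"ROWindowsServiceOT\SecurityCenteWindowsServicer2", "WindowsService",
    "AntqueiresivirusProdqueiresuct", "AntqueiresiSpyqueiresWareProdqueiresuct",
    "FiqueiresrewallProqueiresduct", "queires",
    "-*.lo--g", "1*.1l1d1b",
    "xiiiolympus.hopto.org:1000", "@XIIIOLYMPUS",
    "nkbihfbeogaeaoehlefnkodbefgpgknn", "Metamask",
    "hnfanknocfeofbddgcijnmhnfnkdnaad", "Coinbase",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec", "Tronlink",
]

EXT_ID = re.compile(r"^[a-p]{32}$")          # Chromium extension IDs: 32 chars, a-p
HOST_PORT = re.compile(r"^([a-z0-9][a-z0-9.-]*\.[a-z]{2,}):(\d{1,5})$", re.I)


def infer_junk_tokens(strings, min_len=2):
    """Junk tokens are dump strings that occur two or more times inside some
    *other* dump string. A candidate contained in a longer candidate (e.g.
    "Replace" inside "string.Replace", "Win" inside "WindowsService") is
    dropped so stripping the longer one never leaves fragments behind."""
    uniq = set(strings)
    cands = {s for s in uniq if len(s) >= min_len
             and any(t != s and t.count(s) >= 2 for t in uniq)}
    return {c for c in cands if not any(c != o and c in o for o in cands)}


def deobfuscate(s, tokens):
    """Strip every junk token, longest first (mirrors RedLine's String.Replace)."""
    for t in sorted(tokens, key=len, reverse=True):
        s = s.replace(t, "")
    return s


def clean_dump(strings, extra_tokens=()):
    """Return the dump with tokens removed from every string and the
    stand-alone token entries themselves dropped."""
    tokens = infer_junk_tokens(strings) | set(extra_tokens)
    return [deobfuscate(s, tokens) for s in strings if s not in tokens]


def extract_iocs(strings):
    """C2 host:port, botnet tag and wallet-extension map from a cleaned dump.
    The extension name follows its ID in the dump, so pairs are positional."""
    iocs = {"c2": [], "botnet": [], "extensions": {}}
    for i, s in enumerate(strings):
        m = HOST_PORT.match(s)
        if m:
            iocs["c2"].append((m.group(1).lower(), int(m.group(2))))
        elif s.startswith("@"):
            iocs["botnet"].append(s)
        elif EXT_ID.match(s) and i + 1 < len(strings):
            iocs["extensions"][s] = strings[i + 1]
    return iocs


if __name__ == "__main__":
    cleaned = clean_dump(DUMP)
    for s in cleaned:
        print(s)
    print(extract_iocs(cleaned))
```

After cleaning, the paths read %USERPROFILE%\AppData\Local and \Roaming, the WMI namespace ROOT\SecurityCenter2 with the AntivirusProduct, AntiSpyWareProduct and FirewallProduct classes (the security-product enumeration the "SELECT * FROM" fragments belong to), and credit_cards, which is the browser autofill table the stealer targets. The inference is deliberately conservative (two occurrences, minimum length two) because single-character tokens collide with legitimate path separators and port digits; confirm those by hand and apply them only to the string they pad.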

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: Ookii.Dialogs.Wpf.dll
ZipUncompressedSize: 105472
ZipCompressedSize: 45202
ZipCRC: 0x1d58dbac
ZipModifyDate: 2021:12:19 09:40:56
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
Total processes: 62
Monitored processes: 11
Malicious processes: 5
Suspicious processes: 2

Behavior graph (interactive graph omitted): explorer.exe -> winrar.exe (archive opened); explorer.exe -> bltools v2.2.exe; bltools v2.2.exe -> wscript.exe, build.exe (#REDLINE) and a further bltools v2.2.exe instance

Process information

PID 2824: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BLTools v2.2 [CRACKED BY INJUAN].zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin; Company: Alexander Roshal; Description: WinRAR archiver; Version: 5.91.0
  Integrity level: MEDIUM; Exit code: 0
  Modules (images): c:\program files\winrar\winrar.exe, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\ntdll.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID 3720: "C:\Users\admin\Desktop\BLTools v2.2.exe"
  Path: C:\Users\admin\Desktop\BLTools v2.2.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the executable demands elevation, so this medium-integrity launch aborted after loading only ntdll; the HIGH-integrity instances below are the elevated relaunches)
  Modules (images): c:\users\admin\desktop\bltools v2.2.exe, c:\windows\system32\ntdll.dll

PID 1816: "C:\Users\admin\Desktop\BLTools v2.2.exe"
  Path: C:\Users\admin\Desktop\BLTools v2.2.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: HIGH; Exit code: 0
  Modules (images): c:\users\admin\desktop\bltools v2.2.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\shell32.dll

PID 2368: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\BLTools.system.vbs"
  Path: C:\Windows\System32\wscript.exe
  Parent process: BLTools v2.2.exe
  User: admin; Company: Microsoft Corporation; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
  Integrity level: HIGH
  Modules (images): c:\windows\system32\wscript.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID 2964: "C:\Users\admin\AppData\Local\Temp\build.exe"
  Path: C:\Users\admin\AppData\Local\Temp\build.exe
  Parent process: BLTools v2.2.exe
  User: admin; Description: (empty); Version: 0.0.0.0
  Integrity level: HIGH
  Modules (images): c:\users\admin\appdata\local\temp\build.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\mscoree.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\apppatch\acgenral.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll
  (mscoree.dll is the .NET runtime loader; the RedLine configuration extracted from this process is listed above)
PID 1204: "C:\Users\admin\AppData\Local\Temp\BLTools v2.2.exe"
  Path: C:\Users\admin\AppData\Local\Temp\BLTools v2.2.exe
  Parent process: BLTools v2.2.exe
  User: admin; Description: BLTools; Version: 2.2.0.0
  Integrity level: HIGH; Exit code: 3762504530 (0xE0434352, the exit code of a .NET process terminated by an unhandled CLR exception)
  Modules (images): c:\users\admin\appdata\local\temp\bltools v2.2.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\mscoree.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\apphelp.dll, c:\windows\apppatch\acgenral.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sspicli.dll

PID 3936: "C:\Users\admin\Desktop\BLTools v2.2.exe"
  Path: C:\Users\admin\Desktop\BLTools v2.2.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED, as for PID 3720)
  Modules (images): c:\users\admin\desktop\bltools v2.2.exe, c:\windows\system32\ntdll.dll

PID 3120: "C:\Users\admin\Desktop\BLTools v2.2.exe"
  Path: C:\Users\admin\Desktop\BLTools v2.2.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: HIGH; Exit code: 0
  Modules (images): c:\users\admin\desktop\bltools v2.2.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\shlwapi.dll

PID 3232: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\BLTools.system.vbs"
  Path: C:\Windows\System32\wscript.exe
  Parent process: BLTools v2.2.exe
  User: admin; Company: Microsoft Corporation; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
  Integrity level: HIGH; Exit code: 1
  Modules (images): c:\windows\system32\ntdll.dll, c:\windows\system32\wscript.exe, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID 188: "C:\Users\admin\AppData\Local\Temp\build.exe"
  Path: C:\Users\admin\AppData\Local\Temp\build.exe
  Parent process: BLTools v2.2.exe
  User: admin; Description: (empty); Version: 0.0.0.0
  Integrity level: HIGH
  Modules (images): c:\users\admin\appdata\local\temp\build.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\mscoree.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\apppatch\acgenral.dll, c:\windows\system32\sechost.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\rpcrt4.dll
Total events: 8 052
Read events: 7 836
Write events: 216
Delete events: 0

Modification events (all by PID 2824, WinRAR.exe; these are WinRAR's own UI-state and recent-archive writes, not sample behaviour)

(PID 2824) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write LanguageList: en-US
(PID 2824) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write 2: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID 2824) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write 1: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 2824) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write 0: C:\Users\admin\Desktop\phacker.zip
(PID 2824) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write name: 120
(PID 2824) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write size: 80
(PID 2824) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write type: 120
(PID 2824) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write mtime: 100
(PID 2824) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write Placement: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID 2824) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\General | write LastFolder: C:\Users\admin\Desktop
Executable files: 18
Suspicious files: 0
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1816 | BLTools v2.2.exe | C:\Users\admin\AppData\Local\Temp\BLTools.system.vbs | text
  MD5: 1D47083014CB1060DD1B0B48A41DDBB2
  SHA256: D8685C158551DB15F9D732CA7FA288AD4C9094EB0BE663789D20BA15B799C951
2824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2824.3015\BLTools v2.2.exe | executable
  MD5: C5F00AD1E40B07A62D44A6E03856249F
  SHA256: 35059D9250CE74D1048175F7ABEA89B0946B57050E51E24B52DD1891A69064F6
1816 | BLTools v2.2.exe | C:\Users\admin\AppData\Local\Temp\build.exe | executable
  MD5: B398A04CCDF336280B1F5ACD9C103053
  SHA256: B5EDAA5E18900C54E32BE21DDCBA01D97F830BBDA7C5679D9DE4F13ECAAC5B4A
2368 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BLTools.system.vbs | text
  MD5: 1D47083014CB1060DD1B0B48A41DDBB2
  SHA256: D8685C158551DB15F9D732CA7FA288AD4C9094EB0BE663789D20BA15B799C951
  (same hashes as the Temp copy dropped by PID 1816: the script, run by wscript.exe, copies itself into the per-user Startup folder, which is the persistence mechanism flagged above)
2824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2824.3015\BouncyCastle.Crypto.dll | executable
  MD5: 3CF6BF0E0A27F3665EDD6362D137E4CC
  SHA256: 1985B85BB44BE6C6EAF35E02EF11E23A890E809B8EC2E53210A4AD5A85B26C70
2824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2824.3015\AlphaFS.dll | executable
  MD5: F2F6F6798D306D6D7DF4267434B5C5F9
  SHA256: 837F2CEAB6BBD9BC4BF076F1CB90B3158191888C3055DD2B78A1E23F1C3AAFDD
2824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2824.3015\Settings.ini | text
  MD5: AC450A5117532D56F9C117F2F2825B26
  SHA256: AD09D32E5BB4968039A5BC0C365AFF05760DE27B6E20642514A419B4025C8AA8
2824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2824.3015\RandomUserAgent.dll | executable
  MD5: 839CD4CE1930EEE45F55F6259468D649
  SHA256: 53331BFF5E585C471FAD6789313A2A8A687A586CC0A8D006B24085B91ED7FC9A
2824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2824.3015\Extreme.Net.dll | executable
  MD5: F79F0E3A0361CAC000E2D3553753CD68
  SHA256: 8A6518AB7419FBEC3AC9875BAA3AFB410AD1398C7AA622A09CD9084EC6CADFCD
2824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2824.3015\Ookii.Dialogs.Wpf.dll | executable
  MD5: 932EBB3F9E7113071C6A17818342B7CC
  SHA256: 285AA8225732DDBCF211B1158BD6CFF8BF3ACBEEAB69617F4BE85862B7105AB5
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests: none

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
900 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious
(WerFault.exe is Windows Error Reporting; this is OS crash telemetry to Microsoft, the same domain the DNS table below lists as whitelisted, not traffic from the sample)

DNS requests

Domain | IP | Reputation
xiiiolympus.hopto.org | (no resolution recorded) | malicious
watson.microsoft.com | 104.208.16.93 | whitelisted

Threats

PID / Process: not attributed in the report
Class: Potentially Bad Traffic
Message: ET POLICY DNS Query to DynDNS Domain *.hopto .org
(fired on the lookup of xiiiolympus.hopto.org, the C2 host in the extracted RedLine configuration)
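Two of the behaviours in this report are cheap to detect outside a sandbox: a script host writing a runnable file into the Startup folder (the wscript.exe drop in the "Dropped files" table) and a process resolving a dynamic-DNS hostname (the hopto.org lookup the ET rule fires on). The following is an added example written for this page; it is not an ANY.RUN signature and not the ET rule. The event records are constructed to mirror the report's "Dropped files" and "DNS requests" tables (the PID on the DNS query is assumed, since the report does not attribute it); the field names, the dynamic-DNS suffix list and the severity labels are the author's choices. It also links a Startup write back to the earlier Temp drop with the same MD5, which is what makes the wscript.exe write read as "the script copied itself" rather than an unrelated file.

```python
"""Detection checks for Startup-folder persistence and dynamic-DNS lookups.

Added example for this page; not an ANY.RUN or Suricata rule. Events are
constructed from the report's tables; the DNS query's PID is assumed.
"""
import ntpath
from collections import namedtuple

FileWrite = namedtuple("FileWrite", "pid process path md5")
DnsQuery = namedtuple("DnsQuery", "pid process domain")
Alert = namedtuple("Alert", "severity rule pid process detail")

# Constructed events, modelled on the "Dropped files" and "DNS requests" tables.
EVENTS = [
    FileWrite(1816, "BLTools v2.2.exe",
              r"C:\Users\admin\AppData\Local\Temp\BLTools.system.vbs",
              "1D47083014CB1060DD1B0B48A41DDBB2"),
    FileWrite(2824, "WinRAR.exe",
              r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2824.3015\BLTools v2.2.exe",
              "C5F00AD1E40B07A62D44A6E03856249F"),
    FileWrite(1816, "BLTools v2.2.exe",
              r"C:\Users\admin\AppData\Local\Temp\build.exe",
              "B398A04CCDF336280B1F5ACD9C103053"),
    FileWrite(2368, "wscript.exe",
              r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BLTools.system.vbs",
              "1D47083014CB1060DD1B0B48A41DDBB2"),
    FileWrite(2824, "WinRAR.exe",
              r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2824.3015\Settings.ini",
              "AC450A5117532D56F9C117F2F2825B26"),
    DnsQuery(2964, "build.exe", "xiiiolympus.hopto.org"),   # PID assumed
    DnsQuery(900, "WerFault.exe", "watson.microsoft.com"),
]

# Per-user and all-users Startup folders (lower-cased, backslash-delimited).
STARTUP_DIRS = (
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\",
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
RUNNABLE_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd",
                ".ps1", ".exe", ".scr", ".lnk"}
# Dynamic-DNS providers commonly seen in C2 hostnames; extend from your telemetry.
DYNDNS_SUFFIXES = ("hopto.org", "zapto.org", "sytes.net", "ddns.net",
                   "no-ip.org", "no-ip.biz", "myftp.biz", "duckdns.org")


def is_startup_path(path):
    p = path.lower()
    return any(d in p for d in STARTUP_DIRS)


def dyndns_suffix(domain):
    """Return the matching dynamic-DNS suffix, or None. A bare apex such as
    'hopto.org' is not a host and does not match."""
    d = domain.lower().rstrip(".")
    return next((s for s in DYNDNS_SUFFIXES if d.endswith("." + s)), None)


def detect(events):
    alerts = []
    staged = {}   # md5 -> first runnable file written outside Startup
    for ev in events:
        if isinstance(ev, FileWrite):
            ext = ntpath.splitext(ev.path)[1].lower()
            if is_startup_path(ev.path):
                # Anything runnable landing in Startup is persistence; a script
                # host doing the writing, or a script extension, is high severity.
                sev = "high" if ev.process.lower() in SCRIPT_HOSTS or ext in RUNNABLE_EXT else "medium"
                detail = ev.path
                if ev.md5 in staged:
                    src = staged[ev.md5]
                    detail += f" is a copy of {src.path} staged by PID {src.pid} ({src.process})"
                alerts.append(Alert(sev, "startup_persistence", ev.pid, ev.process, detail))
            elif ext in RUNNABLE_EXT:
                staged.setdefault(ev.md5, ev)
        elif isinstance(ev, DnsQuery):
            suf = dyndns_suffix(ev.domain)
            if suf:
                alerts.append(Alert("medium", "dyndns_query", ev.pid, ev.process,
                                    f"{ev.domain} (dynamic-DNS suffix {suf})"))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.severity}] {a.rule} pid={a.pid} {a.process}: {a.detail}")
```

On the constructed events this yields exactly two alerts: a high-severity startup_persistence for PID 2368 (wscript.exe) that names the Temp original staged by PID 1816, and a medium dyndns_query for the hopto.org lookup; the WinRAR extraction, Settings.ini and the watson.microsoft.com lookup produce nothing. In production feed the same functions with Sysmon event ID 11 (FileCreate) and ID 22 (DNSEvent) records, or with the sandbox's own JSON export.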