analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | seturp.eexe |
| Full analysis: | https://app.any.run/tasks/f6f70ffb-f41d-43c4-8aca-29678b0f5c7a |
| Verdict: | Malicious activity |
| Threats: | RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. |
| Analysis date: | December 05, 2022, 17:15:51 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 7F1487FA907C5A79FCF65F427720F24F |
| SHA1: | 49FFE1A3095D039F3E7916AA7E6BF1CFD1B9031C |
| SHA256: | EF74EF280C190108E1673030DC74D358D88D75EB201D6F1CD5A07CF6AB255D58 |
| SSDEEP: | 393216:hxsX4B8eD3F+oI9KtC9fcfZLxsaZf4nT7cNGUNY9c7F:hGI9FQqfZLSPc3iK7F |
MALICIOUS
Writes to the Start menu file
- vbc.exe (PID: 2932)
REDLINE detected by memory dumps
- vbc.exe (PID: 4036)
SUSPICIOUS
Reads the Internet Settings
- seturp.eexe.exe (PID: 2812)
- vbc.exe (PID: 2932)
Application launched itself
- nig1r21312312.exe (PID: 1820)
INFO
Checks supported languages
- animecool.exe (PID: 3684)
- poxuipluspoxui.exe (PID: 3580)
- seturp.eexe.exe (PID: 2812)
- vbc.exe (PID: 4036)
- vbc.exe (PID: 2932)
- nig1r21312312.exe (PID: 1820)
- MisakaMikoto213213.exe (PID: 708)
- vbc.exe (PID: 2404)
- nig1r21312312.exe (PID: 2264)
Reads the computer name
- seturp.eexe.exe (PID: 2812)
- vbc.exe (PID: 4036)
- vbc.exe (PID: 2932)
- vbc.exe (PID: 2404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RedLine
(PID) Process(4036) vbc.exe
US (183)
LEnvironmentogiEnvironmentn DatEnvironmenta
Environment
WSystem.Texteb DatSystem.Texta
System.Text
CoCryptographyokieCryptographys
Cryptography
ExtGenericension CooGenerickies
Generic
OFileInfopeFileInfora GFileInfoX StabFileInfole
FileInfo
OpLinqera GLinqX
Linq
ApGenericpDaGenericta\RGenericoamiGenericng\
Network
Extension
UNKNOWN
cFileStreamredFileStreamit_cFileStreamardFileStreams
FileStream
\
Network\
Host
Port
:
User
Pass
cookies.sqlite
GetDirectories
Entity12
EnumerateDirectories
String.Replace
String.Remove
bcrFileStream.IOypt.dFileStream.IOll
FileStream.IO
BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder
string.Empty
BCruintyptCloseAlgorituinthmProvuintider
uint
BCrUnmanagedTypeyptDecrUnmanagedTypeypt
UnmanagedType
BCrhKeyyptDeshKeytroyKhKeyey
hKey
BCpszPropertyryptGepszPropertytPropepszPropertyrty
pszProperty
BCEncodingryptSEncodingetPrEncodingoperEncodingty
Encoding
BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey
bMasterKey
windows-1251
AES
Microsoft Primitive Provider
ChainingModeGCM
AuthTagLength
ChainingMode
ObjectLength
KeyDataBlob
-
{0}
net.tcp://
/
localhost
cf75908d75b4508135a38c8679c86f6e
Authorization
ns1
UNKNWON
BTsEVz8iJhgqGQ1cIww2eyErCUcFLlJb
5350206221
Hoofs
Yandex\YaAddon
asf
*wallet*
ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu...
_
T
e
l
gr
am
.
ex
\TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata
1
String
Replace
string.Replace
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl
serviceInterface.Extension
ProldCharotonVoldCharPN
oldChar
nSystem.CollectionspvoSystem.Collections*
System.Collections
(
UNIQUE
cstringmstringd
string
/ProcessC Process
Process
|
"
Armenia
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Moldova
Tajikistan
Uzbekistan
Ukraine
Russia
https://api.ip.sb/ip
80
81
0.0.0.0
SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor
System.Windows.Forms
roSystem.Linqot\CISystem.LinqMV2
System.Linq
SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller
AdapterRAM
Name
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente
System.Management
SerialNumber
SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId='
System.Text.RegularExpressions
'
FileSystem
SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId='
System.
ExecutablePath
[
]
Concat0 MConcatb oConcatr Concat0
Concat
SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem
Memory
{0}{1}{2}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
Unknown
_[
The entered value cannot be less than 1 or greater than 20.
#F25D59
Segoe UI
#FFFFFF
#323A3D
Tahoma
#696969
#A0A0A0
−
Marlett
2
#C75050
⨉
#72767F
#FAFAFA
#DE5954
#F46662
#F68F84
#292C3D
#3C3F50
#747881
#2B3043
#7F838C
#AAABB0
Microsoft Sans Serif
Auth_valuecf75908d75b4508135a38c8679c86f6e
Err_msg
Botnet5350206221
C2 (1)195.20.17.174:80
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 2022-Mar-03 13:15:57 |
| Detected languages: |
|
| Debug artifacts: |
|
DOS Header
| e_magic: | MZ |
|---|---|
| e_cblp: | 144 |
| e_cp: | 3 |
| e_crlc: | - |
| e_cparhdr: | 4 |
| e_minalloc: | - |
| e_maxalloc: | 65535 |
| e_ss: | - |
| e_sp: | 184 |
| e_csum: | - |
| e_ip: | - |
| e_cs: | - |
| e_ovno: | - |
| e_oemid: | - |
| e_oeminfo: | - |
| e_lfanew: | 272 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| NumberofSections: | 6 |
| TimeDateStamp: | 2022-Mar-03 13:15:57 |
| PointerToSymbolTable: | - |
| NumberOfSymbols: | - |
| SizeOfOptionalHeader: | 224 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 4096 | 203740 | 203776 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.71296 |
.rdata | 208896 | 44736 | 45056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.26161 |
.data | 253952 | 149280 | 4096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.38746 |
.didat | 405504 | 400 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.33273 |
.rsrc | 409600 | 21003 | 21504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.25259 |
.reloc | 434176 | 9020 | 9216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.62301 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 4.27817 | 2216 | UNKNOWN | English - United States | RT_ICON |
7 | 3.1586 | 482 | UNKNOWN | English - United States | RT_STRING |
8 | 3.11685 | 460 | UNKNOWN | English - United States | RT_STRING |
9 | 3.11236 | 440 | UNKNOWN | English - United States | RT_STRING |
10 | 2.99727 | 326 | UNKNOWN | English - United States | RT_STRING |
11 | 3.21979 | 1132 | UNKNOWN | English - United States | RT_STRING |
12 | 3.12889 | 358 | UNKNOWN | English - United States | RT_STRING |
13 | 3.01704 | 338 | UNKNOWN | English - United States | RT_STRING |
14 | 2.94627 | 266 | UNKNOWN | English - United States | RT_STRING |
15 | 2.83619 | 188 | UNKNOWN | English - United States | RT_STRING |
Imports
KERNEL32.dll |
OLEAUT32.dll |
USER32.dll (delay-loaded) |
gdiplus.dll |
Total processes
49
Monitored processes
11
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2812 | "C:\Users\admin\Desktop\seturp.eexe.exe" | C:\Users\admin\Desktop\seturp.eexe.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3684 | "C:\Users\admin\AppData\Local\Temp\animecool.exe" /animecool.exe | C:\Users\admin\AppData\Local\Temp\animecool.exe | — | seturp.eexe.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3580 | "C:\Users\admin\AppData\Local\Temp\poxuipluspoxui.exe" /poxuipluspoxui.exe | C:\Users\admin\AppData\Local\Temp\poxuipluspoxui.exe | — | seturp.eexe.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2932 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | poxuipluspoxui.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 12.0.51209.34209 Modules
| |||||||||||||||
| 4036 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | animecool.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Version: 12.0.51209.34209 Modules
RedLine(PID) Process(4036) vbc.exe US (183) LEnvironmentogiEnvironmentn DatEnvironmenta Environment WSystem.Texteb DatSystem.Texta System.Text CoCryptographyokieCryptographys Cryptography ExtGenericension CooGenerickies Generic OFileInfopeFileInfora GFileInfoX StabFileInfole FileInfo OpLinqera GLinqX Linq ApGenericpDaGenericta\RGenericoamiGenericng\ Network Extension UNKNOWN cFileStreamredFileStreamit_cFileStreamardFileStreams FileStream \ Network\ Host Port : User Pass cookies.sqlite GetDirectories Entity12 EnumerateDirectories String.Replace String.Remove bcrFileStream.IOypt.dFileStream.IOll FileStream.IO BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder string.Empty BCruintyptCloseAlgorituinthmProvuintider uint BCrUnmanagedTypeyptDecrUnmanagedTypeypt UnmanagedType BCrhKeyyptDeshKeytroyKhKeyey hKey BCpszPropertyryptGepszPropertytPropepszPropertyrty pszProperty BCEncodingryptSEncodingetPrEncodingoperEncodingty Encoding BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey bMasterKey windows-1251 AES Microsoft Primitive Provider ChainingModeGCM AuthTagLength ChainingMode ObjectLength KeyDataBlob - {0} net.tcp:// / localhost cf75908d75b4508135a38c8679c86f6e Authorization ns1 UNKNWON BTsEVz8iJhgqGQ1cIww2eyErCUcFLlJb 5350206221 Hoofs Yandex\YaAddon asf *wallet* ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu... _ T e l gr am . ex \TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata 1 String Replace string.Replace %USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng File.Write Handler npvo* %USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl serviceInterface.Extension ProldCharotonVoldCharPN oldChar nSystem.CollectionspvoSystem.Collections* System.Collections ( UNIQUE cstringmstringd string /ProcessC Process Process | " Armenia Azerbaijan Belarus Kazakhstan Kyrgyzstan Moldova Tajikistan Uzbekistan Ukraine Russia https://api.ip.sb/ip 80 81 0.0.0.0 SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor System.Windows.Forms roSystem.Linqot\CISystem.LinqMV2 System.Linq SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller AdapterRAM Name SOFTWARE\WOW6432Node\Clients\StartMenuInternet SOFTWARE\Clients\StartMenuInternet shell\open\command Unknown Version SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente System.Management SerialNumber SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId=' System.Text.RegularExpressions ' FileSystem SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId=' System. ExecutablePath [ ] Concat0 MConcatb oConcatr Concat0 Concat SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem Memory {0}{1}{2} x32 x64 x86 SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName CSDVersion Unknown _[ The entered value cannot be less than 1 or greater than 20. #F25D59 Segoe UI #FFFFFF #323A3D Tahoma #696969 #A0A0A0 − Marlett 2 #C75050 ⨉ #72767F #FAFAFA #DE5954 #F46662 #F68F84 #292C3D #3C3F50 #747881 #2B3043 #7F838C #AAABB0 Microsoft Sans Serif Auth_valuecf75908d75b4508135a38c8679c86f6e Err_msg Botnet5350206221 C2 (1)195.20.17.174:80 | |||||||||||||||
| 2688 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" " | C:\Windows\system32\cmd.exe | — | vbc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1820 | nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat | C:\Users\admin\AppData\Local\Temp\nig1r21312312.exe | — | cmd.exe | |||||||||||
User: admin Company: NirSoft Integrity Level: MEDIUM Description: NirCmd Exit code: 0 Version: 2.86 Modules
| |||||||||||||||
| 2264 | nig1r21312312.exe exec hide cock123123444.bat | C:\Users\admin\AppData\Local\Temp\nig1r21312312.exe | — | nig1r21312312.exe | |||||||||||
User: admin Company: NirSoft Integrity Level: MEDIUM Description: NirCmd Exit code: 0 Version: 2.86 Modules
| |||||||||||||||
| 3128 | C:\Windows\system32\cmd.exe /c cock123123444.bat | C:\Windows\system32\cmd.exe | — | nig1r21312312.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 708 | MisakaMikoto213213.exe | C:\Users\admin\AppData\Local\Temp\MisakaMikoto213213.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
1 723
Read events
1 707
Write events
16
Delete events
0
Modification events
| (PID) Process: | (2812) seturp.eexe.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2812) seturp.eexe.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2812) seturp.eexe.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2812) seturp.eexe.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2932) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2932) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2932) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2932) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
0
Suspicious files
0
Text files
2
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2812 | seturp.eexe.exe | C:\Users\admin\AppData\Local\Temp\nig1r21312312.exe | — | |
MD5:— | SHA256:— | |||
| 2812 | seturp.eexe.exe | C:\Users\admin\AppData\Local\Temp\poxuipluspoxui.exe | — | |
MD5:— | SHA256:— | |||
| 2812 | seturp.eexe.exe | C:\Users\admin\AppData\Local\Temp\animecool.exe | — | |
MD5:— | SHA256:— | |||
| 2812 | seturp.eexe.exe | C:\Users\admin\AppData\Local\Temp\cockcreator.exe | — | |
MD5:— | SHA256:— | |||
| 2812 | seturp.eexe.exe | C:\Users\admin\AppData\Local\Temp\MisakaMikoto213213.exe | — | |
MD5:— | SHA256:— | |||
| 2932 | vbc.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poxuipluspoxui.exe | — | |
MD5:— | SHA256:— | |||
| 2404 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp9868.tmp.dat | sqlite | |
MD5:8BB736AB1E4300EF81B27CDBF26D78B0 | SHA256:7059AEA2275152A5390580485A2180143879F721C88A4CB0D7702A832751A952 | |||
| 2812 | seturp.eexe.exe | C:\Users\admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat | text | |
MD5:1DA7FAC267BC777990BE9CFE816DABAD | SHA256:1C2EAC4863B51371C56606C5D6FA449C863920DD1D60184E1DC43B2DDC72D5E7 | |||
| 2812 | seturp.eexe.exe | C:\Users\admin\AppData\Local\Temp\cock123123444.bat | text | |
MD5:2A48B826A710B2C47581FBCFEF047333 | SHA256:B9DFBD3E668EA3099A88D65D8D3A6DC03396CECA1A0E4535EF4F23A597727744 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4036 | vbc.exe | 195.20.17.174:80 | — | — | — | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dns.msftncsi.com |
| shared |