Windows Analysis Report 2GEg45PlG9.exe
Overview
General Information
Detection
Ursnif
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Found malware configuration
Sigma detected: Powershell run code from registry
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Classification
Process Tree

Malware Configuration

Threatname: Ursnif

```json
{
  "RSA Public Key": "sruyfTpftU2mx06r6blBkffb54Jg6s7PO470disk6lub1geflsFwdqaQ00vNluRgXne/mvA0mo65LBIwlfHHaSlnGkAcdUa0LDUQI3JL8PJCTVXLqdTc14S+YvdwRhmVNIF3OG0ZAH9LaiKMhchX+hr/6XCcoRJbTazb/h3IFhcYIyrtRQbFDmQB42uVxLqD",
  "c2_domain": ["yahoo.com", "doreuneruy.store", "qorunegolu.club", "https://doreuneruy.store", "https://qorunegolu.club"],
  "botnet": "4483",
  "server": "12",
  "serpent_key": "10291029JSJUYNHG",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "dga_base_url": "constitution.org/usdeclar.txt",
  "dga_tld": "com ru org",
  "DGA_count": "10"
}
```
Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |

59 entries in total.

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |

3 entries in total.
Sigma Overview

System Summary:
Sigma detected: Encoded IEX | Author: Florian Roth
Sigma detected: MSHTA Spawning Windows Shell | Author: Michael Haag
Sigma detected: Mshta Spawning Windows Shell | Author: Florian Roth
Sigma detected: Suspicious Csc.exe Source File Folder | Author: Florian Roth
Sigma detected: Suspicious Rundll32 Activity | Author: juju4, Jonhnathan Ribeiro, oscd.community
Sigma detected: Non Interactive PowerShell | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Sigma detected: T1086 PowerShell Execution | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Data Obfuscation:
Sigma detected: Powershell run code from registry | Author: Joe Security
Jbx Signature Overview
AV Detection:
Found malware configuration | Source: Malware Configuration Extractor
Multi AV Scanner detection for submitted file | Source: ReversingLabs
Machine Learning detection for sample | Source: Joe Sandbox ML
Source: Avira (3 entries)
Compliance:
Detected unpacking (overwrites its own PE header)
Source: Unpacked PE file
Source: Static PE information
Source: File opened
Source: HTTPS traffic detected (7 entries)
Source: Binary string (4 entries)
Source: Code function: 1_2_0078CBE3
Source: Code function: 1_2_0078E9AC, 1_2_0079999E, 1_2_0079A2FE, 44_2_0091999E, 44_2_0090E9AC, 44_2_0091A2FE
Networking:
System process connects to network (likely due to code injection or exploit)
Source: Domain query (4 entries)
Uses nslookup.exe to query domains
Source: Process created (2 entries)
May check the online IP address of the machine
Source: DNS query (2 entries)
Uses ping.exe to check the status of other devices and networks
Source: Process created
Source: JA3 fingerprint (2 entries)
Source: HTTP traffic detected (10 entries)
Source: ASN Name
Source: IP Address
Source: String found in binary or memory (33 entries)
Source: DNS traffic detected
Source: Code function: 1_2_020D5988
Source: HTTP traffic detected (10 entries)
Source: Network traffic detected (20 entries)
Source: HTTP traffic detected (2 entries)
Source: String found in binary or memory (21 entries)
Source: HTTPS traffic detected (7 entries)
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Yara detected Ursnif
Source: File source (72 entries)
E-Banking Fraud:
Yara detected Ursnif
Source: File source (72 entries)
Disables SPDY (HTTP compression, likely to perform web injects)
Source: Registry key value created / modified
System Summary:
Writes or reads registry keys via WMI
Source: WMI Queries (11 entries)
Writes registry values via WMI
Source: WMI Registry write (8 entries)
Source: Code function:
1_2_020D836E, 1_2_020D7FBE, 1_2_020DAFC0, 1_2_0079B006, 1_2_007913FA, 1_2_007A2D8C,
21_2_00BE59E4, 21_2_00BE7548, 21_2_00BCC3E4, 21_2_00BC9098, 21_2_00BC5420, 21_2_00BD4818, 21_2_00BDC400, 21_2_00BC847C, 21_2_00BE0468, 21_2_00BE8448, 21_2_00BD1C44, 21_2_00BC29B0, 21_2_00BE91B0, 21_2_00BC65A8, 21_2_00BDB1D0, 21_2_00BD0DC8, 21_2_00BDCDC4, 21_2_00BD993C, 21_2_00BD8974, 21_2_00BE3D68, 21_2_00BCAAB4, 21_2_00BD5AB4, 21_2_00BE9AA8, 21_2_00BD2A90, 21_2_00BDDEE8, 21_2_00BD52D0, 21_2_00BC1638, 21_2_00BC5A1C, 21_2_00BD220C, 21_2_00BD77A0, 21_2_00BCCFF8, 21_2_00BC9FC4, 21_2_00BE137C, 21_2_00BC3764, 21_2_00BE1B4C,
31_2_0000023D836459E4, 31_2_0000023D83647548, 31_2_0000023D8363220C, 31_2_0000023D83625A1C, 31_2_0000023D8363CDC4, 31_2_0000023D83630DC8, 31_2_0000023D8363B1D0, 31_2_0000023D836265A8, 31_2_0000023D836229B0, 31_2_0000023D836491B0, 31_2_0000023D83632A90, 31_2_0000023D83621638, 31_2_0000023D83643D68, 31_2_0000023D83638974, 31_2_0000023D8363993C, 31_2_0000023D8363C400, 31_2_0000023D83634818, 31_2_0000023D8362C3E4, 31_2_0000023D8362CFF8, 31_2_0000023D83629FC4, 31_2_0000023D836377A0, 31_2_0000023D83629098, 31_2_0000023D83640468, 31_2_0000023D8362847C, 31_2_0000023D83631C44, 31_2_0000023D83648448, 31_2_0000023D83625420, 31_2_0000023D8363DEE8, 31_2_0000023D836352D0, 31_2_0000023D83649AA8, 31_2_0000023D83635AB4, 31_2_0000023D8362AAB4, 31_2_0000023D83623764, 31_2_0000023D8364137C, 31_2_0000023D83641B4C, 31_2_0000023D8365B5A4,
44_2_0091B006, 44_2_009113FA, 44_2_00922D8C
Source: Code function: 1_2_007960AD
Source: Key opened
Source: Static PE information (2 entries)
Source: Static PE information
Source: Code function:
1_2_00401703, 1_2_00401C90, 1_2_004019A0, 1_2_020D9A0F, 1_2_020D9E79, 1_2_020D5CD1, 1_2_020DB1E5, 1_2_00591BF0, 1_2_00795021, 1_2_00790179, 1_2_0078B156, 1_2_007941CB, 1_2_007992D7, 1_2_00790BF5, 1_2_007944DF, 1_2_007A051D, 1_2_0078EED0, 1_2_0078E683, 1_2_0079C779, 1_2_007907E8, 1_2_0079C864, 1_2_007A017E, 1_2_00782357, 1_2_0078B347, 1_2_0079FBD1, 1_2_00790465, 1_2_0078840D, 1_2_00796C90, 1_2_0078A63D,
21_2_00BDB080, 21_2_00BE70F8, 21_2_00BD74E0, 21_2_00BD8078, 21_2_00BD8844, 21_2_00BD3104, 21_2_00BCB964, 21_2_00BDB164, 21_2_00BE4200, 21_2_00BCC3E4, 21_2_00BFB029,
31_2_0000023D83644200, 31_2_0000023D8363B164, 31_2_0000023D8365B00B,
44_2_00915021, 44_2_00910BF5, 44_2_0092051D, 44_2_009107E8, 44_2_0091C864, 44_2_0092017E, 44_2_0091FBD1, 44_2_0090B347, 44_2_0090A63D
Source: Binary or memory string
Source: Static PE information
Source: Static PE information
Source: File created
Source: Classification label
Source: File read
Source: ReversingLabs
Source: Key opened
Source: Process created (33 entries)
Source: Key value queried
Source: File created
Source: Section loaded (7 entries)
Source: Code function: 1_2_020D8F1B
Source: Process created
Source: Mutant created (10 entries)
Source: File read (5 entries)
Source: Key opened
Source: File opened
Source: Window detected
Source: File opened
Source: Key opened
Source: File opened
Source: Static PE information
Source: Binary string (4 entries)
Data Obfuscation:
Detected unpacking (overwrites its own PE header)
Source: Unpacked PE file
Detected unpacking (changes PE section rights)
Source: Unpacked PE file
Suspicious powershell command line found
Source: Process created (2 entries)
Source: Code function: 1_2_020DAC09, 1_2_020DE630, 1_2_020DE9B1, 1_2_020DAFBF, 1_2_007A2899, 1_2_007A2D8B, 1_2_0079FECE, 44_2_00922899, 44_2_00922D8B, 44_2_0091FECE
Source: Code function: 1_2_00401264
Source: Process created (4 entries)
Source: Static PE information
Source: File created, dropped file (2 entries)
Hooking and other Techniques for Hiding and Protection:
Yara detected Ursnif
Source: File source (72 entries)
Hooks registry keys query functions (used to hide registry keys)
Source: IAT, EAT, inline or SSDT hook detected
Self deletion via cmd delete
Source: Process created (2 entries)
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: IAT of a user mode module has changed
Modifies the prolog of user mode functions (user mode inline hooks)
Source: User mode code has changed
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: EAT of a user mode module has changed
Source: Process information set (57 entries)
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Uses ping.exe to sleep |
Source: | Process created: |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | Last function: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Dropped PE file which has not been started: |
Source: | Thread delayed: |
Source: | Code function: | 1_2_0078CBE3 |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: | 1_2_0078E9AC |
Source: | Code function: | 1_2_0079999E |
Source: | Code function: | 1_2_0079A2FE |
Source: | Code function: | 44_2_0091999E |
Source: | Code function: | 44_2_0090E9AC |
Source: | Code function: | 44_2_0091A2FE |
Source: | Code function: | 1_2_00401264 |
Source: | Code function: | 1_2_0059092B |
Source: | Code function: | 1_2_00590D90 |
Source: | Code function: | 1_2_00790A0E |
Source: | Code function: | 44_2_00910A0E |
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Domain query: |
Maps a DLL or memory area into another process |
Source: | Section loaded: |
Allocates memory in foreign processes |
Source: | Memory allocated: |
Creates a thread in another existing process (thread injection) |
Source: | Thread created: |
Writes to foreign memory regions |
Source: | Memory written: |
Changes memory attributes in foreign processes to executable or writable |
Source: | Memory protected: |
Injects code into the Windows Explorer (explorer.exe) |
Source: | Memory written: |
Modifies the context of a thread in another process (thread injection) |
Source: | Thread register set: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Source: | Code function: | 1_2_020D7A2E |
Source: | Key value queried: |
Source: | Code function: | 1_2_00401E22 |
Source: | Code function: | 1_2_020D7A2E |
Source: | Code function: | 1_2_0079DF1C |
Source: | Code function: | 1_2_00401752 |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: | File source: |
Tries to steal Mail credentials (via file / registry access) |
Source: | Key opened: |
Tries to harvest and steal browser information (history, passwords, etc) |
Source: | File opened: |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts (1) | Windows Management Instrumentation (2) | Valid Accounts (1) | Valid Accounts (1) | Obfuscated Files or Information (2) | OS Credential Dumping (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (4) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Access Token Manipulation (1) | Software Packing (23) | Credential API Hooking (3) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Exfiltration Over Bluetooth | Encrypted Channel (11) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Command and Scripting Interpreter (1) | Logon Script (Windows) | Process Injection (813) | File Deletion (1) | Security Account Manager | File and Directory Discovery (3) | SMB/Windows Admin Shares | Email Collection (11) | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | PowerShell (1) | Logon Script (Mac) | Logon Script (Mac) | Rootkit (4) | NTDS | System Information Discovery (26) | Distributed Component Object Model | Credential API Hooking (3) | Scheduled Transfer | Application Layer Protocol (14) | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading (1) | LSA Secrets | Security Software Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (21) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation (1) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (21) | Proc Filesystem | Application Window Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection (813) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 (1) | Network Sniffing | Remote System Discovery (11) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | | |
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Network Configuration Discovery (3) | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | | |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 53% | ReversingLabs | Win32.Trojan.Lockbit |
| 100% | Joe Sandbox ML | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 100% | Avira | TR/Patched.Ren.Gen |
| 100% | Avira | HEUR/AGEN.1108168 |
| 100% | Avira | TR/Crypt.XPACK.Gen7 |
| 100% | Avira | TR/Patched.Ren.Gen |
| 100% | Avira | TR/Crypt.XPACK.Gen |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 0% | Avira URL Cloud | safe |
| 0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Reputation |
---|---|---|---|---|
new-fp-shed.wg1.b.yahoo.com | 87.248.100.215 | true | false | high |
myip.opendns.com | 84.17.52.63 | true | false | high |
lycos.com | 209.202.254.90 | true | false | high |
resolver1.opendns.com | 208.67.222.222 | true | false | high |
doreuneruy.store | 89.45.4.117 | true | true | unknown |
ds-ats.member.g02.yahoodns.net | 212.82.100.140 | true | false | unknown |
yahoo.com | 98.137.11.164 | true | false | high |
edge.gycpi.b.yahoodns.net | 87.248.118.23 | true | false | unknown |
www.lycos.com | 209.202.254.90 | true | false | high |
www.yahoo.com | unknown | unknown | false | high |
mail.yahoo.com | unknown | unknown | false | high |
222.222.67.208.in-addr.arpa | unknown | unknown | true | unknown |
login.yahoo.com | unknown | unknown | false | high |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| false | | high |
| false | | unknown |
| false | | high |
| false | | high |
| false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | low |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | true | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
209.202.254.90 | lycos.com | United States | 6354 | LYCOSUS | false |
89.45.4.117 | doreuneruy.store | Romania | 9009 | M247GB | true |
87.248.118.23 | edge.gycpi.b.yahoodns.net | United Kingdom | 203220 | YAHOO-DEBDE | false |
87.248.100.215 | new-fp-shed.wg1.b.yahoo.com | United Kingdom | 34010 | YAHOO-IRDGB | false |
98.137.11.164 | yahoo.com | United States | 36647 | YAHOO-GQ1US | false |
212.82.100.140 | ds-ats.member.g02.yahoodns.net | United Kingdom | 34010 | YAHOO-IRDGB | false |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 528165 |
Start date: | 24.11.2021 |
Start time: | 20:19:07 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 14m 27s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | 2GEg45PlG9.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 40 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 6 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.bank.troj.spyw.evad.winEXE@33/22@11/6 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
20:21:08 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Detection |
---|---|
209.202.254.90 | malicious |
87.248.118.23 | malicious |
Domains |
---|
Match | Detection |
---|---|
new-fp-shed.wg1.b.yahoo.com | malicious |
ASN |
---|
Match | Detection |
---|---|
YAHOO-DEBDE | malicious |
M247GB | malicious |
LYCOSUS | malicious |
JA3 Fingerprints |
---|
Match | Detection |
---|---|
57f3642b4e37e28f5cbe3020c9331b4c | malicious |
37f463bf4616ecd445d4a1937da06e19 | malicious |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11606 |
Entropy (8bit): | 4.883977562702998 |
Encrypted: | false |
SSDEEP: | 192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr |
MD5: | 1F1446CE05A385817C3EF20CBD8B6E6A |
SHA1: | 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D |
SHA-256: | 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE |
SHA-512: | 252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 0.9260988789684415 |
Encrypted: | false |
SSDEEP: | 3:Nlllulb/lj:NllUb/l |
MD5: | 13AF6BE1CB30E2FB779EA728EE0A6D67 |
SHA1: | F33581AC2C60B1F02C978D14DC220DCE57CC9562 |
SHA-256: | 168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F |
SHA-512: | 1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 117 |
Entropy (8bit): | 4.51228797597229 |
Encrypted: | false |
SSDEEP: | 3:cPaRhARtt7TSjjhThARtnJI1/v:oMWbtChWbng/v |
MD5: | A45E1F430E5F27F3800271EA643136A0 |
SHA1: | 26F5310FA0B49B1568413BC590BE8B974EC12987 |
SHA-256: | E459FD7C19DE215CD06D71D6D4449C402DC4058A3A7FCF752B77C291655CC8F9 |
SHA-512: | BA6B86ED4B359E4EF3412E00DB274201D93F5B22B91AD02DFE0894D0C2CAD15032F8F92630DD20A4E0C995E9C87E79555FD0F9CD56722220F56A336946F2CEC2 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.101388776293656 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryDak7YnqqvPN5Dlq5J:+RI+ycuZhNRakSvPNnqX |
MD5: | 3A0EA2E920DE7A5CE448CE73F92B665B |
SHA1: | EC518278A5DCF4FBA10BDD5A43CB59239B101ABE |
SHA-256: | 606547161CA048F4C7BC7D28A9037D7BE5F959B9C0341A3ABEC5E82A7A174587 |
SHA-512: | 253D243364E5308C33C6AE8C942A6F678317D921B816E38BED72E46EFCBA8B68A682AFD4DB0AFAF04CDEC34EA1E65D8F268A84A896E7EF59BE7F2FEC7346BD15 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.119907233227931 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grydhClYak7Ynqq2hClNPN5Dlq5J:+RI+ycuZhNUGakSFXPNnqX |
MD5: | 7C1DDCFC43D98C735E049F63177EC03C |
SHA1: | 3FA576484B572061D1636B91963476AF8473C49E |
SHA-256: | C96FF25CB1247C5D124CE3B66694C69175BDE97B663EE1617DA94C23CE189CAD |
SHA-512: | 5D86D02F3499FECA0AD5ED90B6C795E67DC51DB423E7DD1BDF44F247166AD97D7812A1CD011E8C68AA1FB9E71BA5782C5D9F9B758646955DAB8B151288CBE3BF |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1320 |
Entropy (8bit): | 3.977326786462311 |
Encrypted: | false |
SSDEEP: | 24:HKnW9ryhHGIQhKdNWI+ycuZhNRakSvPNnq9hgd:cWWaKd41ulRa3tq9y |
MD5: | 3715824683820FB38604EDB8FF2CB6FB |
SHA1: | D9884D8A3BEF79628C6087CC7D0A44D9829DCC5B |
SHA-256: | 57779A1959800275B24763199A1F048CAED7DF453F5B9E37BB20855F2E947D45 |
SHA-512: | 2C41C664B78BEB7C97D743782B2BE1EA55EA42CF31A28A478147EE952287E275999F6618037B6CA9E13D3318D5202C19F62FC5BFEF7D4FA69FF6538C45710D5A |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1320 |
Entropy (8bit): | 3.9748392387392317 |
Encrypted: | false |
SSDEEP: | 24:HMnW9rOBShHVhKdNWI+ycuZhNUGakSFXPNnq9hgd:KWO0jKd41ulUGa3FFq9y |
MD5: | 8095DB52FB6B6972A976FA542A1137C8 |
SHA1: | B4714AF78A03A5264A9D4312899F8739E8215E67 |
SHA-256: | 2D1AEA37D93934C10F2F9886128CDAE99C2866CED39A3988D7EFAB4D726A9037 |
SHA-512: | 3D484E17F8B417A574BB69B4A4F5EB28CB0D0C5389BFC9DD307C0976C8CC8878A4B4FFC6110C64E854AA53085405C99EF51F51F857BA734CDFCAB5AD049D6202 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 414 |
Entropy (8bit): | 5.012387590489786 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJc0H/VMRSR7a1gPc9OopxkSRa+rVSSRnA/fFOlN218zPQy:V/DTLDfuPH/ly/xv9rV5nA/NwSQQy |
MD5: | E458C9B10EE5485711E8601EC2A9F7E7 |
SHA1: | 52EBD94DA80BD5538C113C1A73BA0F773B3207F4 |
SHA-256: | 10D6C8D84A31080F063B2FF734D3EC20DA046B698298723676C722C80D932683 |
SHA-512: | 98F83BF02C6E41CDB284BC764B9F31231BA7936A086679333D8AA8A459448BCAE8A77765E3709EBB493FF274BF55F01282FB0EDA20391FC943E4BC0F184CF0E9 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 351 |
Entropy (8bit): | 5.254648969245037 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fVzxs7+AEszIWXp+N23fQn:p37Lvkmb6KHdWZE84n |
MD5: | 408B6601D6173A8D9D40DC8FEFCE7CC4 |
SHA1: | D27260892EDEC5D1A862625341A7FD2E34388A96 |
SHA-256: | 28B21F38813BECBEBB681E4968A382DD77CFF2849E55DF091EDE3F38D8E8F691 |
SHA-512: | 354629BCC27139CC87C0D5829EADA618A343CEF63813A450A35DE065F188E65C3B77E83E2A75371C4294B488883C42504B669AC356C9A5E4F148DC96CD45C950 |
Malicious: | true |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.629221221598805 |
Encrypted: | false |
SSDEEP: | 24:etGSL8+mUE7R85lwCk3tQJ3pS3864OFtkZfbP13DZ0WI+ycuZhNRakSvPNnq:6JXE7S5lwhLjwJbP1TZX1ulRa3tq |
MD5: | 69A3822C0C57D3B283E996B4046B5548 |
SHA1: | 77025C6A5E648F962A0FF619644C8B2749691B34 |
SHA-256: | 82E05F33E632AE41D4B49643538B50842F268ADF2C707A78BC2431EFF13FE322 |
SHA-512: | AD064F68EB45F651472A478262017C78F195EC172796A08E8E3552FC8735A899266907448DEE0791664FB7AAE795D299E5BBDC21B27687AEAA87FAFFF9EFE3BA |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 848 |
Entropy (8bit): | 5.328244784531375 |
Encrypted: | false |
SSDEEP: | 12:xKIR37Lvkmb6KHdWZE84uKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHyE8tKaM5DqBVKVrdFAMBJTH |
MD5: | 448FEE98ACAF0CE93149FBA934428789 |
SHA1: | EA0B61B6D33C3CD81C0D0A5647859422C0E65D90 |
SHA-256: | 6C49261A321A320554A52B8A0E39CB0754A51B7C94D374A82FC3F506ABEA10A7 |
SHA-512: | A2FF0F51401DADD02B30DDEA63012F215750A4A851A3623522373600CA1D3AA3CC2EC7B85FBEF8A82AFFC69C1058CF7588D10BE58DC6F009FC1EF5CD7EC59029 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 426 |
Entropy (8bit): | 5.033139906052158 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJ3eIVMRSRa+eNMjSSRrtXuSRHq1zyaRMseeBVtEvwy:V/DTLDfuRXl9eg5rtVuzyleBKwy |
MD5: | 4D67B4EE9B0124EA3067CCCC7F44B80F |
SHA1: | 2FE1AFC564476F305A0E2D3F57FC067E3C08E594 |
SHA-256: | 5F263A0DD8E22A4DE11BC5870D10AE9B8D6DFD3CF5CBE915ACE34F747E88C225 |
SHA-512: | 6CA77C9F0D56A036715ABD769E54236F66E7F8FE25CA1B3979DA81976E25AE7B655781A4D141B5C87CFBD5195BB2DC71D1B9D15B875C244FE8EEBDA72624E137 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 351 |
Entropy (8bit): | 5.2763274655395485 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fzp6L/+zxs7+AEszIWXp+N23fzp6P:p37Lvkmb6KHW/+WZE8WV9 |
MD5: | EF1BC153AA2FD8FBB2119B8E0F985045 |
SHA1: | 578D08BA6BFD54ADCC78C2F65D12F96DBD7F8781 |
SHA-256: | E8503F7C93444FCB77FE77D15064D7CDF6698979E04B596D9134E8851C3EDDC8 |
SHA-512: | 2ECDB85CA9F68C5DDECB9323D41B5B91EE902DBF8FB40D1F5BC0E6D51363877A340F6AABB371F2E3D980F814B96B5CDF03DF027C553784194AE13A62B5DFD787 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.6664247492462287 |
Encrypted: | false |
SSDEEP: | 48:6ZYSMTBdlX4tJ/KDWjwJDZl1ulUGa3FFq:dSYBdl4tJ/KqjV+GKF |
MD5: | 1D937208FB47745163AEE505285D3E36 |
SHA1: | EC90BF5F1CBC0A16BAB37A7B6772B9B50138272C |
SHA-256: | F83FD4448E42C78A624C3BA1ABE58C939073A40E99C62C04D1DC833FBCAB6A5F |
SHA-512: | 65077EDBB6869A37666579CE5A6FCB4EE9C5454BE369EBFFECF305D29D8D6BA1730457A00BB2D8C50B1BA163A52E76BD4B93BF1EE75F53141E5606C15D1A60EC |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 848 |
Entropy (8bit): | 5.329836798741789 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6KHW//E8WaKaM5DqBVKVrdFAMBJTH:Akka6AW//E8WaKxDcVKdBJj |
MD5: | 39316B3D4424D3204034D2BC7E5FAA4A |
SHA1: | AD031B58F38F23BF1A6C7FD0582BEF5143943286 |
SHA-256: | 7AE619285979CB590BC1E675B46F1B919C16918486989E5EFB4E8FF1647B889F |
SHA-512: | 8A8AF109C20CB3A8854DAFFD04B8965015F99C399834C9FFEC6F4014166A5BCF634EC9915B6864D720202E44F11AF6EF7300DD61AB7AD3A7A8A67CE25A0E04DD |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11825 |
Entropy (8bit): | 4.492452654271373 |
Encrypted: | false |
SSDEEP: | 48:z7SMiXCKgYtC2WFW2WdTcwp4+rkbUesj5nO1FUVqKupeeeeO6666Qddddh++++3C:zWXCKgYtCPFW2oFi6oKu5++++y |
MD5: | CA0D19BC57446FD4C5599A8E06B96FDE |
SHA1: | 53DAD3C428E06B17C357784E3315C17883771C8B |
SHA-256: | E3EBCA30B184C901A34EB26861C224B093A996DB8D225F7823AE26807492714A |
SHA-512: | FAF13F30D6B6F18EDBE891C5F8B9BC67ECC636409784B2B2F44EDE961CBC0427FC739AAB56648AFF2F09AC75E2D980762F3E46ED242F879EC33679FEB3F9F7ED |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1193 |
Entropy (8bit): | 5.316528431561156 |
Encrypted: | false |
SSDEEP: | 24:BxSAPxvBnD0x2DOXUWOLCHGI4qWFHjeTKKjX4CIym1ZJXtHOLCHGI45nxSAZB:BZJvhD0oORF4tFqDYB1ZtF4dZZB |
MD5: | 35128AB28FE94BC6F942032A5E7F3EBF |
SHA1: | BF76EA25577FE1398D8F4A012D5A3808469B5480 |
SHA-256: | EB3AAF9435D2801A4CF565B5A193A1765436CA3C18B452E69C1D4BD55CF35DCB |
SHA-512: | 52AFEC685FA05A2BEE674EA85EDBF85130BA8EDB074F18E646DC5AA8261E3EC6B59018A7B42CB51CA36275E8620129BCA640D4DCF9103B93061DD2C5BD8860C0 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 147 |
Entropy (8bit): | 5.4184286820644365 |
Encrypted: | false |
SSDEEP: | 3:BHNSW5xAdRLgyKBM2S4HE6iYh183sk/h4EbRso3KRfQ/kWiadbwFsXneZwmM:RNQLgyKBM34HH83F1tu4r9iyeqmM |
MD5: | 886B88DEC3C2B0CB56895A5320625AC8 |
SHA1: | E1676E0E12D018B5157E810A0D078DFF5958599F |
SHA-256: | F6AEE4ABE3224D1421B3296B845581CF8E75C41EC5B100DE2A6D26D83B5E8A07 |
SHA-512: | E0DA803C1775DA800DC108E5E12FEA0B3182BF6A6B36332322145CF4E01368CDE8CC75D3A793891A9689353100648F41168AC5D2607D7C0726B06B1080DC74C4 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 838 |
Entropy (8bit): | 3.073236880282747 |
Encrypted: | false |
SSDEEP: | 12:8glVm/3BVSXvk44X3ojsqzKtnWNaVgiNL4t2Y+xIBjK:8p/BHYVKVWiV57aB |
MD5: | CA1C201059C5BFD5900F5EB2466883CC |
SHA1: | BF3670A8C06A4FABC5C410F368E178B353F9166C |
SHA-256: | E5717E89B0D46C5E89F39410FA7A9DE94AA6A3301F8AC920F84F1A7179554085 |
SHA-512: | 2273AF46D41B9698B23AEADD8EFBEF80017CFD465B4347CFB99C2FEAE371F39A511288AA64AAFA2E35DD2AD883D8E43D70A65E62C18977C6C6D85E3153041D4C |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\nslookup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28 |
Entropy (8bit): | 4.039148671903071 |
Encrypted: | false |
SSDEEP: | 3:U+6QlBxAN:U+7BW |
MD5: | D796BA3AE0C072AA0E189083C7E8C308 |
SHA1: | ABB1B68758B9C2BF43018A4AEAE2F2E72B626482 |
SHA-256: | EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E |
SHA-512: | BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36 |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.515411801846472 |
TrID: |
|
File name: | 2GEg45PlG9.exe |
File size: | 160256 |
MD5: | f100bcf4531fa33e2dd85c321e40abff |
SHA1: | 0599268c78900d3f791b55f3e65401239f5b4309 |
SHA256: | 1effa020a0b9aba59323d36d4c8680fa1bcd34f95e5b223b315053c08f4fb349 |
SHA512: | cd56392454561c1b2e5ca7c055a3683e2a78d20b37df4960e59dc8b92a46fea37e324ffded517e523dce9ce0d83c238b4f3fa15dc3dc3109af16eaa15a76db69 |
SSDEEP: | 3072:TUeBMoaUoWnhoq/8OkUbZlB5qh0LYgt3MhhRuA9RUjST2:RB/aUoWayQUbDBpLRt3MhuKq |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L....Bt_........... |
File Icon |
---|
Icon Hash: | acfc36b6b694c6e2 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x402c8b |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5F7442BC [Wed Sep 30 08:33:00 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 7fa5c9c2dffd615fa15cdafc116d6f16 |
Entrypoint Preview |
---|
Instruction |
---|
call 00007F95948BE575h |
jmp 00007F95948BB9AEh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
call 00007F95948BBB5Ch |
xchg cl, ch |
jmp 00007F95948BBB44h |
call 00007F95948BBB53h |
fxch st(0), st(1) |
jmp 00007F95948BBB3Bh |
fabs |
fld1 |
mov ch, cl |
xor cl, cl |
jmp 00007F95948BBB31h |
mov byte ptr [ebp-00000090h], FFFFFFFEh |
fabs |
fxch st(0), st(1) |
fabs |
fxch st(0), st(1) |
fpatan |
or cl, cl |
je 00007F95948BBB26h |
fldpi |
fsubrp st(1), st(0) |
or ch, ch |
je 00007F95948BBB24h |
fchs |
ret |
fabs |
fld st(0), st(0) |
fld st(0), st(0) |
fld1 |
fsubrp st(1), st(0) |
fxch st(0), st(1) |
fld1 |
faddp st(1), st(0) |
fmulp st(1), st(0) |
ftst |
wait |
fstsw word ptr [ebp-000000A0h] |
wait |
test byte ptr [ebp-0000009Fh], 00000001h |
jne 00007F95948BBB27h |
xor ch, ch |
fsqrt |
ret |
pop eax |
jmp 00007F95948BE73Fh |
fstp st(0) |
fld tbyte ptr [00418D7Ah] |
ret |
fstp st(0) |
or cl, cl |
je 00007F95948BBB2Dh |
fstp st(0) |
fldpi |
or ch, ch |
je 00007F95948BBB24h |
fchs |
ret |
fstp st(0) |
fldz |
or ch, ch |
je 00007F95948BBB19h |
fchs |
ret |
fstp st(0) |
jmp 00007F95948BE715h |
fstp st(0) |
mov cl, ch |
jmp 00007F95948BBB22h |
call 00007F95948BBAEEh |
jmp 00007F95948BE720h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ef54 | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x27000 | 0x7578 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x181c0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x19cc8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x178 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x164e0 | 0x16600 | False | 0.801708711592 | data | 7.56964472397 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x18000 | 0x780a | 0x7a00 | False | 0.125672387295 | data | 2.07756873037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x20000 | 0x629c | 0x1800 | False | 0.265625 | data | 2.83900220695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x27000 | 0x7578 | 0x7600 | False | 0.673530190678 | data | 6.21851590518 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x27360 | 0xea8 | data | Latvian | Latvia |
RT_ICON | 0x28208 | 0x8a8 | data | Latvian | Latvia |
RT_ICON | 0x28ab0 | 0x6c8 | data | Latvian | Latvia |
RT_ICON | 0x29178 | 0x568 | GLS_BINARY_LSB_FIRST | Latvian | Latvia |
RT_ICON | 0x296e0 | 0x25a8 | data | Latvian | Latvia |
RT_ICON | 0x2bc88 | 0x10a8 | data | Latvian | Latvia |
RT_ICON | 0x2cd30 | 0x988 | data | Latvian | Latvia |
RT_ICON | 0x2d6b8 | 0x468 | GLS_BINARY_LSB_FIRST | Latvian | Latvia |
RT_STRING | 0x2dda0 | 0x180 | data | | |
RT_STRING | 0x2df20 | 0x3e4 | data | | |
RT_STRING | 0x2e308 | 0x26e | data | | |
RT_ACCELERATOR | 0x2db98 | 0x40 | data | | |
RT_ACCELERATOR | 0x2dbd8 | 0x18 | data | | |
RT_GROUP_ICON | 0x2db20 | 0x76 | data | Latvian | Latvia |
RT_VERSION | 0x2dbf0 | 0x1b0 | data | | |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | SetEndOfFile, GetEnvironmentStringsW, WaitForSingleObject, EnumCalendarInfoExW, GetConsoleAliasesA, GetConsoleAliasesLengthA, GlobalAlloc, GetConsoleMode, GetLocaleInfoW, GetFileAttributesA, HeapValidate, GetLocaleInfoA, GetHandleInformation, SetLastError, GetThreadLocale, GetProcAddress, VirtualAlloc, GetFirmwareEnvironmentVariableW, LoadLibraryA, CreateHardLinkW, SetSystemTime, FindNextFileW, GetConsoleTitleW, EnumDateFormatsW, EndUpdateResourceA, CommConfigDialogW, WriteConsoleW, HeapReAlloc, GetStringTypeW, DecodePointer, EncodePointer, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapAlloc, GetLastError, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, SetFilePointer, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapFree, CloseHandle, LoadLibraryW, WriteFile, GetModuleFileNameW, FreeEnvironmentStringsW, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, Sleep, SetStdHandle, RtlUnwind, WideCharToMultiByte, GetConsoleCP, FlushFileBuffers, HeapSize, RaiseException, IsProcessorFeaturePresent, LCMapStringW, MultiByteToWideChar, CreateFileW |
USER32.dll | SetCaretPos |
ADVAPI32.dll | GetOldestEventLogRecord |
ole32.dll | CoRevokeMallocSpy |
MSIMG32.dll | TransparentBlt |
Version Infos |
---|
Description | Data |
---|---|
InternalName | bomgpiaruci.iwa |
ProductVersion | 13.54.77.27 |
Copyright | Copyrighz (C) 2021, fudkat |
Translation | 0x0114 0x046a |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Latvian | Latvia | |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 24, 2021 20:20:30.724430084 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:30.724476099 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:30.728490114 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:30.750240088 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:30.750267982 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:31.088500977 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:31.088520050 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:31.090848923 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:31.324388981 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:31.324426889 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:31.324691057 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:31.324836016 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:31.327615976 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:31.368872881 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:31.494282961 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:31.494379044 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:31.494404078 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:31.494426966 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:31.518052101 CET | 49742 | 443 | 192.168.2.3 | 98.137.11.164 |
Nov 24, 2021 20:20:31.518093109 CET | 443 | 49742 | 98.137.11.164 | 192.168.2.3 |
Nov 24, 2021 20:20:31.573668003 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.573720932 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:31.576662064 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.577241898 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.577253103 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:31.662786007 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:31.662909031 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.669301033 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.669315100 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:31.669585943 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:31.669644117 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.670238018 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.712869883 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:31.856086969 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:31.856197119 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.856205940 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:31.856231928 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:31.856312990 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.857570887 CET | 49743 | 443 | 192.168.2.3 | 87.248.100.215 |
Nov 24, 2021 20:20:31.857583046 CET | 443 | 49743 | 87.248.100.215 | 192.168.2.3 |
Nov 24, 2021 20:20:52.047909021 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:52.047950029 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:52.048111916 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:52.048752069 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:52.048764944 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:52.602982998 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:52.603101969 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:52.610651016 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:52.610671043 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:52.610932112 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:52.611001015 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:52.611939907 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:52.652873993 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.014487028 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.014513969 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.014530897 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.015455008 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.015486956 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.015599966 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.015988111 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.016010046 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.016118050 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.016134977 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.017184019 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.192995071 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.193025112 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.193176985 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.193202019 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.194232941 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.194253922 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.194340944 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.194360971 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.194408894 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.195310116 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.195328951 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.195400000 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.195410013 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.195451021 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.370963097 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.370995045 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.371093988 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.371115923 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.372045040 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.372070074 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.372138023 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.372150898 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.372186899 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.373075008 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.373102903 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.373181105 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.373191118 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.373591900 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.374028921 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.374053955 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.374110937 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.374119043 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.374155045 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.375142097 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.375168085 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.375205994 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.375214100 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.375232935 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.375251055 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.376456022 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.376506090 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.376524925 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.376532078 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.376576900 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.376835108 CET | 443 | 49746 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.376863003 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.376877069 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.376919031 CET | 49746 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.657802105 CET | 49748 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.657845974 CET | 443 | 49748 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:53.657931089 CET | 49748 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.658637047 CET | 49748 | 443 | 192.168.2.3 | 89.45.4.117 |
Nov 24, 2021 20:20:53.658653975 CET | 443 | 49748 | 89.45.4.117 | 192.168.2.3 |
Nov 24, 2021 20:20:54.175964117 CET | 443 | 49748 | 89.45.4.117 | 192.168.2.3 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 24, 2021 20:20:30.658610106 CET | 58045 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 24, 2021 20:20:30.677985907 CET | 53 | 58045 | 8.8.8.8 | 192.168.2.3 |
Nov 24, 2021 20:20:31.552371025 CET | 57459 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 24, 2021 20:20:31.571638107 CET | 53 | 57459 | 8.8.8.8 | 192.168.2.3 |
Nov 24, 2021 20:20:52.022425890 CET | 54154 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 24, 2021 20:20:52.045479059 CET | 53 | 54154 | 8.8.8.8 | 192.168.2.3 |
Nov 24, 2021 20:23:02.491050959 CET | 56236 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 24, 2021 20:23:02.510446072 CET | 53 | 56236 | 8.8.8.8 | 192.168.2.3 |
Nov 24, 2021 20:23:02.514533043 CET | 56237 | 53 | 192.168.2.3 | 208.67.222.222 |
Nov 24, 2021 20:23:02.532485008 CET | 53 | 56237 | 208.67.222.222 | 192.168.2.3 |
Nov 24, 2021 20:23:02.534013033 CET | 56238 | 53 | 192.168.2.3 | 208.67.222.222 |
Nov 24, 2021 20:23:02.553025007 CET | 53 | 56238 | 208.67.222.222 | 192.168.2.3 |
Nov 24, 2021 20:23:02.588870049 CET | 56239 | 53 | 192.168.2.3 | 208.67.222.222 |
Nov 24, 2021 20:23:02.606173992 CET | 53 | 56239 | 208.67.222.222 | 192.168.2.3 |
Nov 24, 2021 20:23:15.353218079 CET | 56527 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 24, 2021 20:23:15.373545885 CET | 53 | 56527 | 8.8.8.8 | 192.168.2.3 |
Nov 24, 2021 20:23:15.875829935 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 24, 2021 20:23:15.897099018 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3 |
Nov 24, 2021 20:23:17.479113102 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 24, 2021 20:23:17.498366117 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3 |
Nov 24, 2021 20:23:17.611757994 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 24, 2021 20:23:17.631037951 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Nov 24, 2021 20:20:30.658610106 CET | 192.168.2.3 | 8.8.8.8 | 0x55f9 | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 24, 2021 20:20:31.552371025 CET | 192.168.2.3 | 8.8.8.8 | 0x43a1 | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 24, 2021 20:20:52.022425890 CET | 192.168.2.3 | 8.8.8.8 | 0x5c51 | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 24, 2021 20:23:02.491050959 CET | 192.168.2.3 | 8.8.8.8 | 0xc06b | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 24, 2021 20:23:02.514533043 CET | 192.168.2.3 | 208.67.222.222 | 0x1 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | |
Nov 24, 2021 20:23:02.534013033 CET | 192.168.2.3 | 208.67.222.222 | 0x2 | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 24, 2021 20:23:02.588870049 CET | 192.168.2.3 | 208.67.222.222 | 0x3 | Standard query (0) | 28 | IN (0x0001) | |
Nov 24, 2021 20:23:15.353218079 CET | 192.168.2.3 | 8.8.8.8 | 0x9bff | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 24, 2021 20:23:15.875829935 CET | 192.168.2.3 | 8.8.8.8 | 0xee94 | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 24, 2021 20:23:17.479113102 CET | 192.168.2.3 | 8.8.8.8 | 0xcb87 | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 24, 2021 20:23:17.611757994 CET | 192.168.2.3 | 8.8.8.8 | 0xdba9 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Nov 24, 2021 20:20:30.677985907 CET | 8.8.8.8 | 192.168.2.3 | 0x55f9 | No error (0) | 98.137.11.164 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:20:30.677985907 CET | 8.8.8.8 | 192.168.2.3 | 0x55f9 | No error (0) | 74.6.143.26 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:20:30.677985907 CET | 8.8.8.8 | 192.168.2.3 | 0x55f9 | No error (0) | 74.6.231.21 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:20:30.677985907 CET | 8.8.8.8 | 192.168.2.3 | 0x55f9 | No error (0) | 74.6.143.25 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:20:30.677985907 CET | 8.8.8.8 | 192.168.2.3 | 0x55f9 | No error (0) | 74.6.231.20 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:20:30.677985907 CET | 8.8.8.8 | 192.168.2.3 | 0x55f9 | No error (0) | 98.137.11.163 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:20:31.571638107 CET | 8.8.8.8 | 192.168.2.3 | 0x43a1 | No error (0) | new-fp-shed.wg1.b.yahoo.com | CNAME (Canonical name) | IN (0x0001) | ||
Nov 24, 2021 20:20:31.571638107 CET | 8.8.8.8 | 192.168.2.3 | 0x43a1 | No error (0) | 87.248.100.215 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:20:31.571638107 CET | 8.8.8.8 | 192.168.2.3 | 0x43a1 | No error (0) | 87.248.100.216 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:20:52.045479059 CET | 8.8.8.8 | 192.168.2.3 | 0x5c51 | No error (0) | 89.45.4.117 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:23:02.510446072 CET | 8.8.8.8 | 192.168.2.3 | 0xc06b | No error (0) | 208.67.222.222 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:23:02.532485008 CET | 208.67.222.222 | 192.168.2.3 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Nov 24, 2021 20:23:02.532485008 CET | 208.67.222.222 | 192.168.2.3 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Nov 24, 2021 20:23:02.532485008 CET | 208.67.222.222 | 192.168.2.3 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Nov 24, 2021 20:23:02.553025007 CET | 208.67.222.222 | 192.168.2.3 | 0x2 | No error (0) | 84.17.52.63 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:23:15.373545885 CET | 8.8.8.8 | 192.168.2.3 | 0x9bff | No error (0) | 209.202.254.90 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:23:15.897099018 CET | 8.8.8.8 | 192.168.2.3 | 0xee94 | No error (0) | 209.202.254.90 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:23:17.498366117 CET | 8.8.8.8 | 192.168.2.3 | 0xcb87 | No error (0) | edge.gycpi.b.yahoodns.net | CNAME (Canonical name) | IN (0x0001) | ||
Nov 24, 2021 20:23:17.498366117 CET | 8.8.8.8 | 192.168.2.3 | 0xcb87 | No error (0) | 87.248.118.23 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:23:17.498366117 CET | 8.8.8.8 | 192.168.2.3 | 0xcb87 | No error (0) | 87.248.118.22 | A (IP address) | IN (0x0001) | ||
Nov 24, 2021 20:23:17.631037951 CET | 8.8.8.8 | 192.168.2.3 | 0xdba9 | No error (0) | ds-ats.member.g02.yahoodns.net | CNAME (Canonical name) | IN (0x0001) | ||
Nov 24, 2021 20:23:17.631037951 CET | 8.8.8.8 | 192.168.2.3 | 0xdba9 | No error (0) | 212.82.100.140 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTPS Proxied Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49742 | 98.137.11.164 | 443 | C:\Users\user\Desktop\2GEg45PlG9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:20:31 UTC | 0 | OUT | |
2021-11-24 19:20:31 UTC | 0 | IN | |
2021-11-24 19:20:31 UTC | 1 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49743 | 87.248.100.215 | 443 | C:\Users\user\Desktop\2GEg45PlG9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:20:31 UTC | 1 | OUT | |
2021-11-24 19:20:31 UTC | 1 | IN | |
2021-11-24 19:20:31 UTC | 2 | IN | |
2021-11-24 19:20:31 UTC | 3 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.3 | 49746 | 89.45.4.117 | 443 | C:\Users\user\Desktop\2GEg45PlG9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:20:52 UTC | 4 | OUT | |
2021-11-24 19:20:53 UTC | 4 | IN | |
2021-11-24 19:20:53 UTC | 5 | IN | |
2021-11-24 19:20:53 UTC | 20 | IN | |
2021-11-24 19:20:53 UTC | 36 | IN | |
2021-11-24 19:20:53 UTC | 52 | IN | |
2021-11-24 19:20:53 UTC | 68 | IN | |
2021-11-24 19:20:53 UTC | 84 | IN | |
2021-11-24 19:20:53 UTC | 100 | IN | |
2021-11-24 19:20:53 UTC | 116 | IN | |
2021-11-24 19:20:53 UTC | 132 | IN | |
2021-11-24 19:20:53 UTC | 148 | IN | |
2021-11-24 19:20:53 UTC | 164 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.3 | 49748 | 89.45.4.117 | 443 | C:\Users\user\Desktop\2GEg45PlG9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:20:54 UTC | 179 | OUT | |
2021-11-24 19:20:54 UTC | 180 | IN | |
2021-11-24 19:20:54 UTC | 180 | IN | |
2021-11-24 19:20:54 UTC | 196 | IN | |
2021-11-24 19:20:54 UTC | 212 | IN | |
2021-11-24 19:20:54 UTC | 228 | IN | |
2021-11-24 19:20:54 UTC | 244 | IN | |
2021-11-24 19:20:54 UTC | 260 | IN | |
2021-11-24 19:20:54 UTC | 276 | IN | |
2021-11-24 19:20:54 UTC | 292 | IN | |
2021-11-24 19:20:54 UTC | 308 | IN | |
2021-11-24 19:20:54 UTC | 324 | IN | |
2021-11-24 19:20:54 UTC | 340 | IN | |
2021-11-24 19:20:54 UTC | 356 | IN | |
2021-11-24 19:20:55 UTC | 372 | IN | |
2021-11-24 19:20:55 UTC | 388 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.3 | 49749 | 89.45.4.117 | 443 | C:\Users\user\Desktop\2GEg45PlG9.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:20:55 UTC | 402 | OUT | |
2021-11-24 19:20:56 UTC | 403 | IN | |
2021-11-24 19:20:56 UTC | 403 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
5 | 192.168.2.3 | 49813 | 209.202.254.90 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:23:15 UTC | 405 | OUT | |
2021-11-24 19:23:15 UTC | 405 | IN | |
2021-11-24 19:23:15 UTC | 406 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
6 | 192.168.2.3 | 49814 | 209.202.254.90 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:23:16 UTC | 407 | OUT | |
2021-11-24 19:23:16 UTC | 407 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
7 | 192.168.2.3 | 49815 | 209.202.254.90 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:23:16 UTC | 408 | OUT | |
2021-11-24 19:23:16 UTC | 408 | IN | |
2021-11-24 19:23:16 UTC | 408 | IN | |
2021-11-24 19:23:16 UTC | 408 | IN | |
2021-11-24 19:23:16 UTC | 421 | IN | |
2021-11-24 19:23:16 UTC | 421 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
8 | 192.168.2.3 | 49816 | 87.248.118.23 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:23:17 UTC | 421 | OUT | |
2021-11-24 19:23:17 UTC | 421 | IN | |
2021-11-24 19:23:17 UTC | 422 | IN | |
2021-11-24 19:23:17 UTC | 424 | IN | |
2021-11-24 19:23:17 UTC | 427 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
9 | 192.168.2.3 | 49817 | 212.82.100.140 | 443 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-24 19:23:17 UTC | 427 | OUT | |
2021-11-24 19:23:17 UTC | 428 | IN |