Windows Analysis Report lia.exe
Overview
General Information
Detection
Ursnif
| Score | 100 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: Ursnif |
---|
{"lang_id": "RU, CN", "RSA Public Key": "qIukMm1AgKEd3dDbi+35d6MWl+UVbpPFMmGiIDJDDgacZEK8jS4/5zs7ubFZ5RKJ14yC3bMOc4/MB7Zet4BsfAXbGBTmAWZXgT7koTnek2QEZiZ20WKgDLTyQy6GTUUxk0Lxr770IDyy/BSk6aJtHlPex8y6K+Zfruo7cnUzrkN8zs1jBevHKQWt6llI/Itko98RJ0R0pmGGdCg3N/wJUyo7XGnNMik7BdDxE//CSyU7CGkS06hh8BE+0pne+Py1DXhCspMJHsvHS9ciS0vyjWH7bqpi3HvZcztPPJEdLRwiwxTsC/ZMMvLH6gW4XsTGYqrbBj5INNDf6kLJCXP5iGV+GsvodMKbUJybGxVS5nY=", "c2_domain": ["apr.intooltak.com", "app.querosityproject.com"], "botnet": "1000", "server": "770", "serpent_key": "BwM3bYGWLcupJ1hC", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Yara Overview |
---|
Memory Dumps |
---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security | |

71 memory-dump matches in total; only the first five are listed here.
Unpacked PEs |
---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: MSHTA Spawning Windows Shell | Author: Michael Haag |
Sigma detected: Mshta Spawning Windows Shell | Author: Florian Roth |
Sigma detected: Suspicious Rundll32 Activity | Author: juju4, Jonhnathan Ribeiro, oscd.community |
Sigma detected: Suspicious Csc.exe Source File Folder | Author: Florian Roth |
Sigma detected: Non Interactive PowerShell | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
Sigma detected: T1086 PowerShell Execution | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Jbx Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Antivirus / Scanner detection for submitted sample |
Source: | Avira: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Code function: | 1_2_00B17479 |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 1_2_039E8409 |
Source: | Code function: | 1_2_039F2ECF | |
Source: | Code function: | 1_2_039EB9D4 | |
Source: | Code function: | 1_2_039DE91D | |
Source: | Code function: | 44_2_036BE91D | |
Source: | Code function: | 44_2_036CB9D4 | |
Source: | Code function: | 44_2_036D2ECF |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: |
System process connects to network (likely due to code injection or exploit) |
Source: | Domain query: |
Uses nslookup.exe to query domains |
Source: | Process created: |
May check the online IP address of the machine |
Source: | DNS query: |
Uses ping.exe to check the status of other devices and networks |
Source: | Process created: |
Source: | HTTP traffic detected: |
Source: | ASN Name: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif |
Source: | File source: |
E-Banking Fraud: |
---|
Yara detected Ursnif |
Source: | File source: |
Disables SPDY (HTTP compression, likely to perform web injects) |
Source: | Registry key value created / modified: |
Source: | Code function: | 1_2_00B17479 |
System Summary: |
---|
Writes or reads registry keys via WMI |
Source: | WMI Queries: |
Writes registry values via WMI |
Source: | WMI Registry write: |
Source: | Code function: | 1_2_00B16DD3 | |
Source: | Code function: | 1_2_00B17F60 | |
Source: | Code function: | 1_2_00B16B67 | |
Source: | Code function: | 1_2_039E63BC | |
Source: | Code function: | 1_2_039EA241 | |
Source: | Code function: | 1_2_039D95FE | |
Source: | Code function: | 1_2_039EF1EE | |
Source: | Code function: | 1_2_039D9D64 | |
Source: | Code function: | 1_2_039DC086 | |
Source: | Code function: | 1_2_039D34DC | |
Source: | Code function: | 1_2_039E78F1 | |
Source: | Code function: | 1_2_039D504A | |
Source: | Code function: | 18_2_0054AB44 | |
Source: | Code function: | 18_2_0054B58C | |
Source: | Code function: | 18_2_005386D0 | |
Source: | Code function: | 18_2_00549858 | |
Source: | Code function: | 18_2_00532804 | |
Source: | Code function: | 18_2_0053A808 | |
Source: | Code function: | 18_2_0053B008 | |
Source: | Code function: | 18_2_00548820 | |
Source: | Code function: | 18_2_00538024 | |
Source: | Code function: | 18_2_00535828 | |
Source: | Code function: | 18_2_005268FC | |
Source: | Code function: | 18_2_005340E8 | |
Source: | Code function: | 18_2_00523890 | |
Source: | Code function: | 18_2_00524080 | |
Source: | Code function: | 18_2_00545954 | |
Source: | Code function: | 18_2_0052B154 | |
Source: | Code function: | 18_2_0053194B | |
Source: | Code function: | 18_2_005231D4 | |
Source: | Code function: | 18_2_00536190 | |
Source: | Code function: | 18_2_005352CC | |
Source: | Code function: | 18_2_005212BC | |
Source: | Code function: | 18_2_00542330 | |
Source: | Code function: | 18_2_00537BFC | |
Source: | Code function: | 18_2_00542BA0 | |
Source: | Code function: | 18_2_00523BA4 | |
Source: | Code function: | 18_2_0053BC10 | |
Source: | Code function: | 18_2_0052C49C | |
Source: | Code function: | 18_2_005344B4 | |
Source: | Code function: | 18_2_0052DCA8 | |
Source: | Code function: | 18_2_0053CCA8 | |
Source: | Code function: | 18_2_00530544 | |
Source: | Code function: | 18_2_00547D6C | |
Source: | Code function: | 18_2_0053751C | |
Source: | Code function: | 18_2_00544530 | |
Source: | Code function: | 18_2_00529DF0 | |
Source: | Code function: | 18_2_0054C588 | |
Source: | Code function: | 18_2_00548DA0 | |
Source: | Code function: | 18_2_00531618 | |
Source: | Code function: | 18_2_00543E2C | |
Source: | Code function: | 18_2_0052A6D0 | |
Source: | Code function: | 18_2_00547EA0 | |
Source: | Code function: | 18_2_00539740 | |
Source: | Code function: | 18_2_0052CF44 | |
Source: | Code function: | 18_2_0053FF4C | |
Source: | Code function: | 18_2_00527F64 | |
Source: | Code function: | 18_2_005437D0 | |
Source: | Code function: | 18_2_00548FA8 | |
Source: | Code function: | 34_2_00000215F47F86D0 | |
Source: | Code function: | 34_2_00000215F480AB44 | |
Source: | Code function: | 34_2_00000215F4808820 | |
Source: | Code function: | 34_2_00000215F47E3BA4 | |
Source: | Code function: | 34_2_00000215F4809858 | |
Source: | Code function: | 34_2_00000215F4802BA0 | |
Source: | Code function: | 34_2_00000215F4808FA8 | |
Source: | Code function: | 34_2_00000215F47F5828 | |
Source: | Code function: | 34_2_00000215F47F8024 | |
Source: | Code function: | 34_2_00000215F48037D0 | |
Source: | Code function: | 34_2_00000215F47FBC10 | |
Source: | Code function: | 34_2_00000215F47FB008 | |
Source: | Code function: | 34_2_00000215F47FA808 | |
Source: | Code function: | 34_2_00000215F47F2804 | |
Source: | Code function: | 34_2_00000215F47F7BFC | |
Source: | Code function: | 34_2_00000215F47F40E8 | |
Source: | Code function: | 34_2_00000215F4804530 | |
Source: | Code function: | 34_2_00000215F47F44B4 | |
Source: | Code function: | 34_2_00000215F47EDCA8 | |
Source: | Code function: | 34_2_00000215F47EC49C | |
Source: | Code function: | 34_2_00000215F4805954 | |
Source: | Code function: | 34_2_00000215F47E3890 | |
Source: | Code function: | 34_2_00000215F47E4080 | |
Source: | Code function: | 34_2_00000215F4807D6C | |
Source: | Code function: | 34_2_00000215F47EB154 | |
Source: | Code function: | 34_2_00000215F47F194B | |
Source: | Code function: | 34_2_00000215F47F0544 | |
Source: | Code function: | 34_2_00000215F47FCCA8 | |
Source: | Code function: | 34_2_00000215F47F751C | |
Source: | Code function: | 34_2_00000215F47E68FC | |
Source: | Code function: | 34_2_00000215F47E9DF0 | |
Source: | Code function: | 34_2_00000215F47E31D4 | |
Source: | Code function: | 34_2_00000215F4803E2C | |
Source: | Code function: | 34_2_00000215F47F6190 | |
Source: | Code function: | 34_2_00000215F480C588 | |
Source: | Code function: | 34_2_00000215F480B58C | |
Source: | Code function: | 34_2_00000215F4808DA0 | |
Source: | Code function: | 34_2_00000215F47F1618 | |
Source: | Code function: | 34_2_00000215F47EA6D0 | |
Source: | Code function: | 34_2_00000215F47F52CC | |
Source: | Code function: | 34_2_00000215F47E12BC | |
Source: | Code function: | 34_2_00000215F4802330 | |
Source: | Code function: | 34_2_00000215F47FFF4C | |
Source: | Code function: | 34_2_00000215F47E7F64 | |
Source: | Code function: | 34_2_00000215F4807EA0 | |
Source: | Code function: | 34_2_00000215F47ECF44 | |
Source: | Code function: | 34_2_00000215F47F9740 | |
Source: | Code function: | 44_2_036C63BC | |
Source: | Code function: | 44_2_036CA241 | |
Source: | Code function: | 44_2_036CF1EE | |
Source: | Code function: | 44_2_036B504A | |
Source: | Code function: | 44_2_036C78F1 | |
Source: | Code function: | 44_2_036BC086 | |
Source: | Code function: | 44_2_036CCF97 | |
Source: | Code function: | 44_2_036B9D64 | |
Source: | Code function: | 44_2_036B95FE | |
Source: | Code function: | 44_2_036D5430 | |
Source: | Code function: | 44_2_036B34DC |
Source: | Code function: | 1_2_039DE6B9 |
Source: | Key opened: |
Source: | Static PE information: |
Source: | Code function: | 1_2_0040140F | |
Source: | Code function: | 1_2_0040182F | |
Source: | Code function: | 1_2_00401ABC | |
Source: | Code function: | 1_2_00B160A0 | |
Source: | Code function: | 1_2_00B15D85 | |
Source: | Code function: | 1_2_00B1231E | |
Source: | Code function: | 1_2_00B18185 | |
Source: | Code function: | 1_2_039EB38D | |
Source: | Code function: | 1_2_039DD317 | |
Source: | Code function: | 1_2_039ECEED | |
Source: | Code function: | 1_2_039F1AE3 | |
Source: | Code function: | 1_2_039D76E3 | |
Source: | Code function: | 1_2_039DD274 | |
Source: | Code function: | 1_2_039F29E0 | |
Source: | Code function: | 1_2_039E2931 | |
Source: | Code function: | 1_2_039E7523 | |
Source: | Code function: | 1_2_039D317C | |
Source: | Code function: | 1_2_039D696A | |
Source: | Code function: | 1_2_039D8C10 | |
Source: | Code function: | 1_2_039D3F97 | |
Source: | Code function: | 1_2_039E0B30 | |
Source: | Code function: | 1_2_039E7EEF | |
Source: | Code function: | 1_2_039D1641 | |
Source: | Code function: | 1_2_039D155B | |
Source: | Code function: | 1_2_039F389B | |
Source: | Code function: | 1_2_039EE4D5 | |
Source: | Code function: | 1_2_039D483A | |
Source: | Code function: | 18_2_00526140 | |
Source: | Code function: | 18_2_00539994 | |
Source: | Code function: | 18_2_00521B84 | |
Source: | Code function: | 18_2_0053AC44 | |
Source: | Code function: | 18_2_00543C1C | |
Source: | Code function: | 18_2_0054B58C | |
Source: | Code function: | 18_2_00540E70 | |
Source: | Code function: | 18_2_0052E614 | |
Source: | Code function: | 18_2_0052FF60 | |
Source: | Code function: | 18_2_00521FBC | |
Source: | Code function: | 18_2_0055F003 | |
Source: | Code function: | 34_2_00000215F47E1B84 | |
Source: | Code function: | 34_2_00000215F47FAC44 | |
Source: | Code function: | 34_2_00000215F481F003 | |
Source: | Code function: | 44_2_036BD274 | |
Source: | Code function: | 44_2_036D1AE3 | |
Source: | Code function: | 44_2_036D29E0 | |
Source: | Code function: | 44_2_036C7523 | |
Source: | Code function: | 44_2_036B1641 | |
Source: | Code function: | 44_2_036C7EEF | |
Source: | Code function: | 44_2_036B155B | |
Source: | Code function: | 44_2_036CE4D5 |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | File created: |
Source: | Classification label: |
Source: | File read: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: |
Source: | Section loaded: |
Source: | Code function: | 1_2_00B11141 |
Source: | Process created: |
Source: | Mutant created: |
Source: | File read: |
Source: | Key opened: |
Source: | File opened: |
Source: | Window detected: |
Source: | File opened: |
Source: | Key opened: |
Source: | Binary string: |
Source: | Code function: | 1_2_00B1B6BF | |
Source: | Code function: | 1_2_00B1B808 | |
Source: | Code function: | 1_2_00B17BE9 | |
Source: | Code function: | 1_2_00B1B734 | |
Source: | Code function: | 1_2_00B17F5F | |
Source: | Code function: | 1_2_039F542F | |
Source: | Code function: | 18_2_00547302 | |
Source: | Code function: | 34_2_00000215F4807302 | |
Source: | Code function: | 44_2_036D5079 | |
Source: | Code function: | 44_2_036D3D43 | |
Source: | Code function: | 44_2_036D542F |
Source: | Code function: | 1_2_004012E6 |
Source: | Process created: |
Source: | File created: |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif |
Source: | File source: |
Hooks registry keys query functions (used to hide registry keys) |
Source: | IAT, EAT, inline or SSDT hook detected: |
Self deletion via cmd delete |
Source: | Process created: |
Modifies the export address table of user mode modules (user mode EAT hooks) |
Source: | EAT of a user mode module has changed: |
Modifies the prolog of user mode functions (user mode inline hooks) |
Source: | User mode code has changed: |
Modifies the import address table of user mode modules (user mode IAT hooks) |
Source: | IAT of a user mode module has changed: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Uses ping.exe to sleep |
Source: | Process created: |
Source: | Thread sleep time: |
Source: | Evasive API call chain: |
Source: | Last function: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | API coverage: |
Source: | Dropped PE file which has not been started: |
Source: | Thread delayed: |
Source: | Code function: | 1_2_039E8409 |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: | 1_2_039F2ECF |
Source: | Code function: | 1_2_039EB9D4 |
Source: | Code function: | 1_2_039DE91D |
Source: | Code function: | 44_2_036BE91D |
Source: | Code function: | 44_2_036CB9D4 |
Source: | Code function: | 44_2_036D2ECF |
Source: | Code function: | 1_2_004012E6 |
Source: | Process token adjusted: |
Source: | Code function: | 1_2_039D16AF |
Source: | Code function: | 44_2_036B16AF |
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Domain query: |
Maps a DLL or memory area into another process |
Source: | Section loaded: |
Allocates memory in foreign processes |
Source: | Memory allocated: |
Creates a thread in another existing process (thread injection) |
Source: | Thread created: |
Writes to foreign memory regions |
Source: | Memory written: |
Changes memory attributes in foreign processes to executable or writable |
Source: | Memory protected: |
Injects code into the Windows Explorer (explorer.exe) |
Source: | Memory written: |
Modifies the context of a thread in another process (thread injection) |
Source: | Thread register set: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Code function: | 1_2_00401AFE |
Source: | Key value queried: |
Source: | Queries volume information: |
Source: | Code function: | 1_2_00B142A6 |
Source: | Key value queried: |
Source: | Code function: | 1_2_00401C44 |
Source: | Code function: | 1_2_00B142A6 |
Source: | Code function: | 1_2_039EC557 |
Source: | Code function: | 1_2_004017A0 |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: | File source: |
Tries to steal Mail credentials (via file / registry access) |
Source: | Key opened: |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts1 | Windows Management Instrumentation2 | Valid Accounts1 | Valid Accounts1 | Obfuscated Files or Information1 | Credential API Hooking3 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1 |
Default Accounts | Native API2 | Boot or Logon Initialization Scripts | Access Token Manipulation1 | Software Packing1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Email Collection11 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Command and Scripting Interpreter1 | Logon Script (Windows) | Process Injection813 | File Deletion1 | Security Account Manager | File and Directory Discovery3 | SMB/Windows Admin Shares | Credential API Hooking3 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rootkit4 | NTDS | System Information Discovery46 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Query Registry1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts1 | Cached Domain Credentials | Security Software Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Virtualization/Sandbox Evasion21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion21 | Proc Filesystem | Process Discovery3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection813 | /etc/passwd and /etc/shadow | Application Window Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll321 | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | ||
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery11 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | ||
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | System Network Configuration Discovery3 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
lia.exe | 64% | Virustotal | |
lia.exe | 74% | ReversingLabs | Win32.Trojan.Ursnif |
lia.exe | 100% | Avira | TR/Crypt.ZPACK.Gen |
lia.exe | 100% | Joe Sandbox ML | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 100% | Avira | TR/Crypt.ZPACK.Gen |
| 100% | Avira | TR/Crypt.ZPACK.Gen |
| 100% | Avira | HEUR/AGEN.1108168 |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
myip.opendns.com | 102.129.143.64 | true | false | high | |
resolver1.opendns.com | 208.67.222.222 | true | false | high | |
io.immontyr.com | 185.189.12.123 | true | true | unknown | |
apr.intooltak.com | 185.189.12.123 | true | true | unknown | |
222.222.67.208.in-addr.arpa | unknown | unknown | true | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | high |
Contacted IPs |
---|
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 551720 |
Start date: | 12.01.2022 |
Start time: | 13:23:02 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 14m 12s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | lia.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 41 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 5 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.bank.troj.spyw.evad.winEXE@34/19@9/2 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
13:24:28 | API Interceptor | |
13:24:42 | API Interceptor | |
13:25:47 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection |
---|---|---|---|
185.189.12.123 | | | malicious |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection |
---|---|---|---|
resolver1.opendns.com | | | malicious |
myip.opendns.com | | | malicious |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection |
---|---|---|---|
SUPERSERVERSDATACENTERRU | | | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11606 |
Entropy (8bit): | 4.883977562702998 |
Encrypted: | false |
SSDEEP: | 192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr |
MD5: | 1F1446CE05A385817C3EF20CBD8B6E6A |
SHA1: | 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D |
SHA-256: | 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE |
SHA-512: | 252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514 |
Malicious: | false |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 0.9260988789684415 |
Encrypted: | false |
SSDEEP: | 3:Nlllulb/lj:NllUb/l |
MD5: | 13AF6BE1CB30E2FB779EA728EE0A6D67 |
SHA1: | F33581AC2C60B1F02C978D14DC220DCE57CC9562 |
SHA-256: | 168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F |
SHA-512: | 1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413 |
Malicious: | false |
Process: | C:\Windows\System32\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 120 |
Entropy (8bit): | 4.530397332961481 |
Encrypted: | false |
SSDEEP: | 3:cPaRhARtt7TSjjhThARtuV/gRLwvI11/v:oMWbtChWb0gRLwQL/v |
MD5: | 1658AC427436559C818CE024565FC43B |
SHA1: | 8ECC6A8B9512D66EC9816669273CD2934075ADA8 |
SHA-256: | 6AE6B137C04602F2D9D5191E3F6E8F54FB4E9D1FA63C3061CCF909A30966ADDD |
SHA-512: | 6D0C4CDA4C43B32226643D2C19871D1CEF506612B2C3B5DF3241A7A7E654D4149B9F3582F484DB12D577E5C27D7AC45784786726948A2C3401CBA59FC43216E1 |
Malicious: | false |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1336 |
Entropy (8bit): | 3.9905048188713526 |
Encrypted: | false |
SSDEEP: | 24:HsFm9Ua85m9Pl2maHUhKdNwI+ycuZhN1akSTPNnq9Sd:l8c2DGKdm1ul1a3Zq9C |
MD5: | A974F32B7F7707A15E329484C029FCE1 |
SHA1: | 2621E2D5447F8FC9FF7A9B7F88CAC98FE9B19A51 |
SHA-256: | 6C981182473D13DC5D1099250AF54771565EEC648223281D733144F0CC0EE8D1 |
SHA-512: | 10DDCC11C3A0B7D7F6B63C8F3B31031C95BF385B92C173D0AEBB8320EB7B41E245607CD4577F968C2B0952C6D75BE840F835B2A7FEF3194EC62FBC6A8426B233 |
Malicious: | false |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1336 |
Entropy (8bit): | 3.9830478299388257 |
Encrypted: | false |
SSDEEP: | 24:H9Fm9naiL+laHVhKdNwI+ycuZhN9akSLPNnq9Sd:ViL+YjKdm1ul9a3hq9C |
MD5: | 3A1A501A900E890F9D548701B67521FC |
SHA1: | C7DD8F45F2C2A177B2FF710F2545AE7024DDCAD9 |
SHA-256: | F3902890484CFBE4C336D55730FB0CE6C9DE183861F2AE6DE9F210B1019C3E62 |
SHA-512: | AA3FD51DD806BF2C01054ABAF7A904E487A08DE40E519ED2FB70D55100099C61B1277D548882258AF682AA1FA2022867E504061AD11632AAC5F27B2F6636C86E |
Malicious: | false |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.1008341702649616 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryXak7YnqqTPN5Dlq5J:+RI+ycuZhN1akSTPNnqX |
MD5: | 800445E4E2AAD2FA0D334051ADF0B364 |
SHA1: | 893D3C4C6D0041709E0BBD5726DE73160AA5A5BA |
SHA-256: | 967441E6D1D57937C05FFF1939F85674CCBE41CE85434EBE37C4103F33088442 |
SHA-512: | 2A600F5E220380A88F4AEA19415571C709100DB9CFA3848420FE783D802705C569B83251738FC5A9ED062D9743F5C93F50C74C32532210083A78FB8AAA522E72 |
Malicious: | false |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 404 |
Entropy (8bit): | 5.0070648605119645 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJA2EBaHMRSR7a18LTvVSRa+rVSSRnA/f0REWowy:V/DTLDfu2cPjLT89rV5nA/w/owy |
MD5: | F0B963F8AA00CA94A4AD66F311B988E2 |
SHA1: | 37F7E8D69DDEA558DEFD0C10FF1157E26884E7EC |
SHA-256: | 96038DB143062F959B6F1CA6944FCB0D291DA99881953ADE5A6BA02161CFA82A |
SHA-512: | EE54EFC484487B7EB8EE8A1CCED621C16ADE5A4610084290D43CC0555BA498B693F1D5F43371266CFE4EBBE62762086FEF5C2363289D6B1621D07BF704C5E7D1 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 375 |
Entropy (8bit): | 5.23126571977248 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fE5JiVH0zxs7+AEszIN723fE5JihFH:p37Lvkmb6K2a85Jit0WZETa85JiP |
MD5: | 3CCDF50B51E07687856A23D12A29A979 |
SHA1: | FFF5CC8F1A2E1229DE4A1A5C794189E35A96726F |
SHA-256: | 78D3B92A64C7EA86A6538D9B698F1E56CAC11B8603255FFEB88DBAC57F4361D9 |
SHA-512: | 822AFD9E2F18C483BA15433F49DB25430DCE78C7591F25166097AF9BB98C72EF4FCE259BFB05925A83B3B0B96379DF7D5668B8DFF7FCE1B26EC5A34619AC7103 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.618212121782042 |
Encrypted: | false |
SSDEEP: | 24:etGSb8OmU0t3lm85nt4tdxC6AqE4Zz5tkZfX7BnySVUWI+ycuZhN1akSTPNnq:6pXQ3r5eXxP5eJX75yS31ul1a3Zq |
MD5: | 85B2E4E1F05436271174EC39486A0A95 |
SHA1: | 2FE6CCACF593BE6DB43407CC0D176879C5D02CD2 |
SHA-256: | 7D827D9448E8380AD6CED5A961116F65916A5798A9E41EBCC4B656E3617E1054 |
SHA-512: | 1F3996AAA576D603DC91A43D1F749CD2DB5ADB236D8A42BCE078E0860B619B85A491FF0AC6DE10323FD753D6AE9FDFE7161BBE900582FA58E8233D89AF86CDA8 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 872 |
Entropy (8bit): | 5.320975485891332 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6K2a85AtVETa85A2KaM5DqBVKVrdFAMBJTH:Akka6C8+tVE+8+2KxDcVKdBJj |
MD5: | 96947B50878F73CE5428D23AAE4787E0 |
SHA1: | A1A096819E23C98480A3DFA2463B34AB506A9E35 |
SHA-256: | 0E6B59B50FF03F9E522773D40648E6CB72EE541EE22E4086D19FF7FA7503BE71 |
SHA-512: | B1CFB62D31394343C2246211981DCE654096E19560FA1921B7D2C0397FC453F7609A51E7E52C6ED3E92E78604B1B011E591718AC88AF536177FFD10E80E08447 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.0967556868791926 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry/Xak7YnqqaAPN5Dlq5J:+RI+ycuZhN9akSLPNnqX |
MD5: | 9F24615A9A0A013476B4D3C60DE4525A |
SHA1: | 34FACB8DA6C81CE5F3BE94D9D1130EBDC9CCBE65 |
SHA-256: | 84326AA94A233AC6F56DBEF12E2F21784B370C7A11D6E77E2106AC735114C4C4 |
SHA-512: | 949CA22445878A82A44DD4F8944701D8F5DD595F81F050900E197F0915A62886EE529E627C9256DDEF0EC18CCFF539D90F4BE0AFD98BEF3489D273953DBD99BA |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 394 |
Entropy (8bit): | 4.993235973617522 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJlMRSRa+eNMjSSRrJ90SRNmbPJjxVnQy:V/DTLDfu/9eg5rJ9kbx92y |
MD5: | 030386E2BD305EC55BEE50D72051A0C2 |
SHA1: | 618FE858F3B7B1296E760EE21969463861B875E3 |
SHA-256: | 2DABA5D5466729FE4AD5753FBB2F95BC486F9AF12A59516BA175F6FF2062CE44 |
SHA-512: | 0017F802613E78C762F43480581E4F92433F39DF07C402BDF462E6AD0310375D62AE782C605A2EAAF646783F070858B1F1AC358CC8394422C04C72C160E0067A |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 375 |
Entropy (8bit): | 5.217708034480186 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fKpODXBJ+zxs7+AEszIN723fKpODXb:p37Lvkmb6K2aiIb/+WZETaiIbb |
MD5: | C5C643579061A3DB5B51E3E4589C060C |
SHA1: | BE2E53E17AF0989CE4341AA551AFB2D9123A52D0 |
SHA-256: | EF4E87C963F4A33CC15F16C84D10024AE58BAB6B7062AD65A1268322E266416A |
SHA-512: | 8F6AFCB1D8F78372B53E4B86B0B90BD174B3A17B9CC64638A15F7557CB2DCE89AA3F0852C47D403F3F1DC610588F0FB6E36386E554B40CE953745E2A5CA8B170 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.599225632580337 |
Encrypted: | false |
SSDEEP: | 24:etGSD/W2dg85n+QRW4+hRdWDOyFWHEtkZfbBAVK+WI+ycuZhN9akSLPNnq:6Ckb5+QReNWKyW7Jb+Kl1ul9a3hq |
MD5: | 14629306DBDED3960A7A17BFE2D29866 |
SHA1: | C5450DA4EF9A5D248A282B4B8264157E15EEC086 |
SHA-256: | 840B408EFD8F6F09CD463A1E00BF3A2BAFFDBFC75C8BEFE9B07C4AFB87236CBC |
SHA-512: | AE08DB1C9B252F6DF238BF635E1EBC29C71098482831D2A6FCB6A5D0CFE33FE52A8B47488E013C5572F0CF9BD6916C1CF86D28500447F6FA639E82C1B56B3113 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 872 |
Entropy (8bit): | 5.298681762018912 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6K2aiI7ETaiImKaM5DqBVKVrdFAMBJTH:Akka6Ci0E+i7KxDcVKdBJj |
MD5: | 28AAE55A9F6E5B949444334DBC754B88 |
SHA1: | 2AE5170E6163517F855D41B872936A6EBD76D169 |
SHA-256: | C0BD1551BC8BB210614F5220F1785F42773E4BAC920C82049144010C2AADD590 |
SHA-512: | 3AA024D64AF434540ABECF8746B787CDD819AD8B9F0BC5B7648EB149E18A5990B66E96E791C874084E4EF35827FE44220C230C05571F95E978F04311FC9E92EA |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1357 |
Entropy (8bit): | 5.360139788660272 |
Encrypted: | false |
SSDEEP: | 24:BxSAQ57vBVLazx2DOXUWSUoviLCHGYBtBCW5HjeTKKjX4CIym1ZJXHUoviLCHGYj:BZQvTL0oOjoNGeV5qDYB1ZGoNGeSZZc |
MD5: | 15935D59DA482A07DCDF2A72F4B6AA8D |
SHA1: | B8D1B57BF6714C19B9227DFA395D3DAC6C264E24 |
SHA-256: | 74120FC42D802AE356E5E1280A6E8FA860498B7B8CF837123F501F554436C34A |
SHA-512: | A104291EA7E6F7B988C21CBD5F1E98AA8C7D0296EAFE6617149AEC9152B38C2FB780BBECB5D46881A35B28C5A96480F0A547598D51A9B0C19050C439B4BB7F0E |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\nslookup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28 |
Entropy (8bit): | 4.039148671903071 |
Encrypted: | false |
SSDEEP: | 3:U+6QlBxAN:U+7BW |
MD5: | D796BA3AE0C072AA0E189083C7E8C308 |
SHA1: | ABB1B68758B9C2BF43018A4AEAE2F2E72B626482 |
SHA-256: | EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E |
SHA-512: | BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36 |
Malicious: | false |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.429763105657002 |
TrID: | |
File name: | lia.exe |
File size: | 37888 |
MD5: | 8b893e03dd1c7ce96df57f92f302dcb1 |
SHA1: | a7a131ea9f39ebaa195296ebd9b44708bee8264d |
SHA256: | dd023f1f2ce682e9db588aa6cb859b6279d5e43f87a9a99da3cd683711736324 |
SHA512: | f53ad1381e8ba9a33c32759acf4e631b6e596bf98a328b6e71e3be7b890e9ce1d8de4059aa2d9eeb2fd68ee21c5c0e26fdb510ae60982651e4afc0e45f419359 |
SSDEEP: | 768:X7G/eZFaxyUfQ40a/jQp9BhGgFIjFdRL5cFb:X7/2PfQ4n/Ef2gFURF6 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........jd....K...K...K.s.K...K...K...Kz.WK...K..{K...K..vK...K..rK...KRich...K........................PE..L...?~.a................... |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4018f5 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH |
Time Stamp: | 0x61B67E3F [Sun Dec 12 22:57:03 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 9987b801833955ee3995600b1a735d2e |
Entrypoint Preview |
---|
Instruction |
---|
push esi |
xor esi, esi |
push esi |
push 00400000h |
push esi |
call dword ptr [0040300Ch] |
cmp eax, esi |
mov dword ptr [00404160h], eax |
je 00007F9738BCC467h |
push esi |
call dword ptr [00403044h] |
mov dword ptr [00404170h], eax |
call dword ptr [00403028h] |
call 00007F9738BCBF2Fh |
push dword ptr [00404160h] |
mov esi, eax |
call dword ptr [00403008h] |
push esi |
call dword ptr [00403040h] |
pop esi |
push ebp |
mov ebp, esp |
sub esp, 10h |
and dword ptr [ebp-04h], 00000000h |
push ebx |
push esi |
mov esi, dword ptr [00404180h] |
push edi |
mov edi, dword ptr [00404170h] |
mov eax, dword ptr [edi+3Ch] |
add eax, edi |
movzx edx, word ptr [eax+06h] |
movzx ebx, word ptr [eax+14h] |
mov ecx, esi |
xor ecx, 0000150Eh |
inc edx |
imul edx, edx, 28h |
add ebx, eax |
movzx ecx, cx |
xor esi, 69B25F5Ch |
add ebx, edx |
mov dword ptr [ebp-0Ch], ecx |
add esi, ebx |
jmp 00007F9738BCC44Ah |
cmp ax, cx |
je 00007F9738BCC44Fh |
add esi, 14h |
movzx eax, word ptr [esi] |
test ax, ax |
jne 00007F9738BCC432h |
jmp 00007F9738BCC4A8h |
mov eax, dword ptr [ebp+10h] |
test eax, eax |
je 00007F9738BCC447h |
cmp dword ptr [esi+08h], eax |
jne 00007F9738BCC494h |
test byte ptr [esi+03h], 00000002h |
jne 00007F9738BCC48Eh |
mov eax, dword ptr [esi+10h] |
inc eax |
push eax |
call 00007F9738BCCA2Ch |
mov ebx, eax |
test ebx, ebx |
je 00007F9738BCC47Bh |
test byte ptr [esi+03h], 00000001h |
je 00007F9738BCC487h |
mov eax, dword ptr [esi+00h] |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3108 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x10 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7000 | 0xec | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0xb8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x10c6 | 0x1200 | False | 0.671440972222 | data | 6.2925337146 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0x53a | 0x600 | False | 0.495442708333 | data | 4.73099023762 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x4000 | 0x194 | 0x200 | False | 0.056640625 | data | 0.122275881259 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.bss | 0x5000 | 0x26c | 0x400 | False | 0.6513671875 | data | 5.5245641 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x6000 | 0x10 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x7000 | 0x7000 | 0x7000 | False | 0.959926060268 | data | 7.82218542611 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Imports |
---|
DLL | Import |
---|---|
ntdll.dll | _snwprintf, memset, NtQuerySystemInformation, _aulldiv |
SHLWAPI.dll | StrStrIA |
KERNEL32.dll | HeapDestroy, HeapCreate, GetLocaleInfoA, GetSystemDefaultUILanguage, ExitThread, lstrlenW, HeapAlloc, GetLastError, GetCommandLineW, VerLanguageNameA, Sleep, HeapFree, WaitForSingleObject, GetExitCodeThread, ExitProcess, GetModuleHandleA, CreateFileMappingW, GetSystemTimeAsFileTime, MapViewOfFile, CloseHandle, GetModuleFileNameW, SleepEx, QueueUserAPC, SetLastError, TerminateThread, CreateThread, OpenProcess, GetVersion, CreateEventA, GetCurrentProcessId, GetLongPathNameW, VirtualAlloc, VirtualFree, GetProcAddress, LoadLibraryA, VirtualProtect |
ADVAPI32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorA |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/12/22-13:24:28.673513 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49768 | 80 | 192.168.2.6 | 185.189.12.123 |
01/12/22-13:24:29.697757 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
01/12/22-13:24:29.697757 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
01/12/22-13:24:31.085325 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49772 | 80 | 192.168.2.6 | 185.189.12.123 |
01/12/22-13:24:31.085325 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49772 | 80 | 192.168.2.6 | 185.189.12.123 |
01/12/22-13:26:47.177318 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49856 | 80 | 192.168.2.6 | 185.189.12.123 |
01/12/22-13:26:47.177318 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49856 | 80 | 192.168.2.6 | 185.189.12.123 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 12, 2022 13:24:30.259987116 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260071039 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260127068 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260176897 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260205984 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.260231018 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260263920 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.260287046 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260366917 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.260478020 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260560989 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260639906 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.260658026 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260770082 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.260837078 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.260963917 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.261018038 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.261075974 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.261086941 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.261179924 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.261281967 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.261306047 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.312787056 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.312830925 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.312863111 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.312870026 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.312907934 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.312952042 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.313045979 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313086987 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313134909 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.313316107 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313361883 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313419104 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313476086 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.313494921 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.313540936 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313613892 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313678026 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.313740015 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313905001 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313941002 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.313961029 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.313990116 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.314110041 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.314229965 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.314269066 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.314291954 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.314412117 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.314625025 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.314666986 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.314683914 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.314707994 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.314721107 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.360019922 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.365390062 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.365437031 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.365478992 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.365545034 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.365570068 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.365585089 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.365643024 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.365751028 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.365784883 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.365812063 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.365860939 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.366122007 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.366204977 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.366250038 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.366259098 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.366295099 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.366350889 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.366487980 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.366555929 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.366848946 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.366900921 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.366951942 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.366971970 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.367006063 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.367108107 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.367161036 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.367369890 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.367386103 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.367424965 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.367650986 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.367705107 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.367731094 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.367772102 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.367870092 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.367922068 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.367991924 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.368047953 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.368170977 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.368221998 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.368251085 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.368272066 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.368746996 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.368848085 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.368865013 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.368954897 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.369010925 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.369041920 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.369072914 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.369086027 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.369178057 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.369276047 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.412792921 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.412853956 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.415565968 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.418061018 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.418128014 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.418179035 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.418203115 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.418219090 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.418261051 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.418283939 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.418498039 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.418540001 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.418601036 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.418653011 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.418809891 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.418864965 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.418932915 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.419003963 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.419073105 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.419104099 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.419254065 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.419363022 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.419428110 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.419476986 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.419481039 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.419502974 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.419554949 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.419738054 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.419781923 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.419837952 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.419902086 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420054913 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420105934 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.420150042 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420190096 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420248985 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.420315981 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420581102 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420631886 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420653105 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.420682907 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420839071 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420892000 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.420898914 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.420941114 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.420989037 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.421046019 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.421292067 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.421336889 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.421374083 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.421396971 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.421710014 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.421751976 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.421789885 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.421808958 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.421864986 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.421921968 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.422002077 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.422055006 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.422121048 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.422240019 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.422297001 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.422389030 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.422504902 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.422609091 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.422652006 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.422676086 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.422713041 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.422914982 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.422955036 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.423024893 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.423088074 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.468061924 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.468107939 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.468158960 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.471421957 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.471501112 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.471559048 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.471595049 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.471626997 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.471662998 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.471719980 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.471777916 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.471780062 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.471838951 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.471900940 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.472038984 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.472105026 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.472208023 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.472265959 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.472265959 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.472328901 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.472376108 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.472595930 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.472697973 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.472749949 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.472759008 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.472855091 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.472901106 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.473109961 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.473172903 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.473221064 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.473234892 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.473388910 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.473438025 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.473495007 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.473589897 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.473638058 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.473649979 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.473823071 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.473879099 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.473958969 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.474035978 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.474052906 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.474231958 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.474281073 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.474324942 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.474442005 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.474488020 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.474668026 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.474730015 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.474788904 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.474796057 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.474890947 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475049019 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475122929 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.475250006 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475300074 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.475312948 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475373030 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475419044 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.475440025 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475675106 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475708008 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475723982 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.475754976 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475794077 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.475905895 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.475981951 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.476042032 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.476085901 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.476219893 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.476428986 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.520601034 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.520636082 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.520735025 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.524605036 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.524643898 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.524672031 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.524698973 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.524709940 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.524738073 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.524967909 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.525002003 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.525073051 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.525079966 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.525202990 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.525234938 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.525284052 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.525371075 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.525537014 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.525566101 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.525600910 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.525621891 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.525734901 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:30.577986002 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:31.027659893 CET | 49772 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:31.081933022 CET | 80 | 49772 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:31.082345009 CET | 49772 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:31.085325003 CET | 49772 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:31.179045916 CET | 80 | 49772 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:31.580383062 CET | 80 | 49772 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:31.580420971 CET | 80 | 49772 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:31.580444098 CET | 80 | 49772 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:31.580610037 CET | 49772 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:31.581285000 CET | 49772 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:31.637943983 CET | 80 | 49772 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:47.124680996 CET | 49856 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:47.176888943 CET | 80 | 49856 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:47.177067041 CET | 49856 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:47.177318096 CET | 49856 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:47.269603014 CET | 80 | 49856 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:47.639175892 CET | 80 | 49856 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:47.639287949 CET | 80 | 49856 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:47.639429092 CET | 49856 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:47.639561892 CET | 49856 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:47.691675901 CET | 80 | 49856 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:58.714560986 CET | 49858 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:58.768919945 CET | 80 | 49858 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:58.769175053 CET | 49858 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:58.769229889 CET | 49858 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:58.769239902 CET | 49858 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:58.821933031 CET | 80 | 49858 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:59.250108004 CET | 80 | 49858 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:59.250571966 CET | 80 | 49858 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:59.250809908 CET | 49858 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:59.250844955 CET | 49858 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:59.303678989 CET | 80 | 49858 | 185.189.12.123 | 192.168.2.6 |
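Every TCP row above belongs to one of a handful of short connections from 192.168.2.6 to 185.189.12.123:80, each opened on a fresh ephemeral port (49768, 49769, 49772, 49856, 49858). The following is an added example, not code from the Joe Sandbox report, that turns rows in this table's format into per-connection summaries and the spacing between connection starts, which is the view an analyst needs to judge whether traffic like this is beaconing. It embeds a subset of the report's own rows; the function names are mine, and treating the lower port as the server side is a heuristic that holds for this capture.

```python
"""Per-connection summary of the TCP packet rows above.

Added example, not part of the sandbox report: it groups pipe-separated packet
rows into connections and measures the spacing between connection starts.
"""
from collections import OrderedDict
from datetime import datetime

# Subset of the report's own TCP rows: ts | src port | dst port | src IP | dst IP
TCP_ROWS = """\
Jan 12, 2022 13:24:29.517726898 CET | 49768 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:29.573925972 CET | 80 | 49768 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:29.644450903 CET | 49769 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:29.697081089 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:30.577986002 CET | 80 | 49769 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:24:31.027659893 CET | 49772 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:24:31.637943983 CET | 80 | 49772 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:47.124680996 CET | 49856 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:47.691675901 CET | 80 | 49856 | 185.189.12.123 | 192.168.2.6 |
Jan 12, 2022 13:26:58.714560986 CET | 49858 | 80 | 192.168.2.6 | 185.189.12.123 |
Jan 12, 2022 13:26:59.303678989 CET | 80 | 49858 | 185.189.12.123 | 192.168.2.6 |
"""


def parse_ts(text):
    """Parse a report timestamp such as 'Jan 12, 2022 13:24:29.517726898 CET'.

    strptime handles at most microseconds, so the nanosecond fraction is
    truncated and the trailing zone name dropped.
    """
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def sessionize(rows=TCP_ROWS):
    """Group rows into connections keyed (client IP, client port, server IP, server port).

    Each value holds first/last packet time and packet counts per direction.
    Heuristic: the lower port number is the server side (80 here) and the
    higher one is the client's ephemeral port.
    """
    sessions = OrderedDict()
    for line in rows.strip().splitlines():
        ts, sport, dport, sip, dip = [c.strip() for c in line.strip(" |").split("|")]
        sport, dport = int(sport), int(dport)
        if sport > dport:                      # client -> server
            key, outbound = (sip, sport, dip, dport), True
        else:                                  # server -> client
            key, outbound = (dip, dport, sip, sport), False
        s = sessions.setdefault(key, {"first": None, "last": None, "out": 0, "in": 0})
        t = parse_ts(ts)
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
        s["out" if outbound else "in"] += 1
    return sessions


def summarize(rows=TCP_ROWS):
    """One tuple per connection: (client port, server, seconds alive, packets out, packets in)."""
    result = []
    for (_cip, cport, sip, sport), s in sessionize(rows).items():
        duration = round((s["last"] - s["first"]).total_seconds(), 3)
        result.append((cport, f"{sip}:{sport}", duration, s["out"], s["in"]))
    return result


def beacon_gaps(sessions):
    """Seconds between the starts of consecutive connections to the same server."""
    starts = sorted((s["first"], key[2], key[3]) for key, s in sessions.items())
    gaps = []
    for (t0, ip0, p0), (t1, ip1, p1) in zip(starts, starts[1:]):
        if (ip0, p0) == (ip1, p1):
            gaps.append(round((t1 - t0).total_seconds(), 1))
    return gaps


if __name__ == "__main__":
    for port, server, duration, n_out, n_in in summarize():
        print(f"{port:>5} -> {server}  {duration:6.3f}s  out={n_out} in={n_in}")
    print("seconds between connection starts:", beacon_gaps(sessionize()))
```

Run on the full table the same way: three connections inside two seconds, then two more roughly two minutes later, each one short and all to the same host and port, is the shape to look for when deciding whether a sandbox capture shows a check-in loop rather than an ordinary download.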
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 12, 2022 13:24:28.581885099 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
Jan 12, 2022 13:24:28.604604959 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
Jan 12, 2022 13:24:29.624264956 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
Jan 12, 2022 13:24:29.642622948 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
Jan 12, 2022 13:24:30.696774960 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Jan 12, 2022 13:24:31.026072025 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Jan 12, 2022 13:26:11.697997093 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8 |
Jan 12, 2022 13:26:11.716238022 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6 |
Jan 12, 2022 13:26:11.722532988 CET | 54684 | 53 | 192.168.2.6 | 208.67.222.222 |
Jan 12, 2022 13:26:11.739139080 CET | 53 | 54684 | 208.67.222.222 | 192.168.2.6 |
Jan 12, 2022 13:26:11.741723061 CET | 54685 | 53 | 192.168.2.6 | 208.67.222.222 |
Jan 12, 2022 13:26:11.758064032 CET | 53 | 54685 | 208.67.222.222 | 192.168.2.6 |
Jan 12, 2022 13:26:11.794171095 CET | 54686 | 53 | 192.168.2.6 | 208.67.222.222 |
Jan 12, 2022 13:26:11.810571909 CET | 53 | 54686 | 208.67.222.222 | 192.168.2.6 |
Jan 12, 2022 13:26:46.739839077 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8 |
Jan 12, 2022 13:26:47.118662119 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6 |
Jan 12, 2022 13:26:58.693052053 CET | 58177 | 53 | 192.168.2.6 | 8.8.8.8 |
Jan 12, 2022 13:26:58.711225033 CET | 53 | 58177 | 8.8.8.8 | 192.168.2.6 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 12, 2022 13:24:28.581885099 CET | 192.168.2.6 | 8.8.8.8 | 0x7d4c | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:24:29.624264956 CET | 192.168.2.6 | 8.8.8.8 | 0x10a9 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:24:30.696774960 CET | 192.168.2.6 | 8.8.8.8 | 0x63ac | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:26:11.697997093 CET | 192.168.2.6 | 8.8.8.8 | 0x7100 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:26:11.722532988 CET | 192.168.2.6 | 208.67.222.222 | 0x1 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Jan 12, 2022 13:26:11.741723061 CET | 192.168.2.6 | 208.67.222.222 | 0x2 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:26:11.794171095 CET | 192.168.2.6 | 208.67.222.222 | 0x3 | Standard query (0) | | AAAA (IPv6 address, type 28) | IN (0x0001) |
Jan 12, 2022 13:26:46.739839077 CET | 192.168.2.6 | 8.8.8.8 | 0xd1c0 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:26:58.693052053 CET | 192.168.2.6 | 8.8.8.8 | 0xe5f3 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 12, 2022 13:24:28.604604959 CET | 8.8.8.8 | 192.168.2.6 | 0x7d4c | No error (0) | | | 185.189.12.123 | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:24:29.642622948 CET | 8.8.8.8 | 192.168.2.6 | 0x10a9 | No error (0) | | | 185.189.12.123 | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:24:31.026072025 CET | 8.8.8.8 | 192.168.2.6 | 0x63ac | No error (0) | | | 185.189.12.123 | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:26:11.716238022 CET | 8.8.8.8 | 192.168.2.6 | 0x7100 | No error (0) | | | 208.67.222.222 | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:26:11.739139080 CET | 208.67.222.222 | 192.168.2.6 | 0x1 | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Jan 12, 2022 13:26:11.739139080 CET | 208.67.222.222 | 192.168.2.6 | 0x1 | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Jan 12, 2022 13:26:11.739139080 CET | 208.67.222.222 | 192.168.2.6 | 0x1 | No error (0) | | | | PTR (Pointer record) | IN (0x0001) |
Jan 12, 2022 13:26:11.758064032 CET | 208.67.222.222 | 192.168.2.6 | 0x2 | No error (0) | | | 102.129.143.64 | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:26:47.118662119 CET | 8.8.8.8 | 192.168.2.6 | 0xd1c0 | No error (0) | | | 185.189.12.123 | A (IP address) | IN (0x0001) |
Jan 12, 2022 13:26:58.711225033 CET | 8.8.8.8 | 192.168.2.6 | 0xe5f3 | No error (0) | | | 185.189.12.123 | A (IP address) | IN (0x0001) |
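The three queries to 208.67.222.222 (OpenDNS's resolver1) carry transaction IDs 0x1, 0x2 and 0x3 and arrive right after the default resolver 8.8.8.8 was asked for an A record that resolved to 208.67.222.222. That is the sequence nslookup.exe produces when invoked with an explicit server name: it resolves the server, sends a PTR for the server's address, then A and AAAA (type 28) for the target name, numbering its own queries from 1 instead of using random IDs. The following is an added example, not part of the Joe Sandbox report, that parses the DNS rows above (copied from the tables; the Name cells are empty on the page, so the check keys on resolver, transaction ID and record type only) and flags that pattern, joining the A answer to report the address the third-party resolver returned. Reading that address as the sandbox's public IP is an assumption, since the queried name is not on the page, and the function names are mine.

```python
"""Spot an nslookup-style lookup against a non-default resolver in the DNS rows above.

Added example, not part of the sandbox report. The rows are copied from the
'DNS Queries' and 'DNS Answers' tables; the Name column is empty on the page,
so the parser tolerates a missing name and the check never relies on it.
"""
from collections import Counter

DNS_QUERIES = """\
Jan 12, 2022 13:24:28.581885099 CET | 192.168.2.6 | 8.8.8.8 | 0x7d4c | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 12, 2022 13:24:29.624264956 CET | 192.168.2.6 | 8.8.8.8 | 0x10a9 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 12, 2022 13:24:30.696774960 CET | 192.168.2.6 | 8.8.8.8 | 0x63ac | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 12, 2022 13:26:11.697997093 CET | 192.168.2.6 | 8.8.8.8 | 0x7100 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 12, 2022 13:26:11.722532988 CET | 192.168.2.6 | 208.67.222.222 | 0x1 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | |
Jan 12, 2022 13:26:11.741723061 CET | 192.168.2.6 | 208.67.222.222 | 0x2 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 12, 2022 13:26:11.794171095 CET | 192.168.2.6 | 208.67.222.222 | 0x3 | Standard query (0) | 28 | IN (0x0001) | |
Jan 12, 2022 13:26:46.739839077 CET | 192.168.2.6 | 8.8.8.8 | 0xd1c0 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 12, 2022 13:26:58.693052053 CET | 192.168.2.6 | 8.8.8.8 | 0xe5f3 | Standard query (0) | A (IP address) | IN (0x0001) | |
"""

# Only the answer rows involved in the run are embedded here.
DNS_ANSWERS = """\
Jan 12, 2022 13:26:11.716238022 CET | 8.8.8.8 | 192.168.2.6 | 0x7100 | No error (0) | 208.67.222.222 | A (IP address) | IN (0x0001) | ||
Jan 12, 2022 13:26:11.739139080 CET | 208.67.222.222 | 192.168.2.6 | 0x1 | No error (0) | PTR (Pointer record) | IN (0x0001) | |||
Jan 12, 2022 13:26:11.758064032 CET | 208.67.222.222 | 192.168.2.6 | 0x2 | No error (0) | 102.129.143.64 | A (IP address) | IN (0x0001) | ||
"""

# Numeric RR types the report leaves unresolved (it prints 28 for AAAA).
RR_NUM = {"1": "A", "12": "PTR", "28": "AAAA"}


def rr_type(cell):
    """'A (IP address)' -> 'A', 'PTR (Pointer record)' -> 'PTR', '28' -> 'AAAA'."""
    token = cell.split()[0]
    return RR_NUM.get(token, token)


def _cells(line):
    cells = [c.strip() for c in line.split("|")]
    while cells and cells[-1] == "":          # drop the empty trailing cells
        cells.pop()
    return cells


def parse_query(line):
    ts, src, dst, tid, opcode, *rest = _cells(line)
    # rest is [name, type, class] when the name survived, [type, class] when not
    return {"ts": ts, "src": src, "dst": dst, "tid": tid, "op": opcode,
            "name": rest[0] if len(rest) == 3 else "",
            "type": rr_type(rest[-2]), "class": rest[-1]}


def parse_answer(line):
    ts, src, dst, tid, rcode, *rest = _cells(line)
    # rest ends [address, type, class]; the PTR answers on this page carry no
    # address cell, leaving only [type, class]
    return {"ts": ts, "src": src, "dst": dst, "tid": tid, "rcode": rcode,
            "address": rest[-3] if len(rest) >= 3 else "",
            "type": rr_type(rest[-2]), "class": rest[-1]}


def find_nslookup_ip_checks(queries=DNS_QUERIES, answers=DNS_ANSWERS):
    """Return one dict per run of queries that looks like 'nslookup <name> <server>'.

    Indicators, all visible in the report rows: the run goes to a resolver
    other than the one the host normally uses; its transaction IDs count
    0x1, 0x2, 0x3 ... rather than being random; and it opens with a PTR (the
    tool resolving the server's own address) followed by A for the target name.
    """
    qs = [parse_query(line) for line in queries.strip().splitlines()]
    ans = {}
    for line in answers.strip().splitlines():
        a = parse_answer(line)
        ans[(a["src"], a["tid"], a["type"])] = a
    default = Counter(q["dst"] for q in qs).most_common(1)[0][0]
    hits = []
    for resolver in sorted({q["dst"] for q in qs} - {default}):
        run = [q for q in qs if q["dst"] == resolver]
        ids = [int(q["tid"], 16) for q in run]
        types = [q["type"] for q in run]
        if ids != list(range(1, len(ids) + 1)) or types[:2] != ["PTR", "A"]:
            continue
        a_reply = ans.get((resolver, run[1]["tid"], "A"))
        hits.append({
            "resolver": resolver,
            "first_seen": run[0]["ts"],
            "types": types,
            "returned_address": a_reply["address"] if a_reply else "",
            # Did the host learn the resolver's IP from its default resolver
            # just before, i.e. was the server handed to the tool by name?
            "resolver_looked_up_first": any(
                a["src"] == default and a["address"] == resolver for a in ans.values()),
        })
    return hits


if __name__ == "__main__":
    for hit in find_nslookup_ip_checks():
        print(hit)
```

The same three signals (non-default resolver, transaction IDs counting from 1, PTR before A/AAAA) work on a firewall or DNS-server log where the query name is present, and there the name makes the public-IP interpretation a fact rather than an assumption.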
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.6 | 49768 | 185.189.12.123 | 80 | C:\Users\user\Desktop\lia.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 12, 2022 13:24:28.673512936 CET | 1134 | OUT | |
Jan 12, 2022 13:24:29.193212986 CET | 1135 | IN |