Windows Analysis Report
Ordene 501527,pdf.exe
Overview
General Information
Detection: AgentTesla, GuLoader
Score: 92 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Yara detected AgentTesla
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name differs from the original file name given in the version information
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Process Tree
- System is w10x64native
- Ordene 501527,pdf.exe (PID: 4496, cmdline: "C:\Users\user\Desktop\Ordene 501527,pdf.exe", MD5: 5162B6782F86F1F24E8610544D159AE9)
- CasPol.exe (PID: 4944, cmdline: "C:\Users\user\Desktop\Ordene 501527,pdf.exe", MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- CasPol.exe (PID: 4428, cmdline: "C:\Users\user\Desktop\Ordene 501527,pdf.exe", MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- conhost.exe (PID: 4596, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- flex.exe (PID: 7436, cmdline: "C:\Users\user\AppData\Roaming\flex\flex.exe", MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- conhost.exe (PID: 7356, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- flex.exe (PID: 5196, cmdline: "C:\Users\user\AppData\Roaming\flex\flex.exe", MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- conhost.exe (PID: 8164, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cleanup
Both CasPol.exe instances carry the sample's own command line rather than a CasPol.exe path, and the dropped flex.exe in the Roaming profile reports the same MD5 as CasPol.exe; the ATT&CK mapping below assigns one signature to Process Injection and eleven to Registry Run Keys / Startup Folder.
Malware Configuration
{"Exfil Mode": "SMTP", "SMTP Info": "ventas@merian.com.arofven1mail.merian.com.arkagawabunch869@gmail.com"}
The SMTP Info value runs several fields together without separators; the mail host mail.merian.com.ar contained in it is the second name in the DNS table below.
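As an added example, not part of the Joe Sandbox report and not the sandbox's own logic, the following Python turns four anomalies visible in the process tree into a hunting check over process-creation events: a CasPol.exe image running with another executable's command line, a binary executing from the user-writable Roaming profile (flex.exe), a document-lookalike double extension (",pdf.exe"), and one MD5 reported under two different image names (CasPol.exe and flex.exe). The event records are constructed from the tree; the directory of CasPol.exe is not given in the report, so only its name is used, and the field layout is a generic process-creation event rather than any particular product's schema.

```python
"""Hunt for the process-tree anomalies shown in the report above, over a
constructed set of process-creation records (modelled on the tree, not real
telemetry)."""
import ntpath
import re
from collections import defaultdict

# Constructed records: pid, command line and MD5 come from the process tree;
# CasPol.exe's on-disk path is not in the report, so only its name is given.
EVENTS = [
    {"pid": 4496, "image": r"C:\Users\user\Desktop\Ordene 501527,pdf.exe",
     "cmdline": r'"C:\Users\user\Desktop\Ordene 501527,pdf.exe"',
     "md5": "5162B6782F86F1F24E8610544D159AE9"},
    {"pid": 4944, "image": "CasPol.exe",
     "cmdline": r'"C:\Users\user\Desktop\Ordene 501527,pdf.exe"',
     "md5": "914F728C04D3EDDD5FBA59420E74E56B"},
    {"pid": 4428, "image": "CasPol.exe",
     "cmdline": r'"C:\Users\user\Desktop\Ordene 501527,pdf.exe"',
     "md5": "914F728C04D3EDDD5FBA59420E74E56B"},
    {"pid": 4596, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "81CA40085FC75BABD2C91D18AA9FFA68"},
    {"pid": 7436, "image": r"C:\Users\user\AppData\Roaming\flex\flex.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\flex\flex.exe"',
     "md5": "914F728C04D3EDDD5FBA59420E74E56B"},
    {"pid": 5196, "image": r"C:\Users\user\AppData\Roaming\flex\flex.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\flex\flex.exe"',
     "md5": "914F728C04D3EDDD5FBA59420E74E56B"},
]

# A document-type token glued to ".exe" by a separator, e.g. "invoice,pdf.exe".
DOC_DOUBLE_EXT = re.compile(r"[.,_ -](pdf|docx?|xlsx?|pptx?|txt)\.exe$", re.IGNORECASE)


def exe_from_cmdline(cmdline):
    """Return the executable path at the front of a Windows command line
    (quoted path or first whitespace-delimited token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def analyse(events):
    """Return (pid, kind, detail) findings; pid is None for cross-event findings."""
    findings = []
    by_hash = defaultdict(set)  # md5 -> image names it was seen under
    for ev in events:
        exe = exe_from_cmdline(ev["cmdline"])
        image = ntpath.basename(ev["image"]).lower()
        cmd_exe = ntpath.basename(exe).lower()
        # The process image and the executable named in its own command line
        # should agree; a mismatch is the classic hollowing / injection tell.
        if exe and image != cmd_exe:
            findings.append((ev["pid"], "image/cmdline mismatch",
                             f"{image} running with the command line of {cmd_exe}"))
        if "\\appdata\\roaming\\" in exe.lower():
            findings.append((ev["pid"], "executable in user-writable roaming profile", exe))
        if DOC_DOUBLE_EXT.search(image):
            findings.append((ev["pid"], "document-lookalike double extension", image))
        by_hash[ev["md5"].upper()].add(image)
    for md5, names in by_hash.items():
        if len(names) > 1:
            findings.append((None, "one file hash under several image names",
                             f"{md5}: {sorted(names)}"))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in analyse(EVENTS):
        print(f"{pid or '-':>5}  {kind}: {detail}")
```

The command-line check deliberately compares only the executable name, not the directory, so it still fires when the image path of the hollowed process is unknown, as it is for CasPol.exe here; on real telemetry add the parent process to each record to see which process launched the mismatched child.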
Rule | Description | Author |
---|---|---|
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_GuLoader_2 and JoeSecurity_AgentTesla_1 each matched on two sources.
⊘No Sigma rule has matched
⊘No Snort rule has matched
Signature evidence (only the evidence types and counts survive here; the per-row values such as paths, hosts, strings and addresses are not preserved):
- Malware Configuration Extractor: 1 entry
- Static PE information: 7 entries; Binary string: 8 entries; Binary or memory string: 1 entry
- Code functions: 1_2_004065A2, 1_2_0040596D, 1_2_00403350 (2), 9_2_01312168, 9_2_0131233B, 9_2_01312366, 9_2_1D7B9F18, 9_2_1D7B9648, 9_2_1D7B9300, 14_2_026E0D60, 16_2_02610D60, plus one function without an address
- Network: 1 IP address, 2 HTTP traffic, 2 TCP traffic, 50 TCP connections without a corresponding DNS query, 1 DNS traffic
- Strings found in binary or memory: 52 entries
- Runtime behaviour: 7 sections loaded, 1 dropped file, 2 files read, 2 keys opened, 8 processes created, 1 key value queried, 3 WMI queries, 2 files created, 1 classification label, 4 security API names, 6 mutants created, 1 file opened
Data Obfuscation
- File source: 2 entries; Code function: 9_2_013122E8; Static PE information: 1 entry
- File created: 4 dropped files, 11 other files
- Registry value created or modified: 2 entries
Hooking and other Techniques for Hiding and Protection
- File opened: 1 entry; Process information set: 101 entries
Malware Analysis System Evasion
- File opened: 2; Binary or memory string: 20; WMI queries: 5; Thread sleep time: 3; Thread delayed: 6; Last function: 3
- Dropped PE files which have not been started: 3
- Window / User API: 1; Process information queried: 1; System information queried: 1; Process token adjusted: 1; Process queried: 1; Memory allocated: 1; Queries volume information: 11; Key value queried: 1
- Code functions: 1_2_004065A2, 1_2_0040596D, 1_2_00403350; API call chains: graph_1-1311, graph_1-1492
Stealing of Sensitive Information
- File source: 4; File opened: 9; Key opened: 3
Remote Access Functionality
- File source: 2
MITRE ATT&CK mapping (the number is the count of signatures mapped to the technique):
Tactic | Techniques with matching signatures |
---|---|
Execution | Windows Management Instrumentation (211) |
Persistence | Registry Run Keys / Startup Folder (11); DLL Side-Loading (1) |
Privilege Escalation | Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (1) |
Defense Evasion | Virtualization/Sandbox Evasion (241); Obfuscated Files or Information (2); Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Masquerading (1); Access Token Manipulation (1); Process Injection (1); Hidden Files and Directories (1) |
Credential Access | OS Credential Dumping (2); Credentials in Registry (1) |
Discovery | Security Software Discovery (321); Virtualization/Sandbox Evasion (241); System Information Discovery (116); File and Directory Discovery (2); Process Discovery (1); Application Window Discovery (1) |
Collection | Data from Local System (2); Archive Collected Data (1); Email Collection (1) |
Command and Control | Application Layer Protocol (22); Non-Application Layer Protocol (2); Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1) |
Impact | System Shutdown/Reboot (1) |
Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects | no matching signatures |
Antivirus detection
Initial sample: 7% (ReversingLabs: Win32.Malware.Tedy)
Dropped files: 3% (Metadefender) on one of the four files, 0% (Metadefender, ReversingLabs) on the rest
Unpacked PE files: no antivirus matches
Domains: 0% (Virustotal)
URLs: 0% on all 16 entries (Avira URL Cloud: safe; Virustotal: 0%)
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
merian.com.ar | 69.61.116.42 | true | false | | unknown |
mail.merian.com.ar | unknown | unknown | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
69.61.116.42 | merian.com.ar | United States | 22653 | GLOBALCOMPASSUS | false |
141.98.6.239 | unknown | Germany | 33657 | CMCSUS | false |
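The IP table above shows one destination reached through a resolved name (merian.com.ar) and one, 141.98.6.239, with no domain at all, while the signature list reports TCP traffic without a corresponding DNS query, SMTP use and traffic on non-standard ports. As an added example that is not part of the report, the Python below runs that correlation over constructed Zeek-style DNS and connection records: the merian.com.ar answer matches the DNS table, but the client 10.0.0.5, every port, the timestamps and the 198.51.100.x servers are assumptions for illustration.

```python
"""Correlate DNS answers with connections to reproduce two of the report's
network findings: TCP traffic to an address no DNS query resolved, and SMTP
use (including on a non-standard port). The logs are constructed Zeek-style
dns/conn records, not the sandbox's own traffic capture."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS records: time, query name, answer ("-" = no answer).
# merian.com.ar -> 69.61.116.42 matches the report's DNS table; the
# updates.example.net entry is made up to provide a benign baseline.
DNS_LOG = """\
2022-08-08T13:29:40 updates.example.net 198.51.100.10
2022-08-08T13:30:16 merian.com.ar 69.61.116.42
2022-08-08T13:30:16 mail.merian.com.ar -
"""

# Constructed connection records: time, client, server, server port, proto,
# service as a sensor labels it. 141.98.6.239 is the report's second contacted
# IP (no domain); the client, ports, timestamps and 198.51.100.x are assumed.
CONN_LOG = """\
2022-08-08T13:29:41 10.0.0.5 198.51.100.10 443 tcp ssl
2022-08-08T13:30:17 10.0.0.5 69.61.116.42 587 tcp smtp
2022-08-08T13:30:20 10.0.0.5 141.98.6.239 8080 tcp -
2022-08-08T13:31:02 10.0.0.5 198.51.100.77 2525 tcp smtp
"""

STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}
SMTP_PORTS = {25, 465, 587}
DNS_WINDOW = timedelta(minutes=10)  # an older resolution does not explain a connection


def parse_dns(text):
    """Map each answered IP to the (time, name) pairs that resolved to it, oldest first."""
    answers = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, answer = line.split()
        if answer != "-":
            answers[answer].append((datetime.fromisoformat(ts), name))
    for pairs in answers.values():
        pairs.sort()
    return answers


def parse_conn(text):
    """Parse connection records into dicts."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, service = line.split()
        conns.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "service": service})
    return conns


def resolving_name(answers, conn):
    """Most recent name that resolved to the destination within DNS_WINDOW before the connection."""
    name = None
    for ts, candidate in answers.get(conn["dst"], []):
        if ts <= conn["ts"] and conn["ts"] - ts <= DNS_WINDOW:
            name = candidate
    return name


def analyse(dns_text, conn_text):
    """Return (dst, port, resolving name or None, tags) for every connection worth a look."""
    answers = parse_dns(dns_text)
    findings = []
    for conn in parse_conn(conn_text):
        name = resolving_name(answers, conn)
        tags = []
        if name is None:
            tags.append("no corresponding DNS query")
        if conn["service"] == "smtp":
            # A workstation speaking SMTP itself is the exfiltration channel in this report.
            tags.append("SMTP from endpoint")
            if conn["port"] not in SMTP_PORTS:
                tags.append("SMTP on non-standard port")
        elif conn["port"] not in STANDARD_PORTS:
            tags.append("non-standard port")
        if tags:
            findings.append((conn["dst"], conn["port"], name, tags))
    return findings


if __name__ == "__main__":
    for dst, port, name, tags in analyse(DNS_LOG, CONN_LOG):
        print(f"{dst}:{port} ({name or 'no DNS'}): {', '.join(tags)}")
```

Hard-coded addresses such as 141.98.6.239 in a sample are exactly what the "no corresponding DNS query" tag catches; the time window matters because a stale cached resolution from hours earlier should not be taken as an explanation for a new connection, and on real traffic you would also join the client address so that one host's DNS answers do not excuse another host's connections.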
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 680367
Start date and time: 2022-08-08 13:27:29 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 45s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Ordene 501527,pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.spyw.evad.winEXE@8/12@1/2
Cookbook Comments:
- Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.82.207.122, 20.93.58.141
- Excluded domains from analysis (whitelisted): wd-prod-cp-eu-north-3-fe.northeurope.cloudapp.azure.com, spclient.wg.spotify.com, client.wns.windows.com, wdcpalt.microsoft.com, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net
- Execution Graph export aborted for target flex.exe, PID 5196 because it is empty
- Execution Graph export aborted for target flex.exe, PID 7436 because it is empty
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description |
---|---|---|
13:30:16 | API Interceptor | |
13:30:18 | Autostart | |
13:30:27 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
69.61.116.42 | | | malicious | | |
141.98.6.239 | | | malicious | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | | | malicious | | |
GLOBALCOMPASSUS | | | malicious | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsd84B6.tmp\System.dll | | | malicious | | |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll | | | malicious | | |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll | | | malicious | | |
C:\Users\user\AppData\Roaming\flex\flex.exe | | | malicious | | |
Process: | C:\Users\user\AppData\Roaming\flex\flex.exe |
File Type: | |
Category: | modified |
Size (bytes): | 42 |
Entropy (8bit): | 4.0050635535766075 |
Encrypted: | false |
SSDEEP: | 3:QHXMKa/xwwUy:Q3La/xwQ |
MD5: | 84CFDB4B995B1DBF543B26B86C863ADC |
SHA1: | D2F47764908BF30036CF8248B9FF5541E2711FA2 |
SHA-256: | D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B |
SHA-512: | 485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Ordene 501527,pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.659384359264642 |
Encrypted: | false |
SSDEEP: | 192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz |
MD5: | 8B3830B9DBF87F84DDD3B26645FED3A0 |
SHA1: | 223BEF1F19E644A610A0877D01EADC9E28299509 |
SHA-256: | F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37 |
SHA-512: | D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03 |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: | |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll
Process: | C:\Users\user\Desktop\Ordene 501527,pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 53480 |
Entropy (8bit): | 6.013119476725682 |
Encrypted: | false |
SSDEEP: | 768:Sd5iVw6ve4HsIrMTW5q6Aq2g1AEpwhaPvWFzg4KClyQ2c94PkhEeaA2X9qKh:s4wmnMT6Jp2g1a4s+7 |
MD5: | 8D512C6FFE33E6B77981497ED40D9092 |
SHA1: | A31DE10B01C626D528FEF987CE5D7DB68D228849 |
SHA-256: | 25673566002F8EEF81872E2913DA0E44D0B7480EF824EDD1C12D725A122CAE1C |
SHA-512: | 479DDADE0F58CFDEB43EEACD38D0CE8A361275A2BD4257CDF4FA3DD5A5FEEF231E6E41D0F2BF3F17AF8DF38B0DB72114677C42B69865F90F81329041CDFBB4A5 |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: | |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll
Process: | C:\Users\user\Desktop\Ordene 501527,pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 356352 |
Entropy (8bit): | 5.597789776248351 |
Encrypted: | false |
SSDEEP: | 6144:gAENg6Ta1Hjxcv/IUIuoeT/xK6ur6EaPC:gdgbFK/IU7T/xK6ur6EaP |
MD5: | E047210B4CE2BBF0F6A9819031C5874A |
SHA1: | FBE964CABCD15468EFF6848ACE2F49E194C2B1B4 |
SHA-256: | F0C45C94B8B1B38718FD373E9E98BF76A5552D8405DE3A98A6CADBE9610F7E74 |
SHA-512: | 57754F490FAD208076EA717470E431493396556E5DC4BE53ED2ACFBBC00857B9F6A5AEDA66FFE82F4E4CF405ABEF16E72F77535932E9D166CC4F3DE262AC09D8 |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: | |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\edit-cut-symbolic.svg
Process: | C:\Users\user\Desktop\Ordene 501527,pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1327 |
Entropy (8bit): | 4.272364610533777 |
Encrypted: | false |
SSDEEP: | 24:2dPnnxu3tlKpRe+9abXi2QP+60wWgP7IC233P+60cXW7GTNWgPN:cfnHFabXij+zgP7ICK+r7GTUgPN |
MD5: | 36C1AE9391F50D4AD3A1E61CA30CBFCB |
SHA1: | DF3D58AB8DBFD1CE9F0456C4F8C84440A1005507 |
SHA-256: | 9FDDABAAF63AE19BA00A965BBDAACAC3703AB2F055661040A4ACFF2882D0087B |
SHA-512: | 180D77E3FA447CED1276C2E2070E110667530C864C71961E97E80B51C214C7BEBF604104F6A0DF87A4779E6E3AD08C5A574278F70C6D36C083FE727B1DD66476 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Perciform\Selskabelig\Hjemmeopgaven\vrkstedsbygninger\Ricciaceae185.Inc
Process: | C:\Users\user\Desktop\Ordene 501527,pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 76679 |
Entropy (8bit): | 6.814432315698124 |
Encrypted: | false |
SSDEEP: | 1536:XJV/wgXTw40tzGcM8E7nhHaxpqeGhJrfBxdKTi:XJWgXTyvE7nqMhJvL |
MD5: | FFDF86E18706923E73DE9A5D67A8C9EB |
SHA1: | F01102765BEEB1330F29E2427C9559EDBEEA8D4E |
SHA-256: | 63D2CBFFAB97859707640C94C9810AF953093F01FF0E7FDB2DBFF3827935EDC0 |
SHA-512: | 1D3E7DD9A687580682CB827CAB4C3D50F9EEC145411EEE24261DB0F89B8A087B5B6DE57B33E2D6B6E807D9AA79005050E5E09A4D58FC60F4E48F31BD32C7BF72 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 98304 |
Entropy (8bit): | 2.9216957692876595 |
Encrypted: | false |
SSDEEP: | 384:ST8XNcKu0iTwbAziYN570RMZXVuKnQM2V6ofbDO4xmTgZcZygSA2O9RVHfwrhhxV:JNcgiD5Q6luKQM2V7DXcAgSA2KD4jL |
MD5: | 1A706D20E96086886B5D00D9698E09DF |
SHA1: | DACF81D90647457585345BEDD6DE222E83FDE01F |
SHA-256: | 759F62B61AA65D6D5FAC95086B26D1D053CE1FB24A8A0537ACB42DDF45D2F19F |
SHA-512: | CFF7D42AA3B089759C5ACE934A098009D1A58111FE7D99AC7669B7F0A1C973907FD16A4DC1F37B5BE5252EC51B8D876511F4F6317583FA9CC48897B1B913C7F3 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\ec0qfe1f.342\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
File Type: | |
Category: | modified |
Size (bytes): | 98304 |
Entropy (8bit): | 0.08231524779339361 |
Encrypted: | false |
SSDEEP: | 12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO |
MD5: | 886A5F9308577FDF19279AA582D0024D |
SHA1: | CDCCC11837CDDB657EB0EF6A01202451ECDF4992 |
SHA-256: | BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2 |
SHA-512: | FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 108664 |
Entropy (8bit): | 5.8959760602012965 |
Encrypted: | false |
SSDEEP: | 1536:QSF7vA1hRqHNxxMjlI3ZC+0CtOss6mdcQ6A4vhZ91RKGpQJN:nA1hYPMUs6mdclA4vhNRKG4N |
MD5: | 914F728C04D3EDDD5FBA59420E74E56B |
SHA1: | 8C68CA3F013C490161C0156EF359AF03594AE5E2 |
SHA-256: | 7D3BDB5B7EE9685C7C18C0C3272DA2A593F6C5C326F1EA67F22AAE27C57BA1E6 |
SHA-512: | D7E49B361544BA22A0C66CF097E9D84DB4F3759FBCC20386251CAAC6DA80C591861C1468CB7A102EEE1A1F86C974086EBC61DE4027F9CD22AD06D63550400D6D |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
Process: | C:\Users\user\AppData\Roaming\flex\flex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 486 |
Entropy (8bit): | 5.043661544202442 |
Encrypted: | false |
SSDEEP: | 12:z30d30C4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3I3+DO4UE+Tz5JB |
MD5: | 323764DD20845C0EE00598E8EE35467C |
SHA1: | 7A3DC131CCF4B3A41893F83C553193267A7F654F |
SHA-256: | 7DEBA11FDF38735A63038192BF033BAE7F49E72E598F0AEFD3FC626477A31FEF |
SHA-512: | BF353BCB64D65024C7E627788D32087C15EC5F8780AACF61D57BC22923F2283D0A5ED389CA644270013835EF26269F2E5EEE4ED610AC88254855DE80D67F3700 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.549201429075207 |
TrID: |
|
File name: | Ordene 501527,pdf.exe |
File size: | 596608 |
MD5: | 5162b6782f86f1f24e8610544d159ae9 |
SHA1: | 0d1ead84c74ee462976928783c1f733aa859bc94 |
SHA256: | 6730e52c8075c7e044c2bbaf9f7ad8c0f7f8d03fb23adbd2331adc8b591caec7 |
SHA512: | ccbea38e4c47edf9172e47f8ea884bae222365500d17bc5d95bef911d64feb6857ac7c2d99bd9b6a0a6112a042ea0e74cd958b656883912827451f21c5113f83 |
SSDEEP: | 6144:B6bAcJOv+qlAcxp8XNbu0lTCzYQhb3VG+rmAYJDB5aRELlQBjokpKE+c0AzugkGd:a+NniSb3VtrHSaklQBjo0KE+72jCMii |
TLSH: | 96C4AE4179B86ED3F57E03716CA7869212A8EC141672E71B3192FE17B4B23532B0F29D |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....uY.................d....:.... |
Icon Hash: | 71c884a498dc7890 |
Entrypoint: | 0x403350 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x59759518 [Mon Jul 24 06:35:04 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b34f154ec913d2d2c435cbd644e91687 |
Signature Valid: | false |
Signature Issuer: | CN="Murdock Hjernespinds Orddannelserne ", OU="Beauti Pilede ", E=Sheeting@Beredelse213.Syn, O=Stregens, L=La Haie-Traversaine, S=Pays de la Loire, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | D9460ED9973B95EA8561C6C26E032EC9 |
Thumbprint SHA-1: | 64BCC2EC4F74B5FAADE9D48BAC0D710AFF171E4F |
Thumbprint SHA-256: | 599928258A412563BC2620CAD41D51A4EDCF5C8E724A9DF73E6996094DA70D1E |
Serial: | F03396B055CCF99F |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A2E0h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080A8h] |
call dword ptr [004080A4h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [007A8A2Ch], eax |
je 00007FE46088E853h |
push ebx |
call 00007FE460891AE9h |
cmp eax, ebx |
je 00007FE46088E849h |
push 00000C00h |
call eax |
mov esi, 004082B0h |
push esi |
call 00007FE460891A63h |
push esi |
call dword ptr [00408150h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007FE46088E82Ch |
push 0000000Ah |
call 00007FE460891ABCh |
push 00000008h |
call 00007FE460891AB5h |
push 00000006h |
mov dword ptr [007A8A24h], eax |
call 00007FE460891AA9h |
cmp eax, ebx |
je 00007FE46088E851h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007FE46088E849h |
or byte ptr [007A8A2Fh], 00000040h |
push ebp |
call dword ptr [00408044h] |
push ebx |
call dword ptr [004082A0h] |
mov dword ptr [007A8AF8h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 0079FEE0h |
call dword ptr [00408188h] |
push 0040A2C8h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c4000 | 0x59b58 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8fd60 | 0x1d20 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x63c8 | 0x6400 | False | 0.6766015625 | data | 6.504099201068482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x138e | 0x1400 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x39eb38 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x3a9000 | 0x1b000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3c4000 | 0x59b58 | 0x59c00 | False | 0.4010598015320334 | data | 5.323726974368565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x3c4328 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0x406350 | 0xe8be | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_ICON | 0x414c10 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States |
RT_ICON | 0x418e38 | 0x25a8 | data | English | United States |
RT_ICON | 0x41b3e0 | 0x10a8 | data | English | United States |
RT_ICON | 0x41c488 | 0x988 | data | English | United States |
RT_ICON | 0x41ce10 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_DIALOG | 0x41d278 | 0x100 | data | English | United States |
RT_DIALOG | 0x41d378 | 0x11c | data | English | United States |
RT_DIALOG | 0x41d498 | 0xc4 | data | English | United States |
RT_DIALOG | 0x41d560 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x41d5c0 | 0x68 | data | English | United States |
RT_VERSION | 0x41d628 | 0x1ec | data | English | United States |
RT_MANIFEST | 0x41d818 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 8, 2022 13:30:13.573781013 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.573834896 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.573967934 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574019909 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574083090 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574116945 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574186087 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574228048 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574244976 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574342012 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574388981 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574445009 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574460030 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574517012 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574605942 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574623108 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574695110 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574743032 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574784040 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574794054 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574841022 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574857950 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574914932 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.574932098 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.574984074 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575026035 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.575057983 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575112104 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575144053 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.575165987 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575191975 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.575231075 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575279951 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.575284958 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575341940 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575351954 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.575404882 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575453043 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575476885 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.575512886 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575525045 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.575578928 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.575603008 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.575675011 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.575802088 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.595017910 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.595192909 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.595202923 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.595364094 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.595387936 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.595510960 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.595518112 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.595640898 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.595665932 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.595710039 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.595767021 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.595834970 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.595854998 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.595905066 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.595921040 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.595949888 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.595977068 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596036911 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596049070 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.596101046 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596151114 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.596152067 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596199036 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.596213102 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596266985 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.596271038 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596338034 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596364975 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.596400976 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596455097 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596501112 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.596503019 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596561909 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596609116 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596662998 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596663952 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.596714973 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.596726894 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596797943 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596812010 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.596864939 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596915007 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.596960068 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597001076 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.597012043 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597014904 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.597073078 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597120047 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597166061 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597220898 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.597232103 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597234964 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.597300053 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597315073 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.597337961 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.597374916 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597431898 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597460985 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.597492933 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597512007 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.597559929 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597600937 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:30:13.597702980 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:13.597752094 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:30:24.417429924 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:24.535268068 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:24.535497904 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:24.723265886 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:24.723635912 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:24.847345114 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:24.847774029 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:24.973896980 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.022278070 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.049010992 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.193759918 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.193836927 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.193892002 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.193929911 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.194008112 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.194061041 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.198251963 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.200474024 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.311923027 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.366019011 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.500152111 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.620965004 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.622903109 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.733578920 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.734220028 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.847384930 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.848804951 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:25.959038973 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:25.959487915 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:26.256479025 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:26.366122961 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:26.434366941 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:26.434782982 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:26.544560909 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:26.544610977 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:26.558662891 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:26.558693886 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:26.558717966 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:26.558784962 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:26.668802023 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:26.668915033 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:26.668956995 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:26.668994904 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:31.220776081 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:31.270893097 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:33.539383888 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:33.689703941 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:33.980900049 CEST | 587 | 49796 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:33.985735893 CEST | 49796 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:33.987236023 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.096883059 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.097126007 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.274610043 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.275027037 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.385174990 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.385531902 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.496872902 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.497580051 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.613151073 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.613235950 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.613296986 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.613342047 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.613449097 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.613511086 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.614737988 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.616295099 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.726613045 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.727612019 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.837651014 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.838013887 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:34.948286057 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:34.948803902 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.061976910 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.062355995 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.172359943 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.172725916 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.322868109 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.326308966 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.326631069 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.436172962 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.436268091 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.437614918 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.437699080 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.437784910 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.437856913 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.438224077 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.438255072 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.438297987 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.548830986 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.548923969 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.548943043 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.548960924 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.548976898 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.548995972 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.549011946 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.549030066 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.549082041 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.549253941 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.549431086 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:30:35.658607960 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.658653021 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.658709049 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.659488916 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:35.659569025 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:42.131805897 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:30:42.174938917 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:32:03.407073975 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:32:03.426404953 CEST | 80 | 49793 | 141.98.6.239 | 192.168.11.20 |
Aug 8, 2022 13:32:03.426548004 CEST | 49793 | 80 | 192.168.11.20 | 141.98.6.239 |
Aug 8, 2022 13:32:03.516607046 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Aug 8, 2022 13:32:03.781115055 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:32:04.053133011 CEST | 587 | 49797 | 69.61.116.42 | 192.168.11.20 |
Aug 8, 2022 13:32:04.053857088 CEST | 49797 | 587 | 192.168.11.20 | 69.61.116.42 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 8, 2022 13:30:23.502373934 CEST | 55033 | 53 | 192.168.11.20 | 1.1.1.1 |
Aug 8, 2022 13:30:24.407882929 CEST | 53 | 55033 | 1.1.1.1 | 192.168.11.20 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 8, 2022 13:30:23.502373934 CEST | 192.168.11.20 | 1.1.1.1 | 0x87d9 | Standard query (0) | | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 8, 2022 13:30:24.407882929 CEST | 1.1.1.1 | 192.168.11.20 | 0x87d9 | No error (0) | | merian.com.ar | | CNAME (Canonical name) | IN (0x0001) |
Aug 8, 2022 13:30:24.407882929 CEST | 1.1.1.1 | 192.168.11.20 | 0x87d9 | No error (0) | | | 69.61.116.42 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49793 | 141.98.6.239 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Aug 8, 2022 13:30:13.467061996 CEST | 9013 | OUT | |
Aug 8, 2022 13:30:13.487915039 CEST | 9014 | IN | |