Edit tour
Windows
Analysis Report
Id4zlrsrZ4.exe
Overview
General Information
| Sample Name: | Id4zlrsrZ4.exe |
| Analysis ID: | 684211 |
| MD5: | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1: | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256: | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| Tags: | exePhorpiex |
| Infos: |  |
 | |
Detection
Phorpiex
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Phorpiex
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Found evasive API chain (may stop execution after checking mutex)
Found strings related to Crypto-Mining
Creates HTML files with .exe extension (expired dropper behavior)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to detect sleep reduction / modifications
Contains functionality to check if Internet connection is working
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality for read data from the clipboard
Classification
- System is w10x64
Id4zlrsrZ4.exe (PID: 6224 cmdline: "C:\Users\ user\Deskt op\Id4zlrs rZ4.exe" MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A) - winrecsv.exe (PID: 6244 cmdline:
C:\Windows \winrecsv. exe MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A)
- winrecsv.exe (PID: 6516 cmdline:
"C:\Window s\winrecsv .exe" MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A) - 509517324.exe (PID: 6816 cmdline:
C:\Users\u ser~1\AppD ata\Local\ Temp\50951 7324.exe MD5: A475E43527D7DC7D6F2D23BAD64FCC99)
- cleanup
{"C2 url": "http://185.215.113.66/twizt/", "Wallet": ["12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc", "1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD", "3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg", "3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz", "lskbjrchofkmqtugfw28ot7jzv96u75xzyb5bvoop", "qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k", "XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8", "DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG", "0xb899fC445a1b61Cdd62266795193203aa72351fE", "LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7", "r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1", "TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5", "t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy", "terra1smy8jurjwm790qrt5z3qrsyrx9a3lcwehvzmw3", "tz1fpBZAB1jz7RsefBjT94VR3h5VzL4akg6L", "hxc65003fbd738014cf286edf92f9ddac689ec4de5", "QYHny85SWYTLcZFFNNoVovyN15eNbwZdW6", "RRQ9QGcqnHEqJAbcEjs9X3EYsEfXrZPvEi", "NC7YTU5BSOVDYRUPWA3KUXP437AEZ7JNE2H3EYGI", "AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX", "SNCjaBTsinQUDTjBvBoDLVm2AnN2qXeMCs", "zil14rxudm29xzmu9cyk0mcwvrlxm086evuawjy2ev", "s1dSgik6QuCDrRnw9yvtrLCvRLDemi2juJe", "bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k", "cosmos156h8kejuwm3n7ywpwajplfzahgum8lenvkezny", "4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK", "addr1q8ujsfumgrpjvp2v6s3cfndz7yqf7cgpnjfpdlqxfphwfa0e9qneksxrycz5e4prsnx69ugqnassr8yjzm7qvjrwun6s6dfsrt", "aPSfmf1H5DNksgcUMV39NPJcSj832L2okm", "FeGdLZrnbVLsmiY9tZ4ssoRjdLDxiigQBL", "GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY", "GSdrN7W3GsqsxqaXg4x9k5C8cf1uJeoFFg", "bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky", "band1f2nuxcxahrph4n4gpy4lndsp5q342fz0yjh945", "bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | ReversingLabs: | |||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 0_2_0040AB50 | |
| Source: | Code function: | 1_2_0040AB50 | |
| Source: | Code function: | 5_2_0040AB50 | |
Phishing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Bitcoin Miner | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00404A90 | |
| Source: | Code function: | 0_2_00404BD0 | |
| Source: | Code function: | 1_2_00404A90 | |
| Source: | Code function: | 1_2_00404BD0 | |
| Source: | Code function: | 5_2_00404A90 | |
| Source: | Code function: | 5_2_00404BD0 | |
Networking | |
|---|
| Source: | File created: | ||
| Source: | Code function: | 0_2_00409880 | |
| Source: | Code function: | 1_2_00409880 | |
| Source: | Code function: | 5_2_00409880 | |
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_0040C840 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | Code function: | 0_2_00403DB0 | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00403DB0 | |
| Source: | Code function: | 0_2_00403480 | |
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_004092E0 | |
| Source: | Code function: | 0_2_0040F088 | |
| Source: | Code function: | 0_2_00402E90 | |
| Source: | Code function: | 0_2_00406950 | |
| Source: | Code function: | 0_2_00406979 | |
| Source: | Code function: | 1_2_004092E0 | |
| Source: | Code function: | 1_2_0040F088 | |
| Source: | Code function: | 1_2_00402E90 | |
| Source: | Code function: | 1_2_00406950 | |
| Source: | Code function: | 1_2_00406979 | |
| Source: | Code function: | 5_2_004092E0 | |
| Source: | Code function: | 5_2_0040F088 | |
| Source: | Code function: | 5_2_00402E90 | |
| Source: | Code function: | 5_2_00406950 | |
| Source: | Code function: | 5_2_00406979 | |
| Source: | Code function: | 0_2_0040C210 | |
| Source: | Code function: | 0_2_0040F2CD | |
| Source: | Code function: | 1_2_0040C210 | |
| Source: | Code function: | 1_2_0040F2CD | |
| Source: | Code function: | 5_2_0040C210 | |
| Source: | Code function: | 5_2_0040F2CD | |
| Source: | Dropped File: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004054D0 | |
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | 0_2_004050B0 | |
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
Persistence and Installation Behavior | |
|---|
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_1-4253 | ||
| Source: | Evasive API call chain: | graph_1-4253 | ||
| Source: | Evasive API call chain: | graph_0-4253 | ||
| Source: | Evasive API call chain: | graph_0-4253 | ||
| Source: | Code function: | 0_2_0040B8F0 | |
| Source: | Code function: | 1_2_0040B8F0 | |
| Source: | Code function: | 5_2_0040B8F0 | |
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Evaded block: | graph_0-4341 | ||
| Source: | Evaded block: | graph_1-4253 | ||
| Source: | Evasive API call chain: | graph_0-4267 | ||
| Source: | Evasive API call chain: | |||
| Source: | Evasive API call chain: | graph_1-4267 | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Code function: | 5_2_0040B8F0 | |
| Source: | Code function: | 0_2_0040B8F0 | |
| Source: | Code function: | 0_2_0040EEA0 | |
| Source: | Code function: | 0_2_00404A90 | |
| Source: | Code function: | 0_2_00404BD0 | |
| Source: | Code function: | 1_2_00404A90 | |
| Source: | Code function: | 1_2_00404BD0 | |
| Source: | Code function: | 5_2_00404A90 | |
| Source: | Code function: | 5_2_00404BD0 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | API call chain: | graph_0-4254 | ||
| Source: | API call chain: | graph_0-4279 | ||
| Source: | API call chain: | graph_1-4279 | ||
| Source: | API call chain: | graph_1-4314 | ||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00408C70 | |
| Source: | Code function: | 0_2_0040D4A0 | |
| Source: | Code function: | 1_2_0040D4A0 | |
| Source: | Code function: | 5_2_0040D4A0 | |
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_0040DC40 | |
| Source: | Code function: | 0_2_0040EEA0 | |
| Source: | Code function: | 0_2_0040E110 | |
| Source: | Code function: | 0_2_0040C930 | |
| Source: | Code function: | 1_2_0040DC40 | |
| Source: | Code function: | 1_2_0040EEA0 | |
| Source: | Code function: | 1_2_0040E110 | |
| Source: | Code function: | 1_2_0040C930 | |
| Source: | Code function: | 5_2_0040DC40 | |
| Source: | Code function: | 5_2_0040EEA0 | |
| Source: | Code function: | 5_2_0040E110 | |
| Source: | Code function: | 5_2_0040C930 | |
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 11 Native API | Path Interception | 1 Process Injection | 121 Masquerading | 21 Input Capture | 231 Security Software Discovery | Remote Services | 21 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 1 Remote System Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | Automated Exfiltration | 4 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Process Injection | NTDS | 1 System Network Connections Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | 12 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 70% | Virustotal | Browse | ||
| 74% | ReversingLabs | Win32.Trojan.FWDisable | ||
| 100% | Avira | HEUR/AGEN.1237550 | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1237550 | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | ||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 52% | Metadefender | Browse | ||
| 88% | ReversingLabs | Win32.Trojan.Donut | ||
| 74% | ReversingLabs | Win32.Trojan.FWDisable |
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 15% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| false | high | |||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| true |
| unknown | ||
| true |
| unknown | ||
| false | high | |||
| true |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.215.113.66 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | false | |
| 105.106.149.0 | unknown | Algeria | 36947 | ALGTEL-ASDZ | false | |
| 239.255.255.250 | unknown | Reserved | unknown | unknown | false | |
| 176.194.22.84 | unknown | Russian Federation | 12714 | TI-ASMoscowRussiaRU | false | |
| 185.215.113.84 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true | |
| 89.236.217.87 | unknown | Uzbekistan | 39032 | ISPETCUZ | false |
| IP |
|---|
| 192.168.2.1 |
| Joe Sandbox Version: | 35.0.0 Citrine |
| Analysis ID: | 684211 |
| Start date and time: | 2022-08-15 18:30:01 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 7m 46s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | Id4zlrsrZ4.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 20 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.evad.mine.winEXE@8/7@0/7 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.109.209.108
- Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, redir.update.msft.com.trafficmanager.net, login.live.com, store-images.s-microsoft.com, www.update.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 18:31:06 | API Interceptor | |
| 18:31:09 | API Interceptor | |
| 18:31:12 | Autostart | |
| 18:31:36 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 185.215.113.66 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 239.255.255.250 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 185.215.113.84 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| WHOLESALECONNECTIONSNL | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| ALGTEL-ASDZ | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
| Process: | C:\Windows\winrecsv.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6912 |
| Entropy (8bit): | 7.973025390406073 |
| Encrypted: | false |
| SSDEEP: | 96:oj6V/SoG95rGUWjQXk2i4yZwil2aFrl28WqR/P7/8lOmAzhBHqsUNDjUmD2eEN8x:oeVhGLr0QXj1yZHl9RZz8lwt8fNXr |
| MD5: | 9E2F163C15EE457BE1F51981985570A1 |
| SHA1: | 4A191E6DA4A85B915F285E758D0789D2EDE3AFF1 |
| SHA-256: | C7DE55DDD548F4F268979E1F0C70AB0EDB2566C0CE46B921EA281E1570ABAD82 |
| SHA-512: | 4B3EAE4A1DF79AC8805F46D32DAECDB54028D160A5056679D4478C08E7F8FF42DF5F84F4B1FE2CB8B5F3574EAE5B18A94AD865EDFC4D314A51118316C907967D |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\509517324.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 564 |
| Entropy (8bit): | 4.775290370533887 |
| Encrypted: | false |
| SSDEEP: | 12:TjeRHVIdtklI5rRCNGlTF5TF5TF5TF5TF5TFK:neRH688lTPTPTPTPTPTc |
| MD5: | 5DA4C1420F84EC727D1B6BDD0D46E62E |
| SHA1: | 280D08D142F7386283F420444EC48E1CDBFD61BB |
| SHA-256: | 3C8CC37A98346BD0123B35E5CCD87BD07D69914DAE04F8B49F61C150D96E9D1F |
| SHA-512: | 7C51A628831D0236E8D314C71732B8A62E06334431D10F7C293C49B23665B2A6A1DDBC4772009010955B5228EA4A5CD97FB93581CE391EE1792E8A198B76111A |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\winrecsv.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6656 |
| Entropy (8bit): | 4.230127984822324 |
| Encrypted: | false |
| SSDEEP: | 96:nYdJtz6aW+HMl7hswYGZ9w/Ptboynun9Cth:nktz/67hO/P1oynW8 |
| MD5: | A475E43527D7DC7D6F2D23BAD64FCC99 |
| SHA1: | 793A7625C0106D6CD79D060B4EEC94E58530833E |
| SHA-256: | F97C43BF3DCE6180E658F2C3776E31CF52472B28AC8249BE4D307880B6405EEB |
| SHA-512: | 4AF57A218D7D790B5EC4581DD2BC941DEFF05EA11BF6054A9D268C054AF421977CDD68D5090884358208925F50023C97E9CFABA0831D72E9BCDCCA729447D900 |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\winrecsv.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 4096 |
| Entropy (8bit): | 4.818471917182262 |
| Encrypted: | false |
| SSDEEP: | 96:IlukshBzu5Gen5eRl7KKCek/Wok71L6LoDez8seyZ61ocHPL:I8jhBzHe0VKSUkRGsDmeyGoGL |
| MD5: | FBC49CE2908C1B0B1532569F35D123FF |
| SHA1: | BB0948AD3CE4472B6A9A03F4FB5F1A04216C9AE9 |
| SHA-256: | D3F2C2406407678E4CF9507F48143A6B39261F11835ACD32585FC9D789A4EB7C |
| SHA-512: | F46D81481B015DAA94A52826CACDCEE00B4A98D7A938B36F1F3F2372C00B08003AB2FB859DEEC3DA82B3E8A9FC65632A469CCF67FFA5AF999564E68F67F00212 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\509517324.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1572864 |
| Entropy (8bit): | 4.273557257647912 |
| Encrypted: | false |
| SSDEEP: | 12288:bwb+0Th31Trp3TSP6a0rOupypy+Z6U6KvUJn5CmGreLzGGUsyU:ka0Th31Trp3TSP6ff+C |
| MD5: | 8DBEF248F4B8327279613A374208D979 |
| SHA1: | CD8BF0CF7FF05E0DA686EF2F11C0CC5ECEA94634 |
| SHA-256: | AF29DD441C0D4156DF24A534E10A381F7465CB8D2E4DB00F79B4848FE2203028 |
| SHA-512: | 285BE7CAF852291F67503C03329447A42B704F32E56EE64CD2FBF9E6889EBDD38E8411F239820413BB0E1C8FBBCD6E02C5AD3E880737544E329CF635C57507EC |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\509517324.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12288 |
| Entropy (8bit): | 3.3091281554845113 |
| Encrypted: | false |
| SSDEEP: | 192:lRTHAZo19YOx3x1YN5FSE0V1w5G5tGrgM3+4:rT255e+G5tGrN+4 |
| MD5: | 086FD986F38603874BB00AB8F63F8DBD |
| SHA1: | F8BA4481F857FA46502D788A417F5B135DF4B5FE |
| SHA-256: | 0E7FD6EB2B50E9E7D0C9A9D4AC960F3EB32D070B80CED28CD0C24E7837FE336E |
| SHA-512: | 71788E2D873A89BDFFE01F312701FD787BBFCC81DA5591A7B15BE3B58C86FD450CF74D96763FE431F9A7F2D24EF64379E220C0B5F85AAD89DF61B0A04F750F13 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Id4zlrsrZ4.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 77312 |
| Entropy (8bit): | 6.345505183378638 |
| Encrypted: | false |
| SSDEEP: | 1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr |
| MD5: | ED2D7B25BB360CCCB4F0F6A4F8732D7A |
| SHA1: | 6FFCC083956C5AC19826BDD87E12F87817EE837C |
| SHA-256: | 22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092 |
| SHA-512: | 6592EC1A12F9575176474C6192D49F4F4A87998DA6692E07E8BA6A93789D6A92E41DBABD3488A27A49EC8C8C414E02751867FEB2A0038E4091630CA3E4FB235F |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Preview: |
| File type: | |
| Entropy (8bit): | 6.345505183378638 |
| TrID: |
|
| File name: | Id4zlrsrZ4.exe |
| File size: | 77312 |
| MD5: | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1: | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256: | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512: | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
| SSDEEP: | 1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr |
| TLSH: | CB732810F6D0C03AF0F740FBE2FB05AA592CEFB4530698E752D9A85F5B215D1A9364A3 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K...K...K...J...K.......K.......K...D...K..&&...K...J.~.K..&0...K.......K.......K.Rich..K.........PE..L...0D.b........... |
 | |
| Icon Hash: | 00828e8e8686b000 |
| Entrypoint: | 0x405a20 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x62FA4430 [Mon Aug 15 13:03:44 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 2f2316fb946682a102e453a8ae405904 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| sub esp, 00000C4Ch |
| push 00001B58h |
| call dword ptr [004100F0h] |
| mov dword ptr [ebp-00000214h], 00000000h |
| mov dword ptr [ebp-0000083Ch], 00002332h |
| mov eax, dword ptr [ebp-00000214h] |
| cmp eax, dword ptr [ebp-0000083Ch] |
| jnc 00007FF3C0B6163Bh |
| push 00000000h |
| push 00413C60h |
| call dword ptr [004101C0h] |
| mov dword ptr [ebp-00000A50h], eax |
| cmp dword ptr [ebp-00000A50h], 00000000h |
| je 00007FF3C0B61607h |
| push 000003E8h |
| call dword ptr [004100F0h] |
| push 00413C60h |
| push 00413C8Ch |
| call dword ptr [00410098h] |
| push 00413C60h |
| push 00413C8Ch |
| call dword ptr [00410098h] |
| push 00000000h |
| push 00413C60h |
| call dword ptr [004101C0h] |
| mov dword ptr [ebp-00000A74h], eax |
| cmp dword ptr [ebp-00000A74h], 00000000h |
| je 00007FF3C0B60ECDh |
| push 000003E8h |
| call dword ptr [004100F0h] |
| push 00413C60h |
| push 00413C8Ch |
| call dword ptr [00410098h] |
| push 000003E8h |
| call dword ptr [004100F0h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11f1c | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x10000 | 0x318 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xe4fc | 0xe600 | False | 0.4665591032608696 | data | 6.11073833830779 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x10000 | 0x2eca | 0x3000 | False | 0.4490559895833333 | data | 5.5519954819651245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x13000 | 0x26e0 | 0x1400 | False | 0.6556640625 | data | 6.173018070745021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| WS2_32.dll | recvfrom, setsockopt, sendto, bind, WSAStartup, ioctlsocket, recv, send, WSACloseEvent, WSARecv, WSASend, WSAGetLastError, WSAEnumNetworkEvents, gethostname, connect, inet_ntoa, inet_addr, htons, getsockname, shutdown, socket, closesocket, gethostbyname, WSAEventSelect, WSAGetOverlappedResult, WSAWaitForMultipleEvents, getpeername, accept, WSACreateEvent, WSASocketA, listen |
| SHLWAPI.dll | PathFileExistsW, StrCmpNW, PathMatchSpecW, PathFindFileNameW, PathFileExistsA, StrChrA, StrStrIA, StrCmpNIA, StrStrW |
| urlmon.dll | URLDownloadToFileW |
| WININET.dll | InternetConnectA, InternetOpenUrlW, HttpQueryInfoA, InternetOpenW, HttpSendRequestA, HttpAddRequestHeadersA, HttpOpenRequestA, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle, InternetCrackUrlA |
| ntdll.dll | memcpy, _chkstk, _aulldiv, RtlUnwind, memmove, mbstowcs, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtQueryVirtualMemory, strstr, isdigit, isalpha, _allshl, _aullshr, memset |
| msvcrt.dll | rand, srand, _vscprintf |
| KERNEL32.dll | MoveFileW, CreateProcessW, GetLocaleInfoA, DuplicateHandle, DeleteCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentThread, GetCurrentProcess, InterlockedExchangeAdd, InterlockedIncrement, InterlockedExchange, WaitForSingleObject, InterlockedDecrement, GetCurrentProcessId, HeapSetInformation, GetProcessHeaps, GetSystemInfo, PostQueuedCompletionStatus, HeapValidate, HeapCreate, HeapFree, HeapAlloc, HeapReAlloc, ExpandEnvironmentStringsW, CreateThread, DeleteFileA, CreateMutexA, MoveFileA, GetLastError, CreateEventA, ExitProcess, GetQueuedCompletionStatus, CreateIoCompletionPort, SetEvent, GetVolumeInformationW, SetFileAttributesW, lstrcpyW, DeleteFileW, GetDiskFreeSpaceExW, FindNextFileW, lstrcmpiW, QueryDosDeviceW, RemoveDirectoryW, FindClose, lstrlenA, GlobalLock, GetModuleHandleW, GetTickCount, GlobalAlloc, Sleep, lstrcpynW, ExitThread, MultiByteToWideChar, lstrlenW, GlobalUnlock, GetFileSize, MapViewOfFile, UnmapViewOfFile, WriteFile, InitializeCriticalSection, LeaveCriticalSection, CreateFileW, FlushFileBuffers, EnterCriticalSection, CreateFileMappingW, CloseHandle, FindFirstFileW, GetDriveTypeW, MoveFileExW, CreateDirectoryW, GetLogicalDrives, CopyFileW, GetModuleFileNameW, lstrcmpW |
| USER32.dll | SendMessageA, wsprintfW, IsClipboardFormatAvailable, RegisterClassExW, GetWindowLongW, GetClipboardData, EmptyClipboard, ChangeClipboardChain, SetWindowLongW, CloseClipboard, GetMessageA, FindWindowA, ShowWindow, wsprintfA, SetForegroundWindow, wvsprintfA, TranslateMessage, DefWindowProcA, RegisterRawInputDevices, CreateWindowExW, DispatchMessageA, OpenClipboard, SetClipboardData, SetClipboardViewer |
| ADVAPI32.dll | RegSetValueExW, CryptGenRandom, CryptReleaseContext, CryptAcquireContextW, RegQueryValueExW, RegOpenKeyExA, RegSetValueExA, RegCloseKey, RegOpenKeyExW |
| SHELL32.dll | ShellExecuteW |
| ole32.dll | CoInitializeEx, CoCreateInstance, CoInitialize, CoUninitialize |
| OLEAUT32.dll | SysFreeString, SysAllocString |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 15, 2022 18:31:30.772701025 CEST | 49762 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:30.829678059 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:30.829869986 CEST | 49762 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:30.836591005 CEST | 49762 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:30.893178940 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:30.893227100 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:30.893254995 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:30.893306971 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:30.893336058 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:30.893359900 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:30.893424034 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:30.893436909 CEST | 49762 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:30.893493891 CEST | 49762 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.001279116 CEST | 49762 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.001372099 CEST | 49762 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.058437109 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.058501005 CEST | 49762 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.058612108 CEST | 80 | 49762 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.058660984 CEST | 49762 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.186661959 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.245110035 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.245215893 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.247442961 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.304191113 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.304255009 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.304302931 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.304336071 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.304343939 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.304367065 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.304390907 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.304414034 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.304436922 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.304444075 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.304474115 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:31.304493904 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:31.304615021 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:33.790317059 CEST | 49764 | 40500 | 192.168.2.7 | 176.194.22.84 |
| Aug 15, 2022 18:31:36.832381010 CEST | 49764 | 40500 | 192.168.2.7 | 176.194.22.84 |
| Aug 15, 2022 18:31:38.258161068 CEST | 49765 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:38.315890074 CEST | 80 | 49765 | 185.215.113.84 | 192.168.2.7 |
| Aug 15, 2022 18:31:38.316106081 CEST | 49765 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:38.323205948 CEST | 49765 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:38.378767014 CEST | 80 | 49765 | 185.215.113.84 | 192.168.2.7 |
| Aug 15, 2022 18:31:38.378837109 CEST | 80 | 49765 | 185.215.113.84 | 192.168.2.7 |
| Aug 15, 2022 18:31:38.378969908 CEST | 49765 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:38.826719999 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:38.883723974 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:38.883768082 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:38.883826971 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:39.898257017 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:39.954905033 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:39.955102921 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:39.955193996 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:40.983021021 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:41.042918921 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:41.046889067 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:42.926670074 CEST | 49764 | 40500 | 192.168.2.7 | 176.194.22.84 |
| Aug 15, 2022 18:31:43.014853001 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:43.071795940 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:43.072801113 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:44.812818050 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:44.871459961 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:44.871617079 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:45.125787973 CEST | 49765 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:45.126938105 CEST | 49767 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:45.184633970 CEST | 80 | 49767 | 185.215.113.84 | 192.168.2.7 |
| Aug 15, 2022 18:31:45.184873104 CEST | 49767 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:45.186141968 CEST | 80 | 49765 | 185.215.113.84 | 192.168.2.7 |
| Aug 15, 2022 18:31:45.186245918 CEST | 49765 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:45.186839104 CEST | 49767 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:45.245997906 CEST | 80 | 49767 | 185.215.113.84 | 192.168.2.7 |
| Aug 15, 2022 18:31:45.246023893 CEST | 80 | 49767 | 185.215.113.84 | 192.168.2.7 |
| Aug 15, 2022 18:31:45.246228933 CEST | 49767 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:45.524461985 CEST | 49767 | 80 | 192.168.2.7 | 185.215.113.84 |
| Aug 15, 2022 18:31:48.190406084 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:48.191395044 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:48.253849030 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:48.254038095 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:48.254514933 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:48.254626989 CEST | 80 | 49763 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:48.254724979 CEST | 49763 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:48.316457033 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:48.316487074 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:48.316560984 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:49.321367979 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:49.379134893 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:49.379162073 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:49.379271984 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:50.398318052 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:50.455782890 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:50.455815077 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:50.455980062 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:51.491883039 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:51.786901951 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:51.831628084 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:51.831710100 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:51.845146894 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:52.854788065 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:52.912568092 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:52.912606001 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:52.912729025 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:56.070290089 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:56.071338892 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:56.130171061 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:56.130592108 CEST | 80 | 49778 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:56.130697966 CEST | 49778 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:56.131527901 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:56.131560087 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:56.187562943 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:56.187637091 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:56.187736034 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:57.197448969 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:57.253433943 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:57.253489017 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:57.253562927 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:58.258836985 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:58.314738989 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:58.314960003 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:58.315020084 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:59.323095083 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:31:59.382608891 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:59.382657051 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:31:59.382725954 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:00.581275940 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:00.640603065 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:00.640722036 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:05.340064049 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:05.341897011 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:05.399940968 CEST | 80 | 49785 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:05.400258064 CEST | 49785 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:05.405114889 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:05.405236959 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:05.406146049 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:05.462671041 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:05.462749958 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:05.462920904 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:06.478008986 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:06.550353050 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:06.550513029 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:07.556500912 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:07.613779068 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:07.613881111 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:07.613969088 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:08.618907928 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:08.677336931 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:08.677377939 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:08.679595947 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:09.696106911 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:09.757704020 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:09.757846117 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:12.931016922 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:12.932782888 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:12.987638950 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:12.988606930 CEST | 49787 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:12.990498066 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:12.990657091 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:12.991106033 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:13.048710108 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:13.048749924 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:13.048921108 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:14.066327095 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:14.123651981 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:14.123684883 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:14.123805046 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:15.134737015 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:15.194490910 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:15.194560051 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:15.194699049 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:16.212922096 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:16.270648003 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:16.270699978 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:16.270816088 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:17.289227009 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:17.350804090 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:17.350972891 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:20.527383089 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:20.528688908 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:20.584839106 CEST | 80 | 49794 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:20.585040092 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:20.585127115 CEST | 49794 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:20.585258961 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:20.586002111 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:20.643687963 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:20.643721104 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:20.643846989 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:21.672964096 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:21.729620934 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:21.729661942 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:21.729844093 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:23.761060953 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:23.817940950 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:23.817989111 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:23.818200111 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:24.838673115 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:24.898762941 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:24.902034044 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:25.923537016 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:25.980289936 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:25.980479956 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:29.136281967 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:29.137432098 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:29.193053961 CEST | 80 | 49797 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:29.193190098 CEST | 49797 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:29.193980932 CEST | 80 | 49799 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:29.194075108 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:29.194683075 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:29.250955105 CEST | 80 | 49799 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:29.251115084 CEST | 80 | 49799 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:29.251207113 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:30.271567106 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:30.333163977 CEST | 80 | 49799 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:30.333312988 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:31.339890957 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:31.397207975 CEST | 80 | 49799 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:31.397250891 CEST | 80 | 49799 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:31.397823095 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:32.406368971 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:32.463176012 CEST | 80 | 49799 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:32.463300943 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:33.479639053 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:33.536449909 CEST | 80 | 49799 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:33.537692070 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:36.748977900 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:36.750273943 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:36.807207108 CEST | 80 | 49799 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:36.807295084 CEST | 49799 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:36.808161974 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:36.809020042 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:36.809062958 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:36.865967989 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:36.866003036 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:36.866132975 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:37.938834906 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:38.000555992 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:38.000767946 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:39.964112043 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:40.021087885 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:40.021171093 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:40.021300077 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:41.314265013 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:41.375144005 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:41.375215054 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:41.375390053 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:43.473820925 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:43.869448900 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:43.928890944 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:43.928993940 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:47.120060921 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:47.121169090 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:47.176953077 CEST | 80 | 49804 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:47.179188013 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:47.179316044 CEST | 49804 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:47.179369926 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:47.189857006 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:47.251374960 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:47.251492977 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:47.255687952 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:48.278768063 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:48.336347103 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:48.336374044 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:48.336508989 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:49.350368023 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:49.407686949 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:49.407743931 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:49.411577940 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:50.423707008 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:50.484554052 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:50.485863924 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:51.508435011 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:51.565948963 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:51.566401005 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:54.723475933 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:54.724602938 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:54.795171976 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:54.795311928 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:54.795758963 CEST | 80 | 49821 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:54.795838118 CEST | 49821 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:54.796464920 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:54.854363918 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:54.854403019 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:54.854501963 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:55.868633032 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:55.924801111 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:55.924823999 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:55.924911976 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:56.930187941 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:56.986404896 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:56.986433029 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:56.986515999 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:57.993880033 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:58.050318003 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:58.050360918 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:58.050446987 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:59.134948015 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:32:59.191648960 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:32:59.191767931 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:03.377527952 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:03.378587008 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:03.438843012 CEST | 80 | 49842 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:03.438875914 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:03.439008951 CEST | 49842 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:03.439035892 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:03.461499929 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:03.518521070 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:03.518565893 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:03.518718958 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:04.547296047 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:04.604347944 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:04.604392052 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:04.604516983 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:05.621536016 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:05.686299086 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:05.686567068 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:05.686641932 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:06.697235107 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:06.754378080 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:06.754712105 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:07.794137955 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:07.851281881 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:07.851386070 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:11.009428978 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:11.010505915 CEST | 49859 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:11.069844961 CEST | 80 | 49852 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:11.069967031 CEST | 49852 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:11.070147038 CEST | 80 | 49859 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:11.070245028 CEST | 49859 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:11.077593088 CEST | 49859 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:11.134000063 CEST | 80 | 49859 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:11.134056091 CEST | 80 | 49859 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:11.134139061 CEST | 49859 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:12.150340080 CEST | 49859 | 80 | 192.168.2.7 | 185.215.113.66 |
| Aug 15, 2022 18:33:12.211819887 CEST | 80 | 49859 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:12.211927891 CEST | 80 | 49859 | 185.215.113.66 | 192.168.2.7 |
| Aug 15, 2022 18:33:12.212024927 CEST | 49859 | 80 | 192.168.2.7 | 185.215.113.66 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 15, 2022 18:31:33.805222988 CEST | 57861 | 40500 | 192.168.2.7 | 105.106.149.0 |
| Aug 15, 2022 18:31:38.840588093 CEST | 57861 | 40500 | 192.168.2.7 | 89.236.217.87 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49762 | 185.215.113.66 | 80 | C:\Windows\winrecsv.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 15, 2022 18:31:30.836591005 CEST | 852 | OUT | |
| Aug 15, 2022 18:31:30.893227100 CEST | 853 | IN |