Edit tour
Windows
Analysis Report
4dzlU0beKB.exe
Overview
General Information
| Sample Name: | 4dzlU0beKB.exe |
| Analysis ID: | 693554 |
| MD5: | fe304e909fb1f67c4d9030fc74d0a2f1 |
| SHA1: | 1102fb973b3b83bbd5749db3ceb9405443c09dfe |
| SHA256: | a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96 |
| Tags: | 32exetrojan |
| Infos: |  |
 | |
Detection
Phorpiex
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Phorpiex
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Found evasive API chain (may stop execution after checking mutex)
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to detect sleep reduction / modifications
Contains functionality to check if Internet connection is working
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Drops files with a non-matching file extension (content does not match file extension)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality for read data from the clipboard
Classification
- System is w10x64
4dzlU0beKB.exe (PID: 2372 cmdline: "C:\Users\ user\Deskt op\4dzlU0b eKB.exe" MD5: FE304E909FB1F67C4D9030FC74D0A2F1) - 2314729694.scr (PID: 3508 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\2314729 694.scr MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A) - winrecsv.exe (PID: 868 cmdline:
C:\Windows \winrecsv. exe MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A)
- winrecsv.exe (PID: 4860 cmdline:
"C:\Window s\winrecsv .exe" MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A) - 2201832713.exe (PID: 2028 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\2201832 713.exe MD5: 8F56F0F0C9A4AA6C0BDA072D8BF7C769)
- cleanup
{"C2 url": "http://185.215.113.66/twizt/", "Wallet": ["12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc", "1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD", "3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg", "3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz", "lskbjrchofkmqtugfw28ot7jzv96u75xzyb5bvoop", "qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k", "XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8", "DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG", "0xb899fC445a1b61Cdd62266795193203aa72351fE", "LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7", "r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1", "TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5", "t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy", "terra1smy8jurjwm790qrt5z3qrsyrx9a3lcwehvzmw3", "tz1fpBZAB1jz7RsefBjT94VR3h5VzL4akg6L", "hxc65003fbd738014cf286edf92f9ddac689ec4de5", "QYHny85SWYTLcZFFNNoVovyN15eNbwZdW6", "RRQ9QGcqnHEqJAbcEjs9X3EYsEfXrZPvEi", "NC7YTU5BSOVDYRUPWA3KUXP437AEZ7JNE2H3EYGI", "AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX", "SNCjaBTsinQUDTjBvBoDLVm2AnN2qXeMCs", "zil14rxudm29xzmu9cyk0mcwvrlxm086evuawjy2ev", "s1dSgik6QuCDrRnw9yvtrLCvRLDemi2juJe", "bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k", "cosmos156h8kejuwm3n7ywpwajplfzahgum8lenvkezny", "4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK", "addr1q8ujsfumgrpjvp2v6s3cfndz7yqf7cgpnjfpdlqxfphwfa0e9qneksxrycz5e4prsnx69ugqnassr8yjzm7qvjrwun6s6dfsrt", "aPSfmf1H5DNksgcUMV39NPJcSj832L2okm", "FeGdLZrnbVLsmiY9tZ4ssoRjdLDxiigQBL", "GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY", "GSdrN7W3GsqsxqaXg4x9k5C8cf1uJeoFFg", "bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky", "band1f2nuxcxahrph4n4gpy4lndsp5q342fz0yjh945", "bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 3_2_0040AB50 | |
| Source: | Code function: | 4_2_0040AB50 | |
| Source: | Code function: | 9_2_0040AB50 | |
Phishing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_00404A90 | |
| Source: | Code function: | 3_2_00404BD0 | |
| Source: | Code function: | 4_2_00404A90 | |
| Source: | Code function: | 4_2_00404BD0 | |
| Source: | Code function: | 9_2_00404A90 | |
| Source: | Code function: | 9_2_00404BD0 | |
Networking | |
|---|
| Source: | Code function: | 3_2_00409880 | |
| Source: | Code function: | 4_2_00409880 | |
| Source: | Code function: | 9_2_00409880 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | UDP traffic: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_003C10B0 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | Code function: | 3_2_00403DB0 | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 3_2_00403DB0 | |
| Source: | Code function: | 3_2_00403480 | |
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 3_2_004092E0 | |
| Source: | Code function: | 3_2_0040F088 | |
| Source: | Code function: | 3_2_00402E90 | |
| Source: | Code function: | 3_2_00406950 | |
| Source: | Code function: | 3_2_00406979 | |
| Source: | Code function: | 4_2_004092E0 | |
| Source: | Code function: | 4_2_0040F088 | |
| Source: | Code function: | 4_2_00402E90 | |
| Source: | Code function: | 4_2_00406950 | |
| Source: | Code function: | 4_2_00406979 | |
| Source: | Code function: | 9_2_004092E0 | |
| Source: | Code function: | 9_2_0040F088 | |
| Source: | Code function: | 9_2_00402E90 | |
| Source: | Code function: | 9_2_00406950 | |
| Source: | Code function: | 9_2_00406979 | |
| Source: | Code function: | 3_2_0040C210 | |
| Source: | Code function: | 3_2_0040F2CD | |
| Source: | Code function: | 4_2_0040C210 | |
| Source: | Code function: | 4_2_0040F2CD | |
| Source: | Code function: | 9_2_0040C210 | |
| Source: | Code function: | 9_2_0040F2CD | |
| Source: | Dropped File: | ||
| Source: | Dropped File: | ||
| Source: | Dropped File: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_004054D0 | |
| Source: | Code function: | 3_2_004050B0 | |
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 15_2_003D143E | |
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_4-4253 | ||
| Source: | Evasive API call chain: | graph_3-4253 | ||
| Source: | Evasive API call chain: | graph_4-4253 | ||
| Source: | Evasive API call chain: | graph_3-4253 | ||
| Source: | Code function: | 3_2_0040B8F0 | |
| Source: | Code function: | 4_2_0040B8F0 | |
| Source: | Code function: | 9_2_0040B8F0 | |
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Evaded block: | graph_3-4341 | ||
| Source: | Evaded block: | graph_4-4253 | ||
| Source: | Evasive API call chain: | graph_3-4267 | ||
| Source: | Evasive API call chain: | graph_9-5548 | ||
| Source: | Evasive API call chain: | graph_4-4267 | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Code function: | 9_2_0040B8F0 | |
| Source: | Code function: | 3_2_0040B8F0 | |
| Source: | Code function: | 3_2_0040EEA0 | |
| Source: | Code function: | 3_2_00404A90 | |
| Source: | Code function: | 3_2_00404BD0 | |
| Source: | Code function: | 4_2_00404A90 | |
| Source: | Code function: | 4_2_00404BD0 | |
| Source: | Code function: | 9_2_00404A90 | |
| Source: | Code function: | 9_2_00404BD0 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | API call chain: | graph_3-4254 | ||
| Source: | API call chain: | graph_3-4279 | ||
| Source: | API call chain: | graph_4-4279 | ||
| Source: | API call chain: | graph_4-4314 | ||
| Source: | API call chain: | graph_9-4255 | ||
| Source: | API call chain: | graph_9-4316 | ||
| Source: | API call chain: | graph_9-4281 | ||
| Source: | Code function: | 3_2_00408C70 | |
| Source: | Code function: | 3_2_0040D4A0 | |
| Source: | Code function: | 4_2_0040D4A0 | |
| Source: | Code function: | 9_2_0040D4A0 | |
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 3_2_0040DC40 | |
| Source: | Code function: | 3_2_0040EEA0 | |
| Source: | Code function: | 3_2_0040E110 | |
| Source: | Code function: | 3_2_0040C930 | |
| Source: | Code function: | 4_2_0040DC40 | |
| Source: | Code function: | 4_2_0040EEA0 | |
| Source: | Code function: | 4_2_0040E110 | |
| Source: | Code function: | 4_2_0040C930 | |
| Source: | Code function: | 9_2_0040DC40 | |
| Source: | Code function: | 9_2_0040EEA0 | |
| Source: | Code function: | 9_2_0040E110 | |
| Source: | Code function: | 9_2_0040C930 | |
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 11 Native API | Path Interception | 1 Process Injection | 231 Masquerading | 21 Input Capture | 22 Security Software Discovery | Remote Services | 21 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 21 Virtualization/Sandbox Evasion | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Remote System Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | Automated Exfiltration | 4 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Hidden Files and Directories | NTDS | 1 System Network Connections Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | 12 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 76% | Virustotal | Browse | ||
| 62% | ReversingLabs | Win32.Trojan.MintZard | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1237550 | ||
| 100% | Avira | HEUR/AGEN.1237550 | ||
| 100% | Avira | HEUR/AGEN.1239737 | ||
| 100% | Avira | HEUR/AGEN.1237550 | ||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 68% | Metadefender | Browse | ||
| 96% | ReversingLabs | Win32.Worm.Phorpiex | ||
| 35% | ReversingLabs | Win32.Trojan.Fragtor | ||
| 68% | Metadefender | Browse | ||
| 96% | ReversingLabs | Win32.Worm.Phorpiex | ||
| 68% | Metadefender | Browse | ||
| 96% | ReversingLabs | Win32.Worm.Phorpiex |
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | HEUR/AGEN.1239737 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1239737 | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File | ||
| 100% | Avira | HEUR/AGEN.1237550 | Download File |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 16% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 11% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware | ||
| 10% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 11% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| true |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 151.235.32.225 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false | |
| 185.215.113.66 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | false | |
| 5.236.182.192 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false | |
| 213.246.19.58 | unknown | Yemen | 30873 | PTC-YEMENNETYE | false | |
| 178.163.120.234 | unknown | Russian Federation | 8416 | INFOLINE-ASRU | false | |
| 134.35.246.12 | unknown | Yemen | 30873 | PTC-YEMENNETYE | false | |
| 196.175.1.52 | unknown | Ghana | 37030 | Airtel-GhanaGH | false | |
| 193.193.254.13 | unknown | Kazakhstan | 8393 | ASTEL-ASAlma-AtaKZ | false | |
| 89.236.219.80 | unknown | Uzbekistan | 39032 | ISPETCUZ | false | |
| 2.185.152.73 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false | |
| 134.35.50.137 | unknown | Yemen | 30873 | PTC-YEMENNETYE | false | |
| 2.182.9.184 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false | |
| 69.67.151.59 | unknown | United States | 22241 | IC2NETUS | false | |
| 193.17.189.170 | unknown | Syrian Arab Republic | 29256 | INT-PDN-STE-ASSTEPDNInternalASSY | false | |
| 37.202.191.246 | unknown | Iran (ISLAMIC Republic Of) | 31549 | RASANAIR | false | |
| 154.118.198.100 | unknown | Angola | 37645 | ZAP-AngolaAO | false | |
| 176.113.143.70 | unknown | Tajikistan | 44027 | SATURN-ONLINE-ASElcatUplinkRU | false | |
| 239.255.255.250 | unknown | Reserved | unknown | unknown | false | |
| 213.230.120.247 | unknown | Uzbekistan | 8193 | BRM-ASUZ | false | |
| 5.74.57.165 | unknown | Iran (ISLAMIC Republic Of) | 12880 | DCI-ASIR | false | |
| 180.222.143.42 | unknown | Afghanistan | 131284 | ETISALATAFG-AS-APEtisalatAfghanAF | false | |
| 105.109.251.50 | unknown | Algeria | 36947 | ALGTEL-ASDZ | false |
| IP |
|---|
| 192.168.2.1 |
| 192.168.1.2 |
| Joe Sandbox Version: | 35.0.0 Citrine |
| Analysis ID: | 693554 |
| Start date and time: | 2022-08-31 02:14:56 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 6m 59s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | 4dzlU0beKB.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 24 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@8/6@0/24 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 20.72.235.82
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, redir.update.msft.com.trafficmanager.net, fs.microsoft.com, prod-azurecdn-akamai-iris.azureedge.net, eudb.ris.api.iris.microsoft.com, www.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtDeviceIoControlFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 02:16:03 | API Interceptor | |
| 02:16:06 | API Interceptor | |
| 02:16:06 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 185.215.113.66 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| 193.193.254.13 | Get hash | malicious | Browse | ||
| 213.246.19.58 | Get hash | malicious | Browse | ||
| 2.185.152.73 | Get hash | malicious | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| TCIIR | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| WHOLESALECONNECTIONSNL | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\2314729694.scr | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| C:\Windows\winrecsv.exe | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\tpeinf[1].png | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse |
| Process: | C:\Users\user\Desktop\4dzlU0beKB.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 77312 |
| Entropy (8bit): | 6.345505183378638 |
| Encrypted: | false |
| SSDEEP: | 1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr |
| MD5: | ED2D7B25BB360CCCB4F0F6A4F8732D7A |
| SHA1: | 6FFCC083956C5AC19826BDD87E12F87817EE837C |
| SHA-256: | 22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092 |
| SHA-512: | 6592EC1A12F9575176474C6192D49F4F4A87998DA6692E07E8BA6A93789D6A92E41DBABD3488A27A49EC8C8C414E02751867FEB2A0038E4091630CA3E4FB235F |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Joe Sandbox View: | |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\winrecsv.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6912 |
| Entropy (8bit): | 7.974003045868741 |
| Encrypted: | false |
| SSDEEP: | 192:yc7ruJ3WV8LsVPAd12Oi0PfDqO+6mvrK5r6bM/uwt:jc3WVd4d1RBT+ViriMvt |
| MD5: | C3C46FC47CF6000878182A6E6C4A1BC5 |
| SHA1: | 05764D7EA80A88038ABDAB133E2F3732674BE473 |
| SHA-256: | 90E2CDB13AC35774BA388AFA505CD6B4EE40A41848EAD7C6EFA6AE24D81232A8 |
| SHA-512: | BB782FBD193E5931104AE397B60668E82449297883E4B27A59BD6226DD75392ADC1C3E80C49278809B6CDF4B06E4E6FCE51F35052C4D3B023B7287E396FC3D0B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\winrecsv.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6656 |
| Entropy (8bit): | 4.322055480464072 |
| Encrypted: | false |
| SSDEEP: | 48:S7bIIyRPSDyRP/DyRPc12oxOwgWUy8X5ogCS0FovQoWeLjT6XOQXPtboyl1dPFty:wxFDYDbBxOFPLPfjTt+PtboynVyCtgf |
| MD5: | 8F56F0F0C9A4AA6C0BDA072D8BF7C769 |
| SHA1: | 24A01D3502C3BFEBFB052AFADB0367B1407342FF |
| SHA-256: | 4433C5F202948E0B5F5D9F4B14A423756149F9B879F5BF641CE9B8EE2CDD92A4 |
| SHA-512: | 8BE67132DF6AB80A67FA130C1BCF13519FC782C37E98553D89C847DAB4B29D78C51152185776E5C7ED49BD3C3DF0FF294605DD3E43CF899F4E6F295A7307A91A |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\4dzlU0beKB.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 77312 |
| Entropy (8bit): | 6.345505183378638 |
| Encrypted: | false |
| SSDEEP: | 1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr |
| MD5: | ED2D7B25BB360CCCB4F0F6A4F8732D7A |
| SHA1: | 6FFCC083956C5AC19826BDD87E12F87817EE837C |
| SHA-256: | 22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092 |
| SHA-512: | 6592EC1A12F9575176474C6192D49F4F4A87998DA6692E07E8BA6A93789D6A92E41DBABD3488A27A49EC8C8C414E02751867FEB2A0038E4091630CA3E4FB235F |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Joe Sandbox View: | |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\winrecsv.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4096 |
| Entropy (8bit): | 4.828161577041089 |
| Encrypted: | false |
| SSDEEP: | 96:rlukshBku5Gen5eRl7KKCek/Yk71L6LoDQz8seyZ61oNiPL:r8jhBkHe0VKSlkRGsDseyGoaL |
| MD5: | F7F7E705B6572D411923B3EC897B99D8 |
| SHA1: | AA9AF430172C3EE25F6F546E7E9B2A3888B37381 |
| SHA-256: | 20BEEF3496B65A0FEE5ECCD7DAE659E763AFA3D88234DC31FB10C3EAE515EEF9 |
| SHA-512: | F8D78EE34D3D202E0F45566E3BCCACD33EEA86F5275CCD4F88B308B2057DF0C18544698AAEED5B5BCF55480D5795522A4165C6C72BD570171D856B030B93E944 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\2314729694.scr |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 77312 |
| Entropy (8bit): | 6.345505183378638 |
| Encrypted: | false |
| SSDEEP: | 1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr |
| MD5: | ED2D7B25BB360CCCB4F0F6A4F8732D7A |
| SHA1: | 6FFCC083956C5AC19826BDD87E12F87817EE837C |
| SHA-256: | 22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092 |
| SHA-512: | 6592EC1A12F9575176474C6192D49F4F4A87998DA6692E07E8BA6A93789D6A92E41DBABD3488A27A49EC8C8C414E02751867FEB2A0038E4091630CA3E4FB235F |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Joe Sandbox View: | |
| Preview: |
| File type: | |
| Entropy (8bit): | 4.715360115768845 |
| TrID: |
|
| File name: | 4dzlU0beKB.exe |
| File size: | 9216 |
| MD5: | fe304e909fb1f67c4d9030fc74d0a2f1 |
| SHA1: | 1102fb973b3b83bbd5749db3ceb9405443c09dfe |
| SHA256: | a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96 |
| SHA512: | 46f797b30affdc7bc2291b2b1fb064246a7aa2359072380468abce1423b338859c0ad45b02c2dc5623d167ef51c65414e06890c7c9dfe4b9e305a0b70257f1aa |
| SSDEEP: | 192:oeJbEZ11AsLvRP1oynfUOMNc1Fu669tk2Hv:BJwZ11T51BUOMNqF96s |
| TLSH: | 0612711C9AD84AADF2FB04F0B972724F426DB9322369C4FF553B10C5D892512D8E166B |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........^...^...^...1...\......._...1...U...y%..U...^...u...@.W._...@.B._...Rich^...................PE..L...8].b................... |
 | |
| Icon Hash: | 00828e8e8686b000 |
| Entrypoint: | 0x40194a |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x62FF5D38 [Fri Aug 19 09:51:52 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 1638b66ab562e34b96db8786791d32b7 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| push FFFFFFFFh |
| push 00402248h |
| push 00401AD0h |
| mov eax, dword ptr fs:[00000000h] |
| push eax |
| mov dword ptr fs:[00000000h], esp |
| sub esp, 68h |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [ebp-18h], esp |
| xor ebx, ebx |
| mov dword ptr [ebp-04h], ebx |
| push 00000002h |
| call dword ptr [0040203Ch] |
| pop ecx |
| or dword ptr [00403500h], FFFFFFFFh |
| or dword ptr [00403504h], FFFFFFFFh |
| call dword ptr [00402038h] |
| mov ecx, dword ptr [004034FCh] |
| mov dword ptr [eax], ecx |
| call dword ptr [00402040h] |
| mov ecx, dword ptr [004034F8h] |
| mov dword ptr [eax], ecx |
| mov eax, dword ptr [00402048h] |
| mov eax, dword ptr [eax] |
| mov dword ptr [00403508h], eax |
| call 00007F3F2CDF99D5h |
| cmp dword ptr [004034E0h], ebx |
| jne 00007F3F2CDF98CEh |
| push 00401AC6h |
| call dword ptr [0040204Ch] |
| pop ecx |
| call 00007F3F2CDF99A7h |
| push 0040300Ch |
| push 00403008h |
| call 00007F3F2CDF9992h |
| mov eax, dword ptr [004034F4h] |
| mov dword ptr [ebp-6Ch], eax |
| lea eax, dword ptr [ebp-6Ch] |
| push eax |
| push dword ptr [004034F0h] |
| lea eax, dword ptr [ebp-64h] |
| push eax |
| lea eax, dword ptr [ebp-70h] |
| push eax |
| lea eax, dword ptr [ebp-60h] |
| push eax |
| call dword ptr [00402054h] |
| push 00403004h |
| push 00403000h |
| call 00007F3F2CDF995Fh |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2254 | 0x8c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x1b4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5000 | 0x204 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0xbc | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xadc | 0xc00 | False | 0.4251302083333333 | data | 5.002862195071096 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2000 | 0x654 | 0x800 | False | 0.419921875 | data | 3.917242396308186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3000 | 0x50c | 0x600 | False | 0.2903645833333333 | data | 2.741256132437388 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x4000 | 0x1b4 | 0x200 | False | 0.486328125 | data | 5.097979088823027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x5000 | 0x260 | 0x400 | False | 0.48046875 | data | 4.038914351897677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_MANIFEST | 0x4058 | 0x15a | ASCII text, with CRLF line terminators | English | United States |
| DLL | Import |
|---|---|
| SHLWAPI.dll | PathFileExistsA |
| MSVCRT.dll | __p__fmode, __set_app_type, __p__commode, _controlfp, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, srand, rand, memset, _except_handler3 |
| WININET.dll | InternetOpenUrlA, InternetOpenA, InternetOpenUrlW, InternetReadFile, InternetCloseHandle, InternetOpenW |
| KERNEL32.dll | DeleteFileA, GetTickCount, CloseHandle, DeleteFileW, CreateProcessW, Sleep, MoveFileW, MoveFileA, GetModuleHandleA, CreateFileW, GetStartupInfoA, ExpandEnvironmentStringsW, WriteFile |
| USER32.dll | SetForegroundWindow, FindWindowA, ShowWindow, wsprintfW |
| SHELL32.dll | ShellExecuteW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 31, 2022 02:15:59.368870974 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.424976110 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.425048113 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.425627947 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.481503010 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618554115 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618596077 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618616104 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618629932 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618648052 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618659973 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618675947 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618694067 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618706942 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618719101 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.618796110 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.618849039 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.618854046 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.674906969 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.674946070 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.674972057 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.674998045 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675028086 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675044060 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675065041 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675075054 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.675077915 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675093889 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675111055 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675127029 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675137997 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.675144911 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675164938 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675168991 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.675177097 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675194979 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675198078 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.675211906 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675229073 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675237894 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.675246954 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675261021 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.675265074 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675282001 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.675292015 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.675314903 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.675367117 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731256008 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731368065 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731424093 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731441975 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731462002 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731468916 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731473923 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731515884 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731632948 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731672049 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731720924 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731741905 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731745005 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731781960 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731787920 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731817961 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731828928 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731856108 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731868029 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731890917 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731913090 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731926918 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731931925 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.731962919 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.731981039 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732002020 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732007980 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732039928 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732054949 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732074976 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732089043 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732111931 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732124090 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732147932 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732160091 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732182980 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732218027 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732219934 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732229948 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732254982 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732268095 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732290983 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732301950 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732328892 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732341051 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732377052 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732378006 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732414961 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732424974 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732450962 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732464075 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732496977 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732497931 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732533932 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.732546091 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.732588053 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:15:59.789072037 CEST | 80 | 49724 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:15:59.789247990 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:05.487484932 CEST | 49724 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.041699886 CEST | 49733 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.098999023 CEST | 80 | 49733 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.099211931 CEST | 49733 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.100950003 CEST | 49733 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.157778978 CEST | 80 | 49733 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.158679008 CEST | 80 | 49733 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.158716917 CEST | 80 | 49733 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.158745050 CEST | 80 | 49733 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.158771992 CEST | 80 | 49733 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.158797026 CEST | 80 | 49733 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.158822060 CEST | 80 | 49733 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.158874989 CEST | 49733 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.158905029 CEST | 49733 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.158910036 CEST | 49733 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.158912897 CEST | 49733 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.163060904 CEST | 49733 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.163079023 CEST | 49733 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.165301085 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.221704960 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.221889973 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.319304943 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.375802040 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.375932932 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.375961065 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.375982046 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.376002073 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.376024008 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.376043081 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:23.376081944 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.376172066 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.376182079 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.376187086 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:23.376193047 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:34.014147997 CEST | 49735 | 40500 | 192.168.2.6 | 5.236.182.192 |
| Aug 31, 2022 02:16:37.027163982 CEST | 49735 | 40500 | 192.168.2.6 | 5.236.182.192 |
| Aug 31, 2022 02:16:43.027487993 CEST | 49735 | 40500 | 192.168.2.6 | 5.236.182.192 |
| Aug 31, 2022 02:16:44.828418016 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:44.884618998 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:44.884804964 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:44.884951115 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:45.890073061 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:45.946708918 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:45.946866035 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:45.946917057 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:46.971465111 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:47.027870893 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:47.030252934 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:48.184475899 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:48.241894007 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:48.242089033 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:49.384533882 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:49.443176985 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:49.443372011 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:52.657641888 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:52.658835888 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:53.011468887 CEST | 80 | 49734 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:53.011564016 CEST | 49734 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:53.747134924 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:53.747466087 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:53.750128031 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:53.809906006 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:53.809990883 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:53.810100079 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:54.829653978 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:54.886660099 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:54.886708975 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:54.886827946 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:55.890388012 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:55.946316957 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:55.946450949 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:55.946523905 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:57.082552910 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:57.139005899 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:57.139053106 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:57.139216900 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:58.156339884 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:16:58.212491035 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:16:58.212627888 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:00.065459967 CEST | 49747 | 40500 | 192.168.2.6 | 213.246.19.58 |
| Aug 31, 2022 02:17:01.374466896 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:01.375556946 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:01.430677891 CEST | 80 | 49744 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:01.430879116 CEST | 49744 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:01.431616068 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:01.431865931 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:01.432400942 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:01.495418072 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:01.495464087 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:01.495568991 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:02.504230976 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:02.560187101 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:02.560307980 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:02.560432911 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:03.076060057 CEST | 49747 | 40500 | 192.168.2.6 | 213.246.19.58 |
| Aug 31, 2022 02:17:03.579242945 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:03.637404919 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:03.637521029 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:03.637746096 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:04.656775951 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:04.712923050 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:04.713007927 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:05.726660967 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:05.783158064 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:05.783273935 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:09.185996056 CEST | 49747 | 40500 | 192.168.2.6 | 213.246.19.58 |
| Aug 31, 2022 02:17:09.875499010 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:09.876562119 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:09.941236973 CEST | 80 | 49748 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:09.941334009 CEST | 49748 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:09.942636013 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:09.942769051 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:09.943286896 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:10.000349998 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:10.000436068 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:10.000541925 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:11.016294003 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:11.073929071 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:11.073949099 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:11.074017048 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:12.079431057 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:12.146236897 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:12.146450043 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:12.147881985 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:13.172950029 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:13.230401039 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:13.230576992 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:14.236479044 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:14.294698954 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:14.294791937 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:17.465838909 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:17.467648029 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:17.523421049 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:17.523555040 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:17.524123907 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:17.524307966 CEST | 80 | 49749 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:17.524369955 CEST | 49749 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:17.579732895 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:17.579788923 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:17.579874992 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:18.595746040 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:18.651501894 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:18.651587009 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:18.651773930 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:19.659490108 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:19.715318918 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:19.715336084 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:19.715439081 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:20.750405073 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:20.812855005 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:20.812978029 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:20.813074112 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:21.832577944 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:21.888834000 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:21.889004946 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:25.121917963 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:25.122939110 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:25.180409908 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:25.180566072 CEST | 49751 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:25.181369066 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:25.181485891 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:25.231293917 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:25.288367987 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:25.288511992 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:25.288619041 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:26.503228903 CEST | 49758 | 40500 | 192.168.2.6 | 196.175.1.52 |
| Aug 31, 2022 02:17:26.630175114 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:26.686803102 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:26.686863899 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:26.687026978 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:27.737221003 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:27.795232058 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:27.795470953 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:27.795572042 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:28.799602985 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:28.856990099 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:28.857161045 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:29.547158957 CEST | 49758 | 40500 | 192.168.2.6 | 196.175.1.52 |
| Aug 31, 2022 02:17:29.862070084 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:29.918791056 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:29.918936968 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:33.081667900 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:33.082843065 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:33.138104916 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:33.138183117 CEST | 49757 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:33.139152050 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:33.139244080 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:33.139748096 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:33.196062088 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:33.196101904 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:33.196173906 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:34.211179018 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:34.267340899 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:34.267499924 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:34.267640114 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:35.285228968 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:35.341408014 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:35.341545105 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:35.341619015 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:35.547641993 CEST | 49758 | 40500 | 192.168.2.6 | 196.175.1.52 |
| Aug 31, 2022 02:17:36.381850004 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:36.438131094 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:36.438225985 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:36.438325882 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:37.528143883 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:37.584794998 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:37.584906101 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:40.927731991 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:40.931032896 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:40.983989000 CEST | 80 | 49761 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:40.984050989 CEST | 49761 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:40.989387989 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:40.989486933 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:40.990046978 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:41.047061920 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:41.047102928 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:41.047188044 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:42.081721067 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:42.138569117 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:42.138631105 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:42.138708115 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:43.147820950 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:43.204978943 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:43.205065966 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:43.205204010 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:44.223496914 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:44.280282974 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:44.280461073 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:44.280551910 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:45.292567015 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:45.350109100 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:45.350210905 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:47.489877939 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:47.491401911 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:47.546853065 CEST | 80 | 49765 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:47.546926022 CEST | 49765 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:47.547444105 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:47.547548056 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:47.548510075 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:47.604454041 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:47.604707003 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:47.604789972 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:48.617147923 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:48.677680016 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:48.677912951 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:48.678014040 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:49.692909956 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:49.749074936 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:49.749217987 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:49.749803066 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:50.769622087 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:50.825948000 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:50.826114893 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:50.826261997 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:51.840993881 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:51.906789064 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:51.906863928 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:52.583745956 CEST | 49799 | 40500 | 192.168.2.6 | 69.67.151.59 |
| Aug 31, 2022 02:17:52.911853075 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:52.970256090 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:52.970336914 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:55.596247911 CEST | 49799 | 40500 | 192.168.2.6 | 69.67.151.59 |
| Aug 31, 2022 02:17:56.150274038 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:56.153091908 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:56.206564903 CEST | 80 | 49787 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:56.206742048 CEST | 49787 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:56.209359884 CEST | 80 | 49800 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:56.209609032 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:56.210105896 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:56.273480892 CEST | 80 | 49800 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:56.276905060 CEST | 80 | 49800 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:56.277944088 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:57.308902025 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:57.365041971 CEST | 80 | 49800 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:57.365096092 CEST | 80 | 49800 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:57.365219116 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:58.510873079 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:17:58.567048073 CEST | 80 | 49800 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:58.567092896 CEST | 80 | 49800 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:17:58.567193031 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:18:00.069252014 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:18:00.125279903 CEST | 80 | 49800 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:18:00.125408888 CEST | 80 | 49800 | 185.215.113.66 | 192.168.2.6 |
| Aug 31, 2022 02:18:00.125531912 CEST | 49800 | 80 | 192.168.2.6 | 185.215.113.66 |
| Aug 31, 2022 02:18:01.627979994 CEST | 49799 | 40500 | 192.168.2.6 | 69.67.151.59 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 31, 2022 02:16:34.020525932 CEST | 63231 | 40500 | 192.168.2.6 | 2.185.152.73 |
| Aug 31, 2022 02:16:39.142756939 CEST | 63231 | 40500 | 192.168.2.6 | 151.235.32.225 |
| Aug 31, 2022 02:16:44.145689964 CEST | 63231 | 40500 | 192.168.2.6 | 193.193.254.13 |
| Aug 31, 2022 02:16:49.386518002 CEST | 63231 | 40500 | 192.168.2.6 | 180.222.143.42 |
| Aug 31, 2022 02:16:54.380816936 CEST | 63231 | 40500 | 192.168.2.6 | 134.35.246.12 |
| Aug 31, 2022 02:16:59.380676031 CEST | 63231 | 40500 | 192.168.2.6 | 213.230.120.247 |
| Aug 31, 2022 02:17:04.384885073 CEST | 63231 | 40500 | 192.168.2.6 | 2.182.9.184 |
| Aug 31, 2022 02:17:09.472390890 CEST | 63231 | 40500 | 192.168.2.6 | 192.168.1.2 |
| Aug 31, 2022 02:17:14.499742985 CEST | 63231 | 40500 | 192.168.2.6 | 176.113.143.70 |
| Aug 31, 2022 02:17:19.561342955 CEST | 63231 | 40500 | 192.168.2.6 | 196.175.1.52 |
| Aug 31, 2022 02:17:25.042804003 CEST | 63231 | 40500 | 192.168.2.6 | 134.35.50.137 |
| Aug 31, 2022 02:17:30.050107956 CEST | 63231 | 40500 | 192.168.2.6 | 193.17.189.170 |
| Aug 31, 2022 02:17:35.069401979 CEST | 63231 | 40500 | 192.168.2.6 | 89.236.219.80 |
| Aug 31, 2022 02:17:40.154408932 CEST | 63231 | 40500 | 192.168.2.6 | 5.74.57.165 |
| Aug 31, 2022 02:17:45.173243046 CEST | 63231 | 40500 | 192.168.2.6 | 178.163.120.234 |
| Aug 31, 2022 02:17:50.189012051 CEST | 63231 | 40500 | 192.168.2.6 | 105.109.251.50 |
| Aug 31, 2022 02:17:55.198187113 CEST | 63231 | 40500 | 192.168.2.6 | 37.202.191.246 |
| Aug 31, 2022 02:18:00.201078892 CEST | 63231 | 40500 | 192.168.2.6 | 154.118.198.100 |
| Timestamp | Source IP | Dest IP | Checksum | Code | Type |
|---|---|---|---|---|---|
| Aug 31, 2022 02:17:02.487714052 CEST | 213.230.120.247 | 192.168.2.6 | ec9 | (Host unreachable) | Destination Unreachable |
| Aug 31, 2022 02:17:15.216681957 CEST | 176.113.143.70 | 192.168.2.6 | ffa2 | (Host unreachable) | Destination Unreachable |
| Aug 31, 2022 02:17:50.283812046 CEST | 105.109.251.50 | 192.168.2.6 | 2489 | (Port unreachable) | Destination Unreachable |
| Aug 31, 2022 02:18:01.639939070 CEST | 154.118.198.100 | 192.168.2.6 | 20c6 | (Host unreachable) | Destination Unreachable |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49724 | 185.215.113.66 | 80 | C:\Users\user\Desktop\4dzlU0beKB.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 31, 2022 02:15:59.425627947 CEST | 706 | OUT | |
| Aug 31, 2022 02:15:59.618554115 CEST | 707 | IN |