Windows Analysis Report
file.exe
Detection
Nymaim
Score: 96 (range 0-100)
Whitelisted: false
Confidence: 100%
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
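Several of the signatures above ("Detected unpacking (overwrites its own PE header)", "Detected unpacking (changes PE section rights)", "PE file does not import any functions", "PE file contains sections with non-standard names") are the dynamic view of properties a static pass can flag before detonation. The triage script below is an added example written for this page, not Joe Sandbox code: it reads the PE headers with the standard library only and reports an empty import directory, writable-and-executable sections, non-standard section names and high-entropy section bodies. The file it runs on is constructed in `build_sample_pe()` and is not the analysed file.exe; the 7.0 bits/byte entropy threshold and the section-name allow list are my assumptions.

```python
"""Static packing triage for a PE file (added example, not Joe Sandbox code)."""
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Section names emitted by mainstream linkers (assumed allow list); anything else is worth a look.
STANDARD_SECTION_NAMES = {
    b".text", b".data", b".rdata", b".idata", b".edata", b".pdata", b".rsrc",
    b".reloc", b".bss", b".tls", b".CRT", b".debug",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for compressed or encrypted data, 0 for uniform padding."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(data: bytes) -> dict:
    """Walk the DOS/COFF/optional/section headers directly and collect packing indicators."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    ddir = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    import_rva, import_size = struct.unpack_from("<II", data, ddir + 8)  # entry 1 = import table

    sections, indicators = [], []
    if import_rva == 0 or import_size == 0:
        indicators.append("no import table (imports resolved at run time)")
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        raw_name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        name = raw_name.rstrip(b"\0")
        entropy = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sec = {
            "name": name.decode("latin-1"),
            "rwx": (chars & RWX) == RWX,
            "non_standard_name": name not in STANDARD_SECTION_NAMES,
            "entropy": round(entropy, 2),
        }
        sections.append(sec)
        if sec["rwx"]:
            indicators.append(f"writable+executable section {sec['name']}")
        if sec["non_standard_name"]:
            indicators.append(f"non-standard section name {sec['name']}")
        if entropy > 7.0 and raw_size >= 1024:
            indicators.append(f"high-entropy section {sec['name']} ({entropy:.2f} bits/byte)")
    return {"sections": sections, "indicators": indicators}


def build_sample_pe() -> bytes:
    """Constructed PE32 image for the demo (not the analysed sample): a plain .text section,
    a writable+executable section 'xyz0' full of pseudo-random bytes, and no import directory."""
    text_body = b"\x90" * 0x200
    packed_body = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    headers_size = 0x400
    layout = [(b".text", text_body, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
              (b"xyz0", packed_body, RWX)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                    # section / file alignment
    struct.pack_into("<I", opt, 60, headers_size)                      # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes; all zero
    headers = bytearray(dos + b"PE\0\0" + coff + opt)
    raw_ptr, va, bodies = headers_size, 0x1000, b""
    for name, body, chars in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), va, len(body), raw_ptr, 0, 0, 0, 0, chars)
        bodies += body
        raw_ptr += len(body)
        va += 0x1000 * ((len(body) + 0xFFF) // 0x1000)
    headers += b"\0" * (headers_size - len(headers))
    return bytes(headers) + bodies


if __name__ == "__main__":
    for line in triage_pe(build_sample_pe())["indicators"]:
        print("-", line)
```

Run it on a real file with `triage_pe(open(path, "rb").read())`. None of these indicators is proof of packing on its own: an Inno Setup installer such as is-188R9.tmp legitimately carries a high-entropy compressed payload. What the sandbox adds, and this static pass cannot, is watching the section rights and PE header actually being rewritten at run time.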
Classification
Process Tree
- System is w10x64
- file.exe (PID: 5856, cmdline: C:\Users\user\Desktop\file.exe, MD5: F6EF13946619524C0E6BB1C01CFA73FB)
- is-188R9.tmp (PID: 5832, cmdline: "C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp" /SL4 $402C2 "C:\Users\user\Desktop\file.exe" 2023066 96256, MD5: 2C3832FDF847813369EC960CD39C8265)
- ntFolders.exe (PID: 6076, cmdline: "C:\Program Files (x86)\PrintFolders\ntFolders.exe", MD5: E2D8395C6ADC664320DCF1CFC63336F4)
- LUxJPTIXtIs.exe (PID: 5216, cmdline not extracted, MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 3788, cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5220, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 588, cmdline: taskkill /im "ntFolders.exe" /f, MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
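The tail of the tree, cmd.exe running `taskkill /im "ntFolders.exe" /f & erase "...\ntFolders.exe" & exit`, is a cleanup one-liner: the same command ends a process and deletes its image. That pairing is easy to hunt for in process-creation telemetry. The script below is an added example for this page, not part of the report or of Joe Sandbox. Its event list is constructed from the tree above: parent links follow the order in which the processes are printed (the nesting indentation did not survive extraction), PID 1 stands in for the unlisted parent of file.exe, and LUxJPTIXtIs.exe has no path or command line in the report, so only its name is used. The two benign one-liners at the end are invented negatives.

```python
"""Flag cmd.exe one-liners that kill a process and erase its image (added example)."""
import re

# Constructed process-creation events modelled on the process tree in this report.
EVENTS = [
    {"pid": 5856, "ppid": 1, "image": r"C:\Users\user\Desktop\file.exe",
     "cmdline": r"C:\Users\user\Desktop\file.exe"},
    {"pid": 5832, "ppid": 5856, "image": r"C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp" /SL4 $402C2 "C:\Users\user\Desktop\file.exe" 2023066 96256'},
    {"pid": 6076, "ppid": 5832, "image": r"C:\Program Files (x86)\PrintFolders\ntFolders.exe",
     "cmdline": r'"C:\Program Files (x86)\PrintFolders\ntFolders.exe"'},
    # Path and command line are absent from the report; only the name is known.
    {"pid": 5216, "ppid": 6076, "image": "LUxJPTIXtIs.exe", "cmdline": ""},
    {"pid": 3788, "ppid": 5216, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit'},
    {"pid": 588, "ppid": 3788, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r'taskkill /im "ntFolders.exe" /f'},
    # Invented benign one-liners that must not fire: a kill without an erase, an erase without a kill.
    {"pid": 9001, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c taskkill /im notepad.exe /f"},
    {"pid": 9002, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\temp\old.log & exit"},
]

TASKKILL_RE = re.compile(r'taskkill(?:\.exe)?\s+(?:/f\s+)?/im\s+"?([^"\s]+)"?', re.I)
DELETE_RE = re.compile(r'\b(?:erase|del)\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Yield (depth, event) for each known ancestor of pid, nearest first."""
    depth, cur = 0, by_pid.get(pid)
    while cur is not None and cur["ppid"] in by_pid:
        cur = by_pid[cur["ppid"]]
        depth += 1
        yield depth, cur


def find_kill_and_erase(events):
    """One hit per cmd.exe whose command line both kills an image name and erases a file of that name.
    ancestor_depth tells how far up the cmd.exe's own lineage the erased binary sits (None if it is unrelated)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        kill, erase = TASKKILL_RE.search(e["cmdline"]), DELETE_RE.search(e["cmdline"])
        if not (kill and erase):
            continue
        killed, erased = kill.group(1).lower(), erase.group(1).strip()
        if basename(erased) != killed:
            continue
        depth = next((d for d, a in ancestors(e["pid"], by_pid) if basename(a["image"]) == killed), None)
        hits.append({"cmd_pid": e["pid"], "target": killed, "erased_path": erased, "ancestor_depth": depth})
    return hits


if __name__ == "__main__":
    for hit in find_kill_and_erase(EVENTS):
        print(hit)
```

The `ancestor_depth` field is what separates self-cleanup from an administrator killing a stuck program: here the erased binary is the grandparent of the cmd.exe that erases it, something a benign one-liner practically never does.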
Malware Configuration (Nymaim)
{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Yara Overview (the matched sources and string columns were not extracted; two tables in the report)

Source | Rule | Description | Author | Strings
---|---|---|---|---
(not extracted) | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
(not extracted) | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
(not extracted) | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
(not extracted) | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
(not extracted) | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
(not extracted) | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
(not extracted) | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
⊘No Sigma rule has matched
Snort IDS Alerts

Timestamp | SID | Source | Destination | Protocol | Classtype
---|---|---|---|---|---
12/09/22-10:47:08.950307 | 2852925 | 107.182.129.235:80 | 192.168.2.3:49699 | TCP | A Network Trojan was detected
12/09/22-10:47:08.733822 | 2041920 | 192.168.2.3:49698 | 45.139.105.171:80 | TCP | A Network Trojan was detected
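The malware configuration, the Snort alerts and the "TCP traffic detected without corresponding DNS query" signature are three views of the same thing: the configured C2 addresses, the alerts raised on flows to them, and flows whose destination was never returned by a DNS answer (a hard-coded IP in the sample). The script below joins them; it is an added example for this page, not part of the report or of Joe Sandbox. The DNS and flow log lines are constructed (the IPs, ports and the two Snort timestamps come from this report; the other timestamps are invented), the log formats are my own, and the "same /24 as a configured C2" rule is a heuristic I added because the contacted 45.139.105.171 sits beside the configured 45.139.105.1.

```python
"""Join a sandbox C2 list with DNS and flow logs to flag hard-coded C2 traffic (added example)."""
import ipaddress
from datetime import datetime

# C2 addresses as extracted from the malware configuration in this report.
C2_ADDRESSES = ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]

# Constructed resolver log: "<iso timestamp> answer <name> <type> <ip>". Only the
# Windows Update CDN host from the report's domain table was ever resolved.
DNS_LOG = """\
2022-12-09T10:46:30.100000 answer windowsupdatebg.s.llnwi.net A 178.79.242.0
"""

# Constructed flow log: "<iso timestamp> <src ip>:<port> -> <dst ip>:<port> <proto>".
# The 45.139.105.171 and 107.182.129.235 lines mirror the two Snort alerts above.
FLOW_LOG = """\
2022-12-09T10:46:31.000000 192.168.2.3:49690 -> 178.79.242.0:80 TCP
2022-12-09T10:47:08.733822 192.168.2.3:49698 -> 45.139.105.171:80 TCP
2022-12-09T10:47:08.950307 192.168.2.3:49699 -> 107.182.129.235:80 TCP
2022-12-09T10:47:09.100000 192.168.2.3:49700 -> 85.31.46.167:80 TCP
"""


def parse_dns(text):
    """Map each answered IP to (earliest answer time, name)."""
    answers = {}
    for line in text.splitlines():
        ts, _kind, name, _rtype, ip = line.split()
        when = datetime.fromisoformat(ts)
        if ip not in answers or when < answers[ip][0]:
            answers[ip] = (when, name)
    return answers


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, _arrow, dst, proto = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append({"time": datetime.fromisoformat(ts), "src": sip, "sport": int(sport),
                      "dst": dip, "dport": int(dport), "proto": proto})
    return flows


def audit_flows(flows, dns_answers, c2_addresses):
    """One finding per outbound TCP flow that hits the C2 list, its /24, or has no DNS pedigree."""
    c2_hosts = {ipaddress.ip_address(a) for a in c2_addresses}
    c2_nets = {ipaddress.ip_network(a + "/24", strict=False) for a in c2_addresses}  # assumed heuristic
    findings = []
    for f in flows:
        dst = ipaddress.ip_address(f["dst"])
        if f["proto"] != "TCP" or dst.is_private:
            continue
        reasons = []
        if dst in c2_hosts:
            reasons.append("configured C2 address")
        elif any(dst in net for net in c2_nets):
            reasons.append("same /24 as a configured C2 address")
        answer = dns_answers.get(f["dst"])
        if answer is None or answer[0] > f["time"]:
            reasons.append("no prior DNS answer for destination")
        if reasons:
            findings.append({"time": f["time"].isoformat(), "dst": f["dst"],
                             "dport": f["dport"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in audit_flows(parse_flows(FLOW_LOG), parse_dns(DNS_LOG), C2_ADDRESSES):
        print(hit["time"], hit["dst"], hit["dport"], "; ".join(hit["reasons"]))
```

The "no prior DNS answer" rule is the one that generalises beyond this sample: a process that connects straight to a public IP it never resolved is carrying that address in its code or configuration, which is exactly what the extracted C2 list shows. Expect legitimate noise from software that pins CDN addresses, so treat it as a triage filter rather than an alert on its own.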
Signature Details

The per-signature detail tables lost their source (file, process or URL) and value columns in extraction; what survives is the row type, a row count and, for code-based signatures, the function addresses. Addresses follow the Joe Sandbox form <process index>_<run>_<virtual address>; with this process tree, index 0 is file.exe, 1 is is-188R9.tmp and 2 is ntFolders.exe. Addresses in the 0x10000000 range lie outside the main image (default base 0x400000) and usually belong to a DLL loaded at its preferred base.

AV Detection
- URL Reputation: 1 row; Avira URL Cloud: 1 row; ReversingLabs: 1 row; Joe Sandbox ML: 1 row; Avira: 4 rows
- Malware Configuration Extractor: 1 row (the C2 list above)
- Code functions: 1_2_10001000, 1_2_10001130, 2_2_00403770
Compliance
- Unpacked PE file: 1 row; Static PE information: 1 row; Binary string: 1 row
- Code functions (12 rows): 1_2_0046C770, 1_2_00474708, 1_2_00451554, 1_2_0048A778, 1_2_004729D4, 1_2_0045CA54, 1_2_00406FEC, 1_2_0045DB60, 1_2_0045DEF4, 2_2_00404490, 2_2_00423E2D, 2_2_1000959D
- File opened: 6 rows
Networking
- Snort IDS: 2 rows (the two alerts listed above)
- IPs: 4 rows; ASN Name: 2 rows; IP Address: 1 row
- TCP traffic detected without corresponding DNS query: 50 rows (endpoints not extracted; the contacted IPs are in the IP table below)
- String found in binary or memory: 11 rows
- Code function: 2_2_00401B30
- HTTP traffic detected: 14 rows
- Binary or memory string: 1 row
E-Banking Fraud
- File source: 7 rows (Yara-based; sources not extracted)
(Section heading lost in extraction)
- Static PE information: 1 row
- Code functions (40 rows): 0_2_004081C8; 1_2_00468940, 1_2_00460F30, 1_2_0043DF70, 1_2_004303A4, 1_2_0047A6D8, 1_2_004446E8, 1_2_00434994, 1_2_0045AA90, 1_2_00480BDC, 1_2_00444C90, 1_2_00462F38, 1_2_00445388, 1_2_00435698, 1_2_00445794, 1_2_0042F948, 1_2_00457BB4; 2_2_00404490, 2_2_004096F0, 2_2_004056A0, 2_2_00406800, 2_2_00406AA0, 2_2_00404D40, 2_2_00405F40, 2_2_00402F20, 2_2_004150D3, 2_2_00415305, 2_2_004223A9, 2_2_00419510, 2_2_00404840, 2_2_00426850, 2_2_00410A50, 2_2_0042AB9A, 2_2_00421C88, 2_2_0042ACBA, 2_2_00447D2D, 2_2_00428D39, 2_2_00404F20, 2_2_1000F670, 2_2_1000EC61
- Code functions (3 rows): 1_2_00423D9C, 1_2_004127F0, 1_2_004551C4
- Static PE information: 6 rows, then 1 row
- Binary or memory string: 6 rows
- Dropped File: 1 row; Static PE information: 1 row; File read: 1 row; Key opened: 1 row
- Process created: 12 rows
- Key value queried: 1 row
- Code functions: 0_2_00408F74, 1_2_00453A8C
- WMI Queries: 1 row
- File created: 1 row, then 1 row
- Classification label: 1 row (mal96.troj.evad.winEXE@12/23@0/5, see General Information)
- Code function: 2_2_00401B30
- File read: 1 row
- Code function: 1_2_00454498
- Code function: 2_2_00402BF0
- Code function: 2_2_00405350
- Mutant created: 1 row
- Code function: 1_2_0040B1E0
- File created: 1 row
- Command line argument: 4 rows, all at 2_2_004096F0
- Window found: 1 row; Window detected: 1 row
- Static file information: 1 row; Binary string: 1 row
Data Obfuscation (and the sections that follow it; their headings were lost in extraction)
- Unpacked PE file: 2 rows
- Code functions (30 rows): 0_2_004065B9, 0_2_00404195, 0_2_0040442D (x4), 0_2_00407E89, 0_2_00408B4F; 1_2_00409BA5, 1_2_0040A258, 1_2_0040A255, 1_2_004782B3, 1_2_004063C9, 1_2_004303A9, 1_2_0045A751, 1_2_004108ED, 1_2_00412B9B, 1_2_00451023, 1_2_0040D242, 1_2_004055F9, 1_2_00443664, 1_2_00405891 (x4), 1_2_0047976D, 1_2_0040F7A2, 1_2_00419E45; 2_2_004311B6, 2_2_0040F4CE
- Static PE information: 1 row, then 1 row
- File created (dropped files): 10 rows
- Code functions (10 rows): 1_2_00423E24 (x2), 1_2_004243F4, 1_2_004243AC, 1_2_0041859C, 1_2_00422A74, 1_2_004177B0, 1_2_00477D2C, 1_2_00417EE6, 1_2_00417EE8
- Process information set: 24 rows
- Evasive API call chain: graph_0-5519
- Last function: 1 row
- Dropped PE file which has not been started: 6 rows
- Check user administrative privileges: graph_2-35031
- Code function: 2_2_004056A0
- Process information queried: 1 row
- Code function: 0_2_004095D0
- Code functions (12 rows, the same set as under Compliance): 1_2_0046C770, 1_2_00474708, 1_2_00451554, 1_2_0048A778, 1_2_004729D4, 1_2_0045CA54, 1_2_00406FEC, 1_2_0045DB60, 1_2_0045DEF4, 2_2_00404490, 2_2_00423E2D, 2_2_1000959D
- File opened: 6 rows
- Binary or memory string: 2 rows
- Code function: 2_2_0041336B
- Code function: 2_2_00402BF0
- Code function: 2_2_00402F20
- Process token adjusted: 1 row
- Code functions (6 rows): 2_2_0044028F, 2_2_0042041F, 2_2_004429E7, 2_2_00417BAF, 2_2_100091C7, 2_2_10006CE1
- Code functions (7 rows): 2_2_0040F789, 2_2_0041336B, 2_2_0040F5F5, 2_2_0040EBD2, 2_2_10006180, 2_2_100035DF, 2_2_10003AD4
- Process created: 1 row, then 2 rows
- Code function: 1_2_004593E4
- Binary or memory string: 3 rows
- Code functions (16 rows): 0_2_004051C8, 0_2_00405214, 1_2_0040874C, 1_2_00408798, 2_2_00404D40, 2_2_00427041, 2_2_0042708C, 2_2_00427127, 2_2_004271B2, 2_2_0041E2FF, 2_2_00427405, 2_2_0042752B, 2_2_00427631, 2_2_00427700, 2_2_0041E821, 2_2_00426D9F
- Code function: 2_2_0040F7F3
- Code function: 1_2_00455B2C
- Code function: 0_2_004026C4
- Code function: 0_2_00405CB0
- Code function: 1_2_00453A24
Stealing of Sensitive Information
- File source: 7 rows (Yara-based; sources not extracted)
MITRE ATT&CK Matrix (the report prints the full matrix with every unmatched technique; only techniques with matching signatures are kept here, with the signature count in brackets)

Tactic | Techniques (signature count)
---|---
Execution | Windows Management Instrumentation (1), Command and Scripting Interpreter (2), Native API (2)
Privilege Escalation | Access Token Manipulation (1), Process Injection (13)
Defense Evasion | Masquerading (2), Disable or Modify Tools (1), Access Token Manipulation (1), Process Injection (13), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (23)
Credential Access | Input Capture (1)
Discovery | System Time Discovery (1), Security Software Discovery (141), Process Discovery (3), Application Window Discovery (11), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (3), System Information Discovery (26)
Collection | Input Capture (1), Archive Collected Data (1)
Command and Control | Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (1), Application Layer Protocol (11)
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
⊘No Antivirus matches

Dropped Files (file names not extracted)
Detection | Scanner | Label
---|---|---
100% | Joe Sandbox ML |
0% | ReversingLabs |
0% | ReversingLabs |
2% | ReversingLabs |
0% | ReversingLabs |
2% | ReversingLabs |
50% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE Files (file names not extracted)
Detection | Scanner | Label
---|---|---
100% | Avira | HEUR/AGEN.1250671
100% | Avira | HEUR/AGEN.1232832
100% | Avira | TR/Crypt.XPACK.Gen2
100% | Avira | TR/Patched.Ren.Gen
100% | Avira | TR/Crypt.XPACK.Gen2
100% | Avira | TR/Crypt.XPACK.Gen8

Domains (name not extracted)
Detection | Scanner | Label
---|---|---
0% | Virustotal |

URLs (URLs not extracted)
Detection | Scanner | Label
---|---|---
0% | URL Reputation | safe
0% | URL Reputation | safe
0% | URL Reputation | safe
0% | URL Reputation | safe
0% | URL Reputation | safe
100% | URL Reputation | malware
0% | URL Reputation | safe
0% | URL Reputation | safe
0% | URL Reputation | safe
0% | Avira URL Cloud | safe
100% | Avira URL Cloud | malware
0% | Avira URL Cloud | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
---|---|---|---|---|---
windowsupdatebg.s.llnwi.net | 178.79.242.0 | true | false | | unknown

Contacted URLs (names not extracted)
Name | Malicious | Antivirus Detection | Reputation
---|---|---|---
(not extracted) | true | | unknown
(not extracted) | true | | unknown
(not extracted) | true | | unknown
(not extracted) | true | | unknown

URLs from Memory and Binary Strings (names and sources not extracted)
Name | Source | Malicious | Antivirus Detection | Reputation
---|---|---|---|---
(not extracted) | | false | | unknown
(not extracted) | | false | | unknown
(not extracted) | | false | | low
(not extracted) | | true | | unknown
(not extracted) | | false | | unknown
(not extracted) | | false | | low
(not extracted) | | false | | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
45.139.105.171 | unknown | Italy | 33657 | CMCSUS | true
45.139.105.1 | unknown | Italy | 33657 | CMCSUS | true
85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true
107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | true
171.22.30.106 | unknown | Germany | 33657 | CMCSUS | true
General Information
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 764035
Start date and time: 2022-12-09 10:46:08 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 21s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: (not extracted)
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winEXE@12/23@0/5
EGA Information: (not extracted)
HDC Information: (not extracted)
HCA Information: (not extracted)
Cookbook Comments:
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 8.238.85.126, 8.241.126.121, 8.238.191.126, 8.248.131.254, 8.238.190.126, 93.184.221.240
- Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
- Not all processes were analyzed; the report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
10:47:07 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.139.105.171 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
windowsupdatebg.s.llnwi.net | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | 20 related samples (names and hashes not captured in this export) | | malicious | | |
CMCSUS | 20 related samples (names and hashes not captured in this export) | | malicious | | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\PrintFolders\Russian.dll (copy) | 20 related samples (names and hashes not captured in this export) | | malicious | | |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3403776 |
Entropy (8bit): | 5.672339987165257 |
Encrypted: | false |
SSDEEP: | 98304:/fY3VQjKp3rHsVs4F5LrGfQd0C28E/8K+:isBXR |
MD5: | 998EE7C6DBC3A2B7C9B1C9639CECA33C |
SHA1: | E53F5F744CC01E8EF5C05ADAA594C87AF9DF6A66 |
SHA-256: | 5B66B3EB6FEBD3076D7A199B86489A847546BB21439ADD813FBC1F6E598DF7C5 |
SHA-512: | E1511AAF4F8D30275ABDAFDAFCA50AF74DC6231FAD6C359B02E121E4986898C3C6C74A823726F4AE49534BAAC2EF61088B857E3FC67F997711C72F0FB9DF7020 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 714506 |
Entropy (8bit): | 6.488639273564823 |
Encrypted: | false |
SSDEEP: | 12288:Ih5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOZ:q5NoqWolrP837JzHvA6yknyWFxvVxOZ |
MD5: | F82EF8A460249A7A71B8DA396C651027 |
SHA1: | 1BA036C9860EB581550998DA24980CC63CD7E2C9 |
SHA-256: | B7B477D0DE6348FAEA68869B86782B2859AC302A0DFE5C91B94CE65CFAD31218 |
SHA-512: | F331C2149313896A37AD0F268EB83EFF75B1A65EE1372185F02558F49BB4E0DE2BF9565D93DEF6A0009D37A2CDC297CC14108629CDBE168FDDA202470BEBE31A |
Malicious: | true |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 3403776 |
Entropy (8bit): | 5.672340721630265 |
Encrypted: | false |
SSDEEP: | 98304:UfY3VQjKp3rHsVs4F5LrGfQd0C28E/8K+:9sBXR |
MD5: | E2D8395C6ADC664320DCF1CFC63336F4 |
SHA1: | 83B874B930FC45127A38E576ED26FF49ADB8EEBB |
SHA-256: | 3C340CC08770DCB3706C5AAEC7ADBA45BCC60737050C3ED817473589EEB862BE |
SHA-512: | A6E5AB555F5DB60E5D519B37AD231ABB3B3F6261929A2744D5D16F9D66F9EB8CBEBE91997B2DE660BD8757D408D30993CFA48F6742377EA9FFD0FD844624D986 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3804 |
Entropy (8bit): | 4.499289945780387 |
Encrypted: | false |
SSDEEP: | 48:zXlihyMHLBv8iD86plmlDFoIN0hqkLVO3471qVToa0zA47bJMuGq:xYrp8iD86p4lJoIyhqYOIh0Xc |
MD5: | 34C89D308FC4DAAF854CA976FAD1C258 |
SHA1: | 10BAAA5B799348A599A4E6AC501B1B3C3B931C39 |
SHA-256: | 00FE7490A30A0F5572324B7C6847FF7F94F3B05E14613BC7579F7A48B1678B6A |
SHA-512: | CBB5591FDBAB42EE73CF43E424467837471F8603C7F1A98A90DBADE6477B69A5E8A913DE6B3D655A74F95D13F35509C806EDBFD023876B1DF0F1345600DB68A6 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 714506 |
Entropy (8bit): | 6.488639273564823 |
Encrypted: | false |
SSDEEP: | 12288:Ih5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOZ:q5NoqWolrP837JzHvA6yknyWFxvVxOZ |
MD5: | F82EF8A460249A7A71B8DA396C651027 |
SHA1: | 1BA036C9860EB581550998DA24980CC63CD7E2C9 |
SHA-256: | B7B477D0DE6348FAEA68869B86782B2859AC302A0DFE5C91B94CE65CFAD31218 |
SHA-512: | F331C2149313896A37AD0F268EB83EFF75B1A65EE1372185F02558F49BB4E0DE2BF9565D93DEF6A0009D37A2CDC297CC14108629CDBE168FDDA202470BEBE31A |
Malicious: | true |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94224 |
Entropy (8bit): | 7.998072640845361 |
Encrypted: | true |
SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
MD5: | 418619EA97671304AF80EC60F5A50B62 |
SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17 |
Entropy (8bit): | 3.1751231351134614 |
Encrypted: | false |
SSDEEP: | 3:nCmxEl:Cmc |
MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4608 |
Entropy (8bit): | 4.226829458093667 |
Encrypted: | false |
SSDEEP: | 48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa |
MD5: | 9E5BA8A0DB2AE3A955BEE397534D535D |
SHA1: | EF08EF5FAC94F42C276E64765759F8BC71BF88CB |
SHA-256: | 08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA |
SHA-512: | 229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 704000 |
Entropy (8bit): | 6.478833170287182 |
Encrypted: | false |
SSDEEP: | 12288:gh5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOM:y5NoqWolrP837JzHvA6yknyWFxvVxOM |
MD5: | 2C3832FDF847813369EC960CD39C8265 |
SHA1: | 35B24C0B451E987C1E2B07B670A65FBCB02B118C |
SHA-256: | 2820D4BDBD9CAB3EEE82C86B11CFB2B8EC55247BCB975331078ECD182C1471B2 |
SHA-512: | 408A642264E967AAA78CC7B58529AAA152BA85AF12A4DC7DBA0A82E560E08299031CB45D8DE78E5FA26F03FC6DB863344AAA68E010F7DDDA4FC29501365D986A |
Malicious: | true |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
Antivirus: |
|
Preview: |
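The dropped-file entries above give, per file, the size, the 8-bit entropy, four digests and an "Encrypted" flag, but most entries have lost their file name and several digests appear more than once (SHA-256 F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 is listed twice, as are the 118869-byte and 714506-byte files), which is what happens when an Inno Setup installer unpacks a file to its temporary is-XXXXX.tmp directory and then copies it into Program Files. The following Python is an added example, not part of the Joe Sandbox report: it recomputes the same fields for a set of files and merges entries by SHA-256 so one payload dropped to several paths is reviewed once. The three 1-byte files dropped by ntFolders.exe above (MD5 CFCD208495D565EF66E7DFF9F98764DA, entropy 0.0) are the ASCII digit "0", which the example reproduces. The file paths in SAMPLE_FILES are hypothetical, and the 7.99 entropy cut-off for the "encrypted" flag is an assumption of the example: the report marks 7.998 as encrypted and 7.933 as not, but does not state its threshold.

```python
import hashlib
import math
from collections import Counter

# Assumption of this example, not a documented sandbox setting: the report marks a file with
# entropy 7.998 as "Encrypted: true" and one with 7.933 as "Encrypted: false", so 7.99 is
# consistent with it, but the real cut-off is not stated on the page.
ENCRYPTED_ENTROPY_THRESHOLD = 7.99

# Constructed sample set standing in for the dropped files. Paths are hypothetical; the two
# one-byte files reproduce the report's 1-byte drops (ASCII "0"), the 1024-byte blob has every
# byte value equally often (entropy exactly 8.0), and the text file is the DOS-stub string
# visible in the report's content preview.
SAMPLE_FILES = {
    r"C:\Program Files (x86)\PrintFolders\marker1.dat": b"0",
    r"C:\Program Files (x86)\PrintFolders\marker2.dat": b"0",
    r"C:\Users\user\AppData\Local\Temp\blob.bin": bytes(range(256)) * 4,
    r"C:\Users\user\AppData\Local\Temp\stub.txt": b"This program must be run under Win32\r\n",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or single-symbol input, 8.0 at most."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def digest_record(data: bytes) -> dict:
    """The per-file fields the report shows: size, entropy, the four digests and the encrypted flag."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "encrypted": entropy >= ENCRYPTED_ENTROPY_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def triage(files: dict) -> list:
    """Hash every file, merge entries with identical SHA-256 (one payload written to several
    paths is reviewed once) and return them with the highest-entropy content first."""
    by_sha256 = {}
    for path, data in files.items():
        rec = digest_record(data)
        entry = by_sha256.setdefault(rec["sha256"], {"paths": [], **rec})
        entry["paths"].append(path)
    return sorted(by_sha256.values(), key=lambda r: r["entropy"], reverse=True)


if __name__ == "__main__":
    for rec in triage(SAMPLE_FILES):
        flag = "ENCRYPTED" if rec["encrypted"] else "plain"
        print(f"{rec['sha256']}  {rec['size']:>6} B  H={rec['entropy']:.3f}  {flag}  {len(rec['paths'])} path(s)")
```

Entropy alone is a weak signal: the 94224-byte fuckingdllENCR[1].dll at 7.998 is flagged "Encrypted: true" while the 118869-byte file at 7.933 is not, yet a compressed resource, a PNG or a signed installer payload sits in the same band. Use the flag to order review, and the merged SHA-256 list to avoid analysing the temporary copy and the installed copy as two samples.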
File type: | |
Entropy (8bit): | 7.9848801233119335 |
TrID: |
|
File name: | file.exe |
File size: | 2268666 |
MD5: | f6ef13946619524c0e6bb1c01cfa73fb |
SHA1: | e8a59c66c15d4a1681cff18cb8a9750db3da648f |
SHA256: | e2224686d59ed32b39689b853a88c3f17720dead31201d8920d4ef5d71ed4eb7 |
SHA512: | a34d316050efeeebc9452be517ae1dd0c96039b2bb176b5d8388412c3de2f69271896bb34249ca1042d0dda8954d22e7bdb0938963ef58ab73f5402abb8bf80f |
SSDEEP: | 49152:O4Y7nFp2Vwdy+wrOgoc3bIa0/O1bmOBH83rP8fMbYKfZ5:OP7FAVYydrDIzW1bmOBYwMcKfj |
TLSH: | DDB533C1FAE1213DEAB651F52C1295B402F73DF0ACF1544A7A4E7B22A773391224B636 |
File Content Preview: | MZP.....................@.......................Inno..".-b..............!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | ecccdac6c6c6d464 |
Entrypoint: | 0x40968c |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | da86ff6d22d7419ae7f10724a403dffd |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFD4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-1Ch], eax |
call 00007F8C10FA246Fh |
call 00007F8C10FA371Ah |
call 00007F8C10FA590Dh |
call 00007F8C10FA5954h |
call 00007F8C10FA7EA3h |
call 00007F8C10FA7F92h |
mov esi, 0040BDE0h |
xor eax, eax |
push ebp |
push 00409D71h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 00409D27h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040B014h] |
call 00007F8C10FA891Fh |
call 00007F8C10FA84DEh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007F8C10FA5DC8h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040BDD4h |
call 00007F8C10FA251Bh |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040BDD4h] |
mov dl, 01h |
mov eax, 004070C4h |
call 00007F8C10FA642Bh |
mov dword ptr [0040BDD8h], eax |
xor edx, edx |
push ebp |
push 00409D05h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
lea edx, dword ptr [ebp-18h] |
mov eax, dword ptr [0040BDD8h] |
call 00007F8C10FA6503h |
mov ebx, dword ptr [ebp-18h] |
mov edx, 00000030h |
mov eax, dword ptr [0040BDD8h] |
call 00007F8C10FA663Dh |
mov edx, esi |
mov ecx, 0000000Ch |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x8c8 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0xd5a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x8e00 | 0x8e00 | False | 0.6218364876760564 | data | 6.600437911517656 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xa000 | 0x248 | 0x400 | False | 0.3115234375 | data | 2.7204325510923035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xb000 | 0xe64 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc000 | 0x8c8 | 0xa00 | False | 0.389453125 | data | 4.2507970587946735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xd000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xe000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0xf000 | 0x86c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0xd5a0 | 0xd600 | False | 0.2876204731308411 | data | 5.7136247823841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
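The static header data above is the fingerprint of a Delphi-built Inno Setup installer: an "MZP" DOS stub and the string "Inno" in the content preview, Borland section names (CODE, DATA, BSS) next to the usual dotted ones, file characteristics that sum to 0x818F, and TimeDateStamp 0x2A425E19. That timestamp is the fixed value Borland/Delphi linkers write into every image, so "Fri Jun 19 1992" says nothing about when the sample was built and must not be used to date it. The following Python is an added example, not part of the Joe Sandbox report: it parses the COFF header and section table with struct alone and runs the header checks behind signatures such as "PE file contains sections with non-standard names". build_sample_pe() is a constructed image that carries this report's section table (raw-data pointers are placeholders and no section bodies are included), and the set of "standard" section names is the example's own list.

```python
import struct
from datetime import datetime, timezone

# TimeDateStamp that Borland/Delphi linkers write into every image instead of the build time.
DELPHI_TIMESTAMP = 0x2A425E19

FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE",
    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
# The example's own notion of "standard" names; CODE/DATA/BSS are Borland's and fall outside it.
STANDARD_SECTION_NAMES = {".text", ".data", ".bss", ".rdata", ".idata", ".edata",
                          ".rsrc", ".reloc", ".tls", ".pdata", ".debug"}


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Read the COFF file header and the section table with struct only (no pefile dependency)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sec_off = coff + 20 + opt_size          # the section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "flags": decode_flags(sflags, SECTION_FLAGS)})
    return {"machine": machine, "timestamp": tstamp,
            "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "characteristics": chars,
            "characteristics_flags": decode_flags(chars, FILE_CHARACTERISTICS),
            "sections": sections}


def triage(pe):
    """Header checks of the kind behind the report's section-name and unpacking signatures."""
    findings = {"fixed_delphi_timestamp": pe["timestamp"] == DELPHI_TIMESTAMP,
                "non_standard_sections": [], "writable_executable": [], "virtual_only": []}
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings["non_standard_sections"].append(s["name"])
        if "IMAGE_SCN_MEM_WRITE" in s["flags"] and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]:
            findings["writable_executable"].append(s["name"])   # classic self-modifying/unpacker layout
        if s["raw_size"] == 0 and s["vsize"] > 0:
            findings["virtual_only"].append(s["name"])          # exists only in memory: BSS, TLS, stripped .reloc
    return findings


def build_sample_pe():
    """Constructed image: 64-byte DOS stub, zeroed optional header, and the section table copied
    from this report's static analysis. Raw-data pointers are placeholders; no section bodies."""
    sections = [  # name, virtual address, virtual size, raw size, characteristics
        (b"CODE",   0x1000,  0x8e00, 0x8e00, 0x60000020),
        (b"DATA",   0xa000,  0x248,  0x400,  0xC0000040),
        (b"BSS",    0xb000,  0xe64,  0x0,    0xC0000000),
        (b".idata", 0xc000,  0x8c8,  0xa00,  0xC0000040),
        (b".tls",   0xd000,  0x8,    0x0,    0xC0000000),
        (b".rdata", 0xe000,  0x18,   0x200,  0x50000040),
        (b".reloc", 0xf000,  0x86c,  0x0,    0x50000040),
        (b".rsrc",  0x10000, 0xd5a0, 0xd600, 0x50000040),
    ]
    dos = bytearray(b"MZP" + b"\0" * 61)     # "MZP" stub as in the report's content preview
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), DELPHI_TIMESTAMP, 0, 0, 0xE0, 0x818F)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0x400, 0, 0, 0, 0, fl)
                     for n, va, vs, rs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xE0) + table


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["timestamp_utc"], pe["characteristics_flags"])
    print(triage(pe))
```

On this sample the checks report the fixed Delphi timestamp, CODE/DATA/BSS as non-standard names and BSS/.tls/.reloc as virtual-only sections, but no writable-and-executable section: the "overwrites its own PE header" and "changes PE section rights" signatures in the report come from runtime VirtualProtect behaviour, which the on-disk headers cannot show.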
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1042c | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4608 | English | United States |
RT_ICON | 0x11a54 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States |
RT_ICON | 0x128fc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States |
RT_ICON | 0x131a4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672 | English | United States |
RT_ICON | 0x1386c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States |
RT_ICON | 0x13dd4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States |
RT_ICON | 0x17ffc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States |
RT_ICON | 0x1a5a4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States |
RT_ICON | 0x1b64c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States |
RT_ICON | 0x1bfd4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States |
RT_STRING | 0x1c43c | 0x2f2 | data | ||
RT_STRING | 0x1c730 | 0x30c | data | ||
RT_STRING | 0x1ca3c | 0x2ce | data | ||
RT_STRING | 0x1cd0c | 0x68 | data | ||
RT_STRING | 0x1cd74 | 0xb4 | data | ||
RT_STRING | 0x1ce28 | 0xae | data | ||
RT_GROUP_ICON | 0x1ced8 | 0x92 | data | English | United States |
RT_VERSION | 0x1cf6c | 0x3a8 | data | English | United States |
RT_MANIFEST | 0x1d314 | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryA, ReadFile, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
12/09/22-10:47:08.950307 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
12/09/22-10:47:08.733822 | TCP | 2041920 | ET TROJAN GCleaner Downloader Activity M8 | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
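The two Snort alerts above fire on the two HTTP conversations in the packet table that follows: 192.168.2.3:49698 to 45.139.105.171:80 (the downloader check-in, SID 2041920, raised on the client's request) and 192.168.2.3:49699 to 107.182.129.235:80 (SID 2852925, raised on the server's payload response, so its source is the remote host). The following Python is an added example, not part of the Joe Sandbox report: it rebuilds bidirectional flows from rows in the report's packet-table layout and attaches each alert to the flow whose 4-tuple it matches regardless of direction, which is what lets a response-side alert land on the same flow as the request that caused it. PACKET_ROWS is a constructed excerpt containing only the first fourteen rows of the table, so the packet counts it yields cover that excerpt and not the full capture.

```python
from datetime import datetime

# The two Snort alerts as the report lists them:
# (timestamp, SID, message, source port, dest port, source IP, dest IP).
ALERTS = [
    ("12/09/22-10:47:08.950307", 2852925, "ETPRO TROJAN GCleaner Downloader - Payload Response",
     80, 49699, "107.182.129.235", "192.168.2.3"),
    ("12/09/22-10:47:08.733822", 2041920, "ET TROJAN GCleaner Downloader Activity M8",
     49698, 80, "192.168.2.3", "45.139.105.171"),
]

# Constructed excerpt: the first fourteen rows of the report's TCP packet table, one per line,
# in the report's own "timestamp | source port | dest port | source IP | dest IP" layout.
PACKET_ROWS = """\
Dec 9, 2022 10:47:08.705904007 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171
Dec 9, 2022 10:47:08.733005047 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3
Dec 9, 2022 10:47:08.733119011 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171
Dec 9, 2022 10:47:08.733822107 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171
Dec 9, 2022 10:47:08.760735989 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3
Dec 9, 2022 10:47:08.769081116 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3
Dec 9, 2022 10:47:08.769258976 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171
Dec 9, 2022 10:47:08.834444046 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235
Dec 9, 2022 10:47:08.863338947 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3
Dec 9, 2022 10:47:08.863445997 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235
Dec 9, 2022 10:47:08.865816116 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235
Dec 9, 2022 10:47:08.892735958 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3
Dec 9, 2022 10:47:08.892951965 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3
Dec 9, 2022 10:47:08.893037081 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235
"""


def parse_timestamp(text):
    """'Dec 9, 2022 10:47:08.705904007 CET' -> naive datetime. The nanosecond field is cut to
    six digits because strptime's %f stops there; the zone suffix is dropped (all rows share it)."""
    stamp, frac_and_zone = text.rsplit(".", 1)
    frac = frac_and_zone.split()[0][:6]
    return datetime.strptime(f"{stamp}.{frac}", "%b %d, %Y %H:%M:%S.%f")


def parse_packets(rows):
    packets = []
    for line in rows.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = [cell.strip() for cell in line.split("|")]
        packets.append({"ts": parse_timestamp(ts), "sport": int(sport), "dport": int(dport),
                        "src": src, "dst": dst})
    return packets


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation land in one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def build_flows(packets):
    """Aggregate packets into bidirectional flows; the first packet seen names the client side."""
    flows = {}
    for p in packets:
        key = flow_key(p["src"], p["sport"], p["dst"], p["dport"])
        f = flows.setdefault(key, {"client": p["src"], "client_port": p["sport"],
                                   "server": p["dst"], "server_port": p["dport"],
                                   "first": p["ts"], "last": p["ts"],
                                   "packets_out": 0, "packets_in": 0, "alerts": []})
        f["last"] = max(f["last"], p["ts"])
        if p["src"] == f["client"]:
            f["packets_out"] += 1
        else:
            f["packets_in"] += 1
    return flows


def correlate_alerts(flows, alerts):
    """Attach each IDS alert to the flow whose 4-tuple it matches, whichever way it was raised."""
    for _ts, sid, msg, sport, dport, src, dst in alerts:
        f = flows.get(flow_key(src, sport, dst, dport))
        if f is not None:
            f["alerts"].append((sid, msg))
    return sorted(flows.values(), key=lambda f: f["first"])


def summarize(rows=PACKET_ROWS, alerts=ALERTS):
    return correlate_alerts(build_flows(parse_packets(rows)), alerts)


if __name__ == "__main__":
    for f in summarize():
        span = (f["last"] - f["first"]).total_seconds()
        print(f"{f['client']}:{f['client_port']} -> {f['server']}:{f['server_port']} "
              f"out={f['packets_out']} in={f['packets_in']} {span:.3f}s alerts={[s for s, _ in f['alerts']]}")
```

Keying flows by the sorted endpoint pair is what makes the correlation work for SID 2852925: Snort reports it with the remote host as source because it matched the HTTP response, and a naive (src, sport, dst, dport) lookup would never find the client's request flow.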
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 9, 2022 10:47:08.705904007 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Dec 9, 2022 10:47:08.733005047 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3 |
Dec 9, 2022 10:47:08.733119011 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Dec 9, 2022 10:47:08.733822107 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Dec 9, 2022 10:47:08.760735989 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3 |
Dec 9, 2022 10:47:08.769081116 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3 |
Dec 9, 2022 10:47:08.769258976 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Dec 9, 2022 10:47:08.834444046 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.863338947 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.863445997 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.865816116 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.892735958 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.892951965 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.893037081 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.923158884 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.949912071 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950306892 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950339079 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950364113 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950387955 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950409889 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950422049 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.950423002 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.950433969 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950458050 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950481892 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950485945 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.950485945 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.950505018 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950519085 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.950530052 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.950553894 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.950553894 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.950578928 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977371931 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977428913 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977446079 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977475882 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977504015 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977521896 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977571964 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977571964 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977596045 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977619886 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977622032 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977663994 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977669001 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977710009 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977713108 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977752924 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977763891 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977797985 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977816105 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977842093 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977848053 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977895021 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977896929 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977941990 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977948904 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.977986097 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.977992058 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.978029966 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.978065014 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.978074074 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.978087902 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.978117943 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.978123903 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.978161097 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.978168011 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.978204966 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.978220940 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.978249073 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:08.978254080 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:08.978322983 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005016088 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005084991 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005130053 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005137920 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005182028 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005203009 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005203009 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005228996 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005265951 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005275965 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005287886 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005320072 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005340099 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005366087 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005374908 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005410910 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005430937 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005455017 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005462885 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005500078 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005532980 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005542994 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005557060 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005588055 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005620956 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005633116 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005645037 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005678892 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005696058 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005726099 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005738020 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005769968 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005789042 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005815029 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005821943 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005857944 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005886078 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005911112 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005930901 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005953074 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.005965948 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.005992889 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006027937 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006035089 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006050110 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006076097 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006110907 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006114960 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006131887 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006154060 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006179094 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006194115 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006211042 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006232977 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006249905 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006273031 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006295919 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006313086 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006329060 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006354094 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006391048 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006397009 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006417036 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006437063 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006453037 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006477118 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006481886 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006516933 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006547928 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006557941 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006572008 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006597996 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006633043 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006639004 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006653070 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006679058 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006706953 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006721020 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.006735086 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.006784916 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.033524036 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.033562899 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.033592939 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.033600092 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.033622980 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:09.033679008 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.033679962 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.033679962 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:09.099134922 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:09.126121044 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:09.126219034 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:09.126785994 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:09.153537989 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:09.799880028 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:09.799969912 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:11.880548000 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:11.907299995 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:12.665924072 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:12.666022062 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:13.773715019 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3 |
Dec 9, 2022 10:47:13.774599075 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Dec 9, 2022 10:47:14.010241985 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Dec 9, 2022 10:47:14.010309935 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:14.839632988 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:14.866583109 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:15.510291100 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:15.510565996 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:18.239341974 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:18.266659975 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:18.893563986 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:18.893758059 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:20.965230942 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:20.992178917 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:21.689747095 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:21.691329956 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:23.869028091 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:23.896121979 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:24.531301975 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:24.531397104 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:26.646298885 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:26.673002958 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:27.318347931 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:27.318448067 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:29.461602926 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:29.488612890 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:30.104837894 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:30.104938984 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:32.177419901 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:32.204258919 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:32.990359068 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:32.990516901 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:35.087285995 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:35.114516973 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:35.726849079 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:35.726975918 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:38.193700075 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:38.220482111 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:38.837187052 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Dec 9, 2022 10:47:38.837265015 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Dec 9, 2022 10:47:42.122230053 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Dec 9, 2022 10:47:42.122250080 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Dec 9, 2022 10:47:42.122268915 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 9, 2022 10:46:54.544323921 CET | 8.8.8.8 | 192.168.2.3 | 0x4045 | No error (0) | | | 178.79.242.0 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49698 | 45.139.105.171 | 80 | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 9, 2022 10:47:08.733822107 CET | 143 | OUT | |
Dec 9, 2022 10:47:08.769081116 CET | 143 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49699 | 107.182.129.235 | 80 | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 9, 2022 10:47:08.865816116 CET | 144 | OUT | |
Dec 9, 2022 10:47:08.892951965 CET | 144 | IN | |
Dec 9, 2022 10:47:08.923158884 CET | 145 | OUT | |
Dec 9, 2022 10:47:08.950306892 CET | 146 | IN | |