Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Obfuscated command line found
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to launch a program with higher privileges
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 5992 cmdline: C:\Users\user\Desktop\file.exe MD5: 14E09C7A5842688842F6C0BF61C17135)
- file.tmp (PID: 6100 cmdline: "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe" MD5: D76329B30DB65F61D55B20F36B56DA26)
- finalrecovery.exe (PID: 6076 cmdline: "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" MD5: 88A9155EB9D85157634ED38D128C877B)
- 6tohc1clzbcir.exe (PID: 1756 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 4488 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 5968 cmdline: taskkill /im "finalrecovery.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
No Sigma rule has matched
Timestamp: | 01/25/23-10:02:04.044834 |
Source IP: | 45.12.253.72 |
Destination IP: | 192.168.2.3 |
Source Port: | 80 |
Destination Port: | 49708 |
SID: | 2852925 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Networking |
---|
Source: | Snort IDS: |
Source: | IPs: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | Code function: | 2_2_00401B40 |
Source: | HTTP traffic detected: |
Source: | Binary or memory string: |
E-Banking Fraud |
---|
Source: | File source: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00409420 | |
Source: | Code function: | 1_2_00454800 |
Source: | Code function: | 1_2_0042E780 |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Dropped File: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Code function: | 0_2_00409420 | |
Source: | Code function: | 1_2_00454800 |
Source: | WMI Queries: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: | 2_2_00401B40 |
Source: | File read: |
Source: | Code function: | 1_2_00455028 |
Source: | Code function: | 2_2_00402C00 |
Source: | Code function: | 2_2_00405350 |
Source: | Mutant created: |
Source: | Code function: | 0_2_00409BC4 |
Source: | File created: |
Source: | Command line argument: | 2_2_00409670 |
Source: | Key value created or modified: |
Source: | Window found: |
Source: | Window detected: |
Source: | Static file information: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Process created: |
Source: | Static PE information: |
Source: | Code function: | 1_2_0044AC90 |
Source: | Static PE information: |
Source: | File created: |
Source: | Code function: | 1_2_0044AC90 |
Source: | Process information set: |
Source: | Evasive API call chain: | graph_0-5775 |
Source: | Last function: |
Source: | Dropped PE file which has not been started: |
Source: | Check user administrative privileges: | graph_2-35635 |
Source: | Code function: | 2_2_004056A0 |
Source: | Process information queried: |
Source: | Code function: | 0_2_00409B08 |
Source: | Binary or memory string: |
Source: | Code function: | 2_2_004132EB |
Source: | Code function: | 2_2_00402C00 |
Source: | Code function: | 1_2_0044AC90 |
Source: | Code function: | 2_2_00402F20 |
Source: | Process token adjusted: |
Source: | Code function: | 1_2_00476C24 |
Source: | Process created: |
Source: | Code function: | 1_2_0042DF9C |
Source: | Code function: | 2_2_0040F773 |
Source: | Code function: | 1_2_00457964 |
Source: | Code function: | 0_2_004026C4 |
Source: | Code function: | 0_2_00405CBC |
Source: | Code function: | 1_2_004547B8 |
Stealing of Sensitive Information |
---|
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | 3 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 12 Command and Scripting Interpreter | Logon Script (Windows) | 12 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 23 Software Packing | NTDS | 26 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 12 Process Injection | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 3 System Owner/User Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 100% | Joe Sandbox ML | | |
| | 0% | ReversingLabs | | |
| | 0% | ReversingLabs | | |
| | 0% | ReversingLabs | | |
| | 0% | ReversingLabs | | |
| | 0% | ReversingLabs | | |
| | 0% | ReversingLabs | | |
| | 2% | ReversingLabs | | |
| | 60% | ReversingLabs | Win32.Trojan.GenusAgent | |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| | 100% | Avira | TR/Dropper.Gen | | |
| | 100% | Avira | TR/Patched.Ren.Gen | | |
| | 100% | Avira | TR/Patched.Ren.Gen | | |
| | 100% | Avira | TR/Patched.Ren.Gen | | |
| | 100% | Avira | HEUR/AGEN.1250671 | | |
| | 100% | Avira | TR/Patched.Ren.Gen | | |
| | 100% | Avira | TR/Dropper.Gen | | |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.12.253.72 | unknown | Germany | | 33657 | CMCSUS | true |
45.12.253.75 | unknown | Germany | | 33657 | CMCSUS | true |
45.12.253.98 | unknown | Germany | | 33657 | CMCSUS | true |
45.12.253.56 | unknown | Germany | | 33657 | CMCSUS | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 791301 |
Start date and time: | 2023-01-25 10:01:06 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 4s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal92.troj.evad.winEXE@12/24@0/4 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
- Not all processes were analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
10:02:03 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.12.253.72 | | | malicious | | |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | | | malicious | | |
CMCSUS | | | malicious | | |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy) | | | malicious | | |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 791040 |
Entropy (8bit): | 6.608982798504157 |
Encrypted: | false |
SSDEEP: | 24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I |
MD5: | 5C2FE7D4DDE65810152054F3C93C1815 |
SHA1: | 2A19F3FAA78A5072068F7902DB19A248F11FA69B |
SHA-256: | 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730 |
SHA-512: | 2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 1949 |
Entropy (8bit): | 4.915453283427292 |
Encrypted: | false |
SSDEEP: | 48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf |
MD5: | C0AE85DB30FE9027DBBF3BA758FA78BE |
SHA1: | 95E69DB95504A9F61D090690F32FB5D2F685C604 |
SHA-256: | CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7 |
SHA-512: | DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 6452 |
Entropy (8bit): | 4.734154041089812 |
Encrypted: | false |
SSDEEP: | 96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb |
MD5: | 247D3A0C3B0C53CA33D032A561619495 |
SHA1: | F30570C48749FE427FACCBDF925048B149D22460 |
SHA-256: | 783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB |
SHA-512: | 9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 6452 |
Entropy (8bit): | 4.734154041089812 |
Encrypted: | false |
SSDEEP: | 96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb |
MD5: | 247D3A0C3B0C53CA33D032A561619495 |
SHA1: | F30570C48749FE427FACCBDF925048B149D22460 |
SHA-256: | 783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB |
SHA-512: | 9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 553405 |
Entropy (8bit): | 7.979175020825392 |
Encrypted: | false |
SSDEEP: | 12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt |
MD5: | 37E6EEA8C4E469F6439F3790166815DD |
SHA1: | E0A3768F291CC7FCE178A001F0356D4FBA29D81F |
SHA-256: | 606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113 |
SHA-512: | 68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 1327103 |
Entropy (8bit): | 6.349641677377942 |
Encrypted: | false |
SSDEEP: | 24576:p8sn21M2uJJKYcbmuBm/GAihHJTo+M/FLUTTb2ghAfrZLya6p4ZyQzAp:CsroY6mGAugUlgIbn |
MD5: | 88A9155EB9D85157634ED38D128C877B |
SHA1: | 1ED44B28A6652EC52EE93DE9DD18065625938D0B |
SHA-256: | 919DBDEDBDF4312EF0EF97A94343DEC76EEBA35FD50CE0A8B3885029750FAD06 |
SHA-512: | 4A04B85C7DF8ECCDCF7740EB5B451B0696D3C109308766D4A1BB7288B7A13891AC6023EF81BB1754A97157DDC265AF40660AAB6C0E468FC5A4366A92BFD54E71 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 553405 |
Entropy (8bit): | 7.979175020825392 |
Encrypted: | false |
SSDEEP: | 12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt |
MD5: | 37E6EEA8C4E469F6439F3790166815DD |
SHA1: | E0A3768F291CC7FCE178A001F0356D4FBA29D81F |
SHA-256: | 606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113 |
SHA-512: | 68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 1949 |
Entropy (8bit): | 4.915453283427292 |
Encrypted: | false |
SSDEEP: | 48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf |
MD5: | C0AE85DB30FE9027DBBF3BA758FA78BE |
SHA1: | 95E69DB95504A9F61D090690F32FB5D2F685C604 |
SHA-256: | CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7 |
SHA-512: | DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 1327103 |
Entropy (8bit): | 6.349642071497365 |
Encrypted: | false |
SSDEEP: | 24576:O8sn21M2uJJKYcbmuBm/GAihHJTo+M/FLUTTb2ghAfrZLya6p4ZyQzAp:dsroY6mGAugUlgIbn |
MD5: | 686E27330B438E55788EE0A132194478 |
SHA1: | 19AB1A4D5724A647984EDBBDAC465E98F7093B2F |
SHA-256: | 5D07E971A265774EE4C2ACF51CC41C815D247284C1A69AD05298FD54A7285FCF |
SHA-512: | B54D7258AFEB1243445A7E344655D6A050E8F5F44FEBAFF3C5D62D6CEFBC49F948CD35A549D0AFD654310CA3E50951C23863007F94BF944C0957496C4DE96AA6 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 791040 |
Entropy (8bit): | 6.608982798504157 |
Encrypted: | false |
SSDEEP: | 24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I |
MD5: | 5C2FE7D4DDE65810152054F3C93C1815 |
SHA1: | 2A19F3FAA78A5072068F7902DB19A248F11FA69B |
SHA-256: | 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730 |
SHA-512: | 2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 723230 |
Entropy (8bit): | 6.49191904892708 |
Encrypted: | false |
SSDEEP: | 12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF |
MD5: | D0E4493CD1CEC1B97F24BAB12A942543 |
SHA1: | CEE352F43F982FCB36A337D2C15FFDD28B04B80D |
SHA-256: | C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9 |
SHA-512: | D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F |
Malicious: | true |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4340 |
Entropy (8bit): | 4.712609745266559 |
Encrypted: | false |
SSDEEP: | 96:AyWx5pJU+oIahqwOIhdc87ICSss/LBtbgfj1:AyWx5pJU+KEIhZICSsATgfJ |
MD5: | 15CF1A53B3514856C721F859E721DCBD |
SHA1: | 9BC828AC64112060DB3059F8EEC43722BE1AB041 |
SHA-256: | 87159F502A66551DA4E65C05DB04E132CBC46B1D4370EEC9022499FBEAD59A84 |
SHA-512: | C49D7B0D200BC65FA055302353FAC99BBD379D81EF0D220411A379006D4A6A3AA716D36F0E9E2B1BD2AFD699941F5547E371AFB277B99800CFB290A379C5DB99 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 723230 |
Entropy (8bit): | 6.49191904892708 |
Encrypted: | false |
SSDEEP: | 12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF |
MD5: | D0E4493CD1CEC1B97F24BAB12A942543 |
SHA1: | CEE352F43F982FCB36A337D2C15FFDD28B04B80D |
SHA-256: | C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9 |
SHA-512: | D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F |
Malicious: | true |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll
Download File
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 95248 |
Entropy (8bit): | 7.998277474001343 |
Encrypted: | true |
SSDEEP: | 1536:1ajIVNDkCngyeaL3ZC7cjgn35QgjaeiPr6idOZAkOLfTRCaLQhAboaAkepTXnkY5:1vVpj3ZC72gnJQg2eikik4FC9/RX+f6 |
MD5: | 636E3CA21F2541B5EE3AB9922A183C79 |
SHA1: | 4B98C5432E534AF5FA17424C907E61CCFA6880D9 |
SHA-256: | 9B97BF40465ACFBAB5D61EE45ECAC1E485A988ADC66E1A859F950605DC5677B9 |
SHA-512: | 6AA99DFAB439063332383EBA737F34A5929353794245E8E4469EAEB2F7055889891D5A3F3CD3C9F20E37DCDEBFA78C5B5749F3BFDF40263970C880F047A0BDBB |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 21 |
Entropy (8bit): | 3.975418017913833 |
Encrypted: | false |
SSDEEP: | 3:iIxcsJE:iyE |
MD5: | C0236A8F8EB0411CC373CD432E252990 |
SHA1: | 49CA519830FADD97FA7BFB7C3404ED2DB29DF4E0 |
SHA-256: | 375CD2A305050C0ECDC8EF9A417194DB2955F3C99B04C76F1B2CD5A88369A242 |
SHA-512: | 3EDFDF13D9AE53C3DC77B299137C7F318B689F4880D72E50CF037F5A4F5C2A6CBC24CB5FE557C10F458CD1658B65E27EF994794FAB2D8E1562694E7DE5039E7E |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 4.026670007889822 |
Encrypted: | false |
SSDEEP: | 48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc |
MD5: | 0EE914C6F0BB93996C75941E1AD629C6 |
SHA1: | 12E2CB05506EE3E82046C41510F39A258A5E5549 |
SHA-256: | 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2 |
SHA-512: | A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 4.215994423157539 |
Encrypted: | false |
SSDEEP: | 96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF |
MD5: | 4FF75F505FDDCC6A9AE62216446205D9 |
SHA1: | EFE32D504CE72F32E92DCF01AA2752B04D81A342 |
SHA-256: | A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81 |
SHA-512: | BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 712704 |
Entropy (8bit): | 6.4837542632664515 |
Encrypted: | false |
SSDEEP: | 12288:9QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kS0:+tCUA4arPEn37TzH7A6nw9yzeESUFWH/ |
MD5: | D76329B30DB65F61D55B20F36B56DA26 |
SHA1: | 5E4C77B723AE8F05B3AE6AFEEE735A4355F00663 |
SHA-256: | 229FBCB11EE7D1F082B6411610E95F726EEC4E6737E6B6392719DF4F0FE3FA1D |
SHA-512: | A291AED0897315E88B6378B1DB10ADA05BDA8C1ECCAF73DE23F409FE61860EBD1DBB422063E00996584D3B4B100122931D5BBAB54A88951706D75EFCC660F70D |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
Antivirus: |
|
Preview: |
File type: | |
Entropy (8bit): | 7.992737502830512 |
TrID: |
|
File name: | file.exe |
File size: | 1782938 |
MD5: | 14e09c7a5842688842f6c0bf61c17135 |
SHA1: | 4c9e1cbcd933293268c396b3c79f3836665059a8 |
SHA256: | a5ce2c21d3f92080a06e0aa7862303848b2661181b279a2db9b72b8f31a82702 |
SHA512: | 291eba7114f626be1a02953267f4741adeb71593a75cbb8c65e74dc2783253fc94616ae73126dd2d7dd5eb273cebd6413d36a2a67fae66c1796e5b08c7344b15 |
SSDEEP: | 49152:Zj8WUqIwpfvQvBkF9PPeaPhUMewEgjkdLCgv2MR:98WxIU+mzsv2MR |
TLSH: | 7885335282B1D4B9E293A77C3C33DD692ED3BA1961781024331E56CF1F277A2AC4E356 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | a2a0b496b2caca72 |
Entrypoint: | 0x409c18 |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (fixed constant written by the Borland/Delphi linker into every binary it links; not the real build time) |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | 884310b1928934402ea6fec1dbd3cf5e |
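The per-file fields the report lists for each dropped file (size, 8-bit entropy, the Encrypted flag, MD5/SHA1/SHA-256) and the PE Time Stamp above can be recomputed offline during triage. The block below is an added example, not code from the Joe Sandbox report or from the sample: it reproduces those fields for a constructed one-byte input (the report's 1-byte dropped files carry MD5 CFCD208495D565EF66E7DFF9F98764DA and entropy 0.0, which is the digest of the single character "0"), decodes a link timestamp the way the Time Stamp row does, and flags the Borland linker constant. The 7.99 entropy cut-off used for the encrypted verdict is an assumption for illustration, not Joe Sandbox's threshold.

```python
"""Added triage helper (example code, not part of the sandbox report).

Recomputes the per-file fields shown in the report (hashes, 8-bit Shannon
entropy, an encrypted/packed verdict) and decodes a PE link timestamp.
All inputs below are constructed for the example.
"""
import hashlib
import math
from collections import Counter
from datetime import datetime, timezone

# The Borland/Delphi linker stamps every binary with this fixed value
# (0x2A425E19 == 1992-06-19 22:22:17 UTC); it says nothing about build time.
BORLAND_TIMESTAMP = 0x2A425E19

# Entropy (bits/byte) above which this example calls data encrypted/packed.
# Assumed cut-off for illustration; the report's own threshold is not given.
ENCRYPTED_THRESHOLD = 7.99


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_fields(data: bytes) -> dict:
    """Return the same kind of record the report prints per dropped file."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": ent,
        "encrypted": ent >= ENCRYPTED_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def decode_pe_timestamp(ts: int) -> str:
    """Render IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def is_borland_timestamp(ts: int) -> bool:
    """True when the stamp is the Borland/Delphi constant rather than a build time."""
    return ts == BORLAND_TIMESTAMP


if __name__ == "__main__":
    # Constructed inputs: the one-byte "0" file and a uniform 256-byte buffer.
    for sample in (b"0", bytes(range(256))):
        print(file_fields(sample))
    stamp = 0x2A425E19
    print(decode_pe_timestamp(stamp), "borland:", is_borland_timestamp(stamp))
```

Run it against real dropped files by reading them as bytes and passing them to `file_fields`; a high-entropy file with a low `zlib` compression ratio, like the 95248-byte DLL above at 7.998 bits/byte, is the case the Encrypted flag is meant to catch, while a Borland timestamp tells you only that a Delphi-family toolchain produced the binary.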
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFC4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-24h], eax |
call 00007EFFD44E77E3h |
call 00007EFFD44E89EAh |
call 00007EFFD44E8C79h |
call 00007EFFD44EAC88h |
call 00007EFFD44EACCFh |
call 00007EFFD44ED5FEh |
call 00007EFFD44ED765h |
xor eax, eax |
push ebp |
push 0040A2D4h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 0040A29Dh |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040C014h] |
call 00007EFFD44EE1CBh |
call 00007EFFD44EDDFEh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007EFFD44EB2B8h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040CDE8h |
call 00007EFFD44E788Fh |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040CDE8h] |
mov dl, 01h |
mov eax, 00407364h |
call 00007EFFD44EBB47h |
mov dword ptr [0040CDECh], eax |
xor edx, edx |
push ebp |
push 0040A255h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
call 00007EFFD44EE23Bh |
mov dword ptr [0040CDF4h], eax |
mov eax, dword ptr [0040CDF4h] |
cmp dword ptr [eax+0Ch], 01h |
jne 00007EFFD44EE37Ah |
mov eax, dword ptr [0040CDF4h] |
mov edx, 00000028h |
call 00007EFFD44EBF48h |
mov edx, dword ptr [000000F4h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x933c | 0x9400 | False | 0.6138883023648649 | data | 6.557291120606636 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xb000 | 0x24c | 0x400 | False | 0.3134765625 | data | 2.7679914923058866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xc000 | 0xe4c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xd000 | 0x950 | 0xa00 | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xe000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xf000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0x10000 | 0x8b4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | False | 0.3243075284090909 | data | 4.467134664034375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands |
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands |
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands |
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands |
RT_STRING | 0x12574 | 0x2f2 | data | ||
RT_STRING | 0x12868 | 0x30c | data | ||
RT_STRING | 0x12b74 | 0x2ce | data | ||
RT_STRING | 0x12e44 | 0x68 | data | ||
RT_STRING | 0x12eac | 0xb4 | data | ||
RT_STRING | 0x12f60 | 0xae | data | ||
RT_RCDATA | 0x13010 | 0x2c | data | ||
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States |
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS (file-type guess is a misidentification; an RT_VERSION resource holds the VS_VERSIONINFO structure) | English | United States |
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Dutch | Netherlands | |
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/25/23-10:02:04.044834 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 25, 2023 10:02:03.838169098 CET | 49707 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:02:03.864574909 CET | 80 | 49707 | 45.12.253.56 | 192.168.2.3 |
Jan 25, 2023 10:02:03.864726067 CET | 49707 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:02:03.866645098 CET | 49707 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:02:03.894937992 CET | 80 | 49707 | 45.12.253.56 | 192.168.2.3 |
Jan 25, 2023 10:02:03.906924009 CET | 80 | 49707 | 45.12.253.56 | 192.168.2.3 |
Jan 25, 2023 10:02:03.907047033 CET | 49707 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:02:03.933878899 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:03.962369919 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:03.962474108 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:03.965511084 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:03.992350101 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:03.992405891 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:03.992479086 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.017834902 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.044780970 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.044833899 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.044881105 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.044903040 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.044934034 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.044971943 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.045028925 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.045042992 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.045097113 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.045144081 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.045197964 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.045212984 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.045248032 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.045277119 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.045326948 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.045353889 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.045403004 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.045423031 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.045476913 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.045490980 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.045531988 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.072855949 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.072938919 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.072961092 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.072999001 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073029995 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073085070 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073100090 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073138952 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073163986 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073218107 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073234081 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073268890 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073296070 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073349953 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073364019 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073405027 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073425055 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073472023 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073508024 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073524952 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073553085 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073600054 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073626041 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073656082 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073683023 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073729992 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073750019 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073785067 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073812962 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073865891 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073879957 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073920012 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.073941946 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.073987961 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.074008942 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.074048042 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.074069977 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.074122906 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.074136019 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.074170113 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.100656986 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.100718021 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.100743055 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.100780964 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.100815058 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.100871086 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.100887060 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.100938082 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.100951910 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.100985050 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101016998 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101146936 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101169109 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101198912 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101242065 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101289034 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101310968 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101342916 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101373911 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101442099 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101459026 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101506948 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101553917 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101569891 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101613045 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101665020 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101680040 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101716042 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101747990 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101795912 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101839066 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101888895 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101905107 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.101953030 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.101969957 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102016926 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102082014 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102104902 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102157116 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102174997 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102226973 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102266073 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102319956 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102336884 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102368116 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102401018 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102452993 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102467060 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102516890 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102560997 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102607012 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102629900 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102667093 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102710962 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102762938 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102811098 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102863073 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102876902 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102911949 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.102941036 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.102991104 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.103004932 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.103038073 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.103065014 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.103111982 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.103127956 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.103174925 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.103192091 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.103238106 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.103255987 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.103307962 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.103326082 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.103357077 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.103389978 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.103439093 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.103452921 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.103487968 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.103519917 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.103568077 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.130091906 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.130150080 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.130182028 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.130203009 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.130249977 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.130306959 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.130323887 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.130368948 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.130830050 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:04.130914927 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:04.160794973 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:04.186933994 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:04.187083960 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:04.197102070 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:04.224081993 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:04.930826902 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:04.931129932 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:06.997060061 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:07.023386002 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:07.763757944 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:07.763948917 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:08.908459902 CET | 80 | 49707 | 45.12.253.56 | 192.168.2.3 |
Jan 25, 2023 10:02:08.908906937 CET | 49707 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:02:09.105787039 CET | 80 | 49708 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:02:09.106043100 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:09.794056892 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:09.820291996 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:10.516107082 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:10.516488075 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:12.576730967 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:12.602955103 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:13.318223000 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:13.318440914 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:15.544200897 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:15.570667982 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:16.325639963 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:16.325897932 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:18.368289948 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:18.394781113 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:19.105379105 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:19.105479956 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:21.376097918 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:21.402489901 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:22.124958992 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:22.125165939 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:24.153738976 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:24.180033922 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:24.938194036 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:24.938292027 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:26.967304945 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:26.993714094 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:27.734801054 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:27.734874964 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:29.771919966 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:29.798430920 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:30.551927090 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:30.552977085 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:32.651902914 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:32.678428888 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:33.385802031 CET | 80 | 49709 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:02:33.386007071 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:02:36.148209095 CET | 49707 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:02:36.148299932 CET | 49708 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:02:36.148346901 CET | 49709 | 80 | 192.168.2.3 | 45.12.253.75 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49707 | 45.12.253.56 | 80 | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 25, 2023 10:02:03.866645098 CET | 93 | OUT | |
Jan 25, 2023 10:02:03.906924009 CET | 93 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49708 | 45.12.253.72 | 80 | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 25, 2023 10:02:03.965511084 CET | 94 | OUT | |
Jan 25, 2023 10:02:03.992405891 CET | 94 | IN | |
Jan 25, 2023 10:02:04.017834902 CET | 95 | OUT | |
Jan 25, 2023 10:02:04.044833899 CET | 96 | IN | |