Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Obfuscated command line found
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to launch a program with higher privileges
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 408 cmdline: C:\Users\user\Desktop\file.exe MD5: 209DCA1A9633807B9CF36D6447F972DA)
- file.tmp (PID: 3600 cmdline: "C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe" MD5: D76329B30DB65F61D55B20F36B56DA26)
- finalrecovery.exe (PID: 6024 cmdline: "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" MD5: 04947B1020E31A5F5A6E41FD279B4E74)
- wEQg8.exe (PID: 5996 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 68 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 1336 cmdline: taskkill /im "finalrecovery.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
No Sigma rule has matched
Source IP: | 45.12.253.72 |
Destination IP: | 192.168.2.3 |
Timestamp: | 01/25/23-10:17:06.150578 |
SID: | 2852925 |
Source Port: | 80 |
Destination Port: | 49702 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Code function: | 1_2_0045C524 | |
Source: | Code function: | 1_2_0045C5D8 | |
Source: | Code function: | 1_2_0045C5F0 | |
Source: | Code function: | 1_2_10001000 | |
Source: | Code function: | 1_2_10001130 | |
Source: | Code function: | 2_2_00403770 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Code function: | 1_2_00473B80 | |
Source: | Code function: | 1_2_00451DC0 | |
Source: | Code function: | 1_2_004963A0 | |
Source: | Code function: | 1_2_00463080 | |
Source: | Code function: | 1_2_004634FC | |
Source: | Code function: | 1_2_00461AF4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423DAD | |
Source: | Code function: | 2_2_10007E39 |
Networking |
---|
Source: | Snort IDS: |
Source: | IPs: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | Code function: | 2_2_00401B40 |
Source: | HTTP traffic detected: |
Source: | Binary or memory string: |
E-Banking Fraud |
---|
Source: | File source: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00409420 | |
Source: | Code function: | 1_2_00454800 |
Source: | Code function: | 0_2_004083E4 | |
Source: | Code function: | 1_2_00466728 | |
Source: | Code function: | 1_2_0047EB9C | |
Source: | Code function: | 1_2_0046F304 | |
Source: | Code function: | 1_2_0043D388 | |
Source: | Code function: | 1_2_004440A8 | |
Source: | Code function: | 1_2_0045E468 | |
Source: | Code function: | 1_2_0045A510 | |
Source: | Code function: | 1_2_004447A0 | |
Source: | Code function: | 1_2_004687A0 | |
Source: | Code function: | 1_2_00434900 | |
Source: | Code function: | 1_2_00430B40 | |
Source: | Code function: | 1_2_00444BAC | |
Source: | Code function: | 1_2_00484C90 | |
Source: | Code function: | 1_2_00450D1C | |
Source: | Code function: | 1_2_00443B00 | |
Source: | Code function: | 1_2_00485BC4 | |
Source: | Code function: | 1_2_00433BFC | |
Source: | Code function: | 1_2_0048BECC | |
Source: | Code function: | 1_2_0042FFB4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_004096E8 | |
Source: | Code function: | 2_2_004057C7 | |
Source: | Code function: | 2_2_00406800 | |
Source: | Code function: | 2_2_00406AA0 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00405F40 | |
Source: | Code function: | 2_2_00402F20 | |
Source: | Code function: | 2_2_00415053 | |
Source: | Code function: | 2_2_00415285 | |
Source: | Code function: | 2_2_00422329 | |
Source: | Code function: | 2_2_00419490 | |
Source: | Code function: | 2_2_00409670 | |
Source: | Code function: | 2_2_004267D0 | |
Source: | Code function: | 2_2_00404840 | |
Source: | Code function: | 2_2_004109D0 | |
Source: | Code function: | 2_2_0042AB1A | |
Source: | Code function: | 2_2_00421C08 | |
Source: | Code function: | 2_2_0042AC3A | |
Source: | Code function: | 2_2_00428CB9 | |
Source: | Code function: | 2_2_00447D2D | |
Source: | Code function: | 2_2_00404F20 | |
Source: | Code function: | 2_2_1000E111 | |
Source: | Code function: | 2_2_1000FAC0 |
Source: | Code function: | 1_2_0042F178 | |
Source: | Code function: | 1_2_00423B6C | |
Source: | Code function: | 1_2_004563D8 | |
Source: | Code function: | 1_2_004125C0 | |
Source: | Code function: | 1_2_004771E0 |
Source: | Code function: | 1_2_0042E780 |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Dropped File: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Code function: | 0_2_00409420 | |
Source: | Code function: | 1_2_00454800 |
Source: | WMI Queries: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: | 2_2_00401B40 |
Source: | File read: |
Source: | Code function: | 1_2_00455028 |
Source: | Code function: | 2_2_00402C00 |
Source: | Code function: | 2_2_00405350 |
Source: | Mutant created: |
Source: | Code function: | 0_2_00409BC4 |
Source: | File created: |
Source: | Command line argument: | 2_2_00409670 |
Source: | Key value created or modified: |
Source: | Window found: |
Source: | Window detected: |
Source: | Static file information: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Process created: |
Source: | Code function: | 0_2_004065C5 | |
Source: | Code function: | 0_2_004080E1 | |
Source: | Code function: | 0_2_004040F1 | |
Source: | Code function: | 0_2_00404389 | |
Source: | Code function: | 0_2_00404389 | |
Source: | Code function: | 0_2_0040C219 | |
Source: | Code function: | 0_2_00404389 | |
Source: | Code function: | 0_2_00404389 | |
Source: | Code function: | 0_2_00408F3B | |
Source: | Code function: | 1_2_00409961 | |
Source: | Code function: | 1_2_0040A028 | |
Source: | Code function: | 1_2_00476229 | |
Source: | Code function: | 1_2_004062CD | |
Source: | Code function: | 1_2_004586A8 | |
Source: | Code function: | 1_2_004106BD | |
Source: | Code function: | 1_2_0040A781 | |
Source: | Code function: | 1_2_0041296B | |
Source: | Code function: | 1_2_00442A7C | |
Source: | Code function: | 1_2_00450B83 | |
Source: | Code function: | 1_2_00450D21 | |
Source: | Code function: | 1_2_00456E30 | |
Source: | Code function: | 1_2_00492ECD | |
Source: | Code function: | 1_2_0040D012 | |
Source: | Code function: | 1_2_0045F0C4 | |
Source: | Code function: | 1_2_004054A9 | |
Source: | Code function: | 1_2_0040F572 | |
Source: | Code function: | 1_2_0048353D | |
Source: | Code function: | 1_2_00405741 | |
Source: | Code function: | 1_2_00405741 | |
Source: | Code function: | 1_2_00405741 | |
Source: | Code function: | 1_2_00405741 |
Source: | Static PE information: |
Source: | Code function: | 1_2_0044AC90 |
Source: | Static PE information: |
Source: | File created: |
Source: | Code function: | 1_2_00423BF4 | |
Source: | Code function: | 1_2_00423BF4 | |
Source: | Code function: | 1_2_0042417C | |
Source: | Code function: | 1_2_004241C4 | |
Source: | Code function: | 1_2_0041836C | |
Source: | Code function: | 1_2_00422844 | |
Source: | Code function: | 1_2_00417580 | |
Source: | Code function: | 1_2_00481878 | |
Source: | Code function: | 1_2_00417CB6 | |
Source: | Code function: | 1_2_00417CB8 |
Source: | Code function: | 1_2_0044AC90 |
Source: | Process information set: |
Source: | Evasive API call chain: | graph_0-5807 |
Source: | Last function: |
Source: | Dropped PE file which has not been started: |
Source: | Check user administrative privileges: | graph_2-35151 |
Source: | Code function: | 2_2_004057C7 |
Source: | Process information queried: |
Source: | Code function: | 0_2_00409B08 |
Source: | Code function: | 1_2_00473B80 | |
Source: | Code function: | 1_2_00451DC0 | |
Source: | Code function: | 1_2_004963A0 | |
Source: | Code function: | 1_2_00463080 | |
Source: | Code function: | 1_2_004634FC | |
Source: | Code function: | 1_2_00461AF4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423DAD | |
Source: | Code function: | 2_2_10007E39 |
Source: | Binary or memory string: |
Source: | Code function: | 2_2_004132EB |
Source: | Code function: | 2_2_00402C00 |
Source: | Code function: | 1_2_0044AC90 |
Source: | Code function: | 2_2_00402F20 |
Source: | Process token adjusted: |
Source: | Code function: | 2_2_0044028F | |
Source: | Code function: | 2_2_0042039F | |
Source: | Code function: | 2_2_004429E7 | |
Source: | Code function: | 2_2_00417B2F | |
Source: | Code function: | 2_2_10007A06 | |
Source: | Code function: | 2_2_10005EB5 |
Source: | Code function: | 2_2_0040F709 | |
Source: | Code function: | 2_2_004132EB | |
Source: | Code function: | 2_2_0040F575 | |
Source: | Code function: | 2_2_0040EB52 | |
Source: | Code function: | 2_2_10005630 | |
Source: | Code function: | 2_2_10002A85 | |
Source: | Code function: | 2_2_10002F80 |
Source: | Code function: | 1_2_00476C24 |
Source: | Process created: |
Source: | Code function: | 1_2_0042DF9C |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_004051D4 | |
Source: | Code function: | 0_2_00405220 | |
Source: | Code function: | 1_2_00408548 | |
Source: | Code function: | 1_2_00408594 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_0042700C | |
Source: | Code function: | 2_2_004270A7 | |
Source: | Code function: | 2_2_00427132 | |
Source: | Code function: | 2_2_0041E27F | |
Source: | Code function: | 2_2_00427385 | |
Source: | Code function: | 2_2_004274AB | |
Source: | Code function: | 2_2_004275B1 | |
Source: | Code function: | 2_2_00427680 | |
Source: | Code function: | 2_2_0041E7A1 | |
Source: | Code function: | 2_2_00426D1F | |
Source: | Code function: | 2_2_00426FC1 |
Source: | Code function: | 2_2_0040F773 |
Source: | Code function: | 1_2_00457964 |
Source: | Code function: | 0_2_004026C4 |
Source: | Code function: | 0_2_00405CBC |
Source: | Code function: | 1_2_004547B8 |
Stealing of Sensitive Information |
---|
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | 3 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 12 Command and Scripting Interpreter | Logon Script (Windows) | 13 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 23 Software Packing | NTDS | 26 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Process Injection | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 3 System Owner/User Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 2% | ReversingLabs | | |
| 60% | ReversingLabs | Win32.Trojan.GenusAgent | |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | TR/Dropper.Gen | | |
| 100% | Avira | HEUR/AGEN.1250671 | | |
| 100% | Avira | TR/Dropper.Gen | | |
| 100% | Avira | TR/Patched.Ren.Gen | | |
| 100% | Avira | TR/Patched.Ren.Gen | | |
| 100% | Avira | TR/Patched.Ren.Gen | | |
| 100% | Avira | TR/Patched.Ren.Gen | | |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.12.253.72 | unknown | Germany | 33657 | CMCSUS | true | |
45.12.253.75 | unknown | Germany | 33657 | CMCSUS | true | |
45.12.253.98 | unknown | Germany | 33657 | CMCSUS | true | |
45.12.253.56 | unknown | Germany | 33657 | CMCSUS | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 791306 |
Start date and time: | 2023-01-25 10:16:08 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 56s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 18 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal92.troj.evad.winEXE@12/24@0/4 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 8.248.113.254, 8.238.190.126, 67.26.139.254, 8.248.139.254, 67.26.137.254, 93.184.221.240
- Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
- Not all processes were analyzed; the report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
10:17:04 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.12.253.72 | | | malicious | | |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | | | malicious | | |
CMCSUS | | | malicious | | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy) | | | malicious | | |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 791040 |
Entropy (8bit): | 6.608982798504157 |
Encrypted: | false |
SSDEEP: | 24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I |
MD5: | 5C2FE7D4DDE65810152054F3C93C1815 |
SHA1: | 2A19F3FAA78A5072068F7902DB19A248F11FA69B |
SHA-256: | 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730 |
SHA-512: | 2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 1949 |
Entropy (8bit): | 4.915453283427292 |
Encrypted: | false |
SSDEEP: | 48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf |
MD5: | C0AE85DB30FE9027DBBF3BA758FA78BE |
SHA1: | 95E69DB95504A9F61D090690F32FB5D2F685C604 |
SHA-256: | CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7 |
SHA-512: | DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 6452 |
Entropy (8bit): | 4.734154041089812 |
Encrypted: | false |
SSDEEP: | 96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb |
MD5: | 247D3A0C3B0C53CA33D032A561619495 |
SHA1: | F30570C48749FE427FACCBDF925048B149D22460 |
SHA-256: | 783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB |
SHA-512: | 9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 6452 |
Entropy (8bit): | 4.734154041089812 |
Encrypted: | false |
SSDEEP: | 96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb |
MD5: | 247D3A0C3B0C53CA33D032A561619495 |
SHA1: | F30570C48749FE427FACCBDF925048B149D22460 |
SHA-256: | 783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB |
SHA-512: | 9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 553405 |
Entropy (8bit): | 7.979175020825392 |
Encrypted: | false |
SSDEEP: | 12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt |
MD5: | 37E6EEA8C4E469F6439F3790166815DD |
SHA1: | E0A3768F291CC7FCE178A001F0356D4FBA29D81F |
SHA-256: | 606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113 |
SHA-512: | 68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | modified |
Size (bytes): | 1327101 |
Entropy (8bit): | 6.5808664941884 |
Encrypted: | false |
SSDEEP: | 24576:ao3RaJaXyPGnMQO9hLCbg5bm/GAiiXWDwpz2n60uKACK7p33r3L++fNlol:toECPpvj6GAQwzKqG |
MD5: | 04947B1020E31A5F5A6E41FD279B4E74 |
SHA1: | 815B42143F71CC7FFD1943E9E1971F9ABEA82BF0 |
SHA-256: | 2F220AEDF9ADF351EDCC62CD2917E1590C8DA932D3BCCE276AC082B3DEBCFF8C |
SHA-512: | CE8D691F9BF52ECFF8C26CAC3D3D444E2ADB01DAAF32138923B1E6E7D0CCE373F060A1F719808A35852FE70AB7AB8670F91C3B7775A9B3754323521FD4BEBD7C |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 1327101 |
Entropy (8bit): | 6.58086621775031 |
Encrypted: | false |
SSDEEP: | 24576:fo3RaJaXyPGnMQO9hLCbg5bm/GAiiXWDwpz2n60uKACK7p33r3L++fNlol:6oECPpvj6GAQwzKqG |
MD5: | 05C8159B5028CE14F3DE0C2F38D01DED |
SHA1: | 0C0FAEE09CE3F28530A56955611422902D1F101C |
SHA-256: | 57B1E1B366C667078FE2E1203900E7E139A1AAB0704654D9906B5A1C4C15EB4C |
SHA-512: | 2680B3AE8B5986ACC9F9548094799F27EC120CE00C89CF2A624F73423630D397F7D7F20A3BCF013A0E45FF8A2B8A672E2414426B1DDAC8B94A3D8BCCC92CFDF0 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 1949 |
Entropy (8bit): | 4.915453283427292 |
Encrypted: | false |
SSDEEP: | 48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf |
MD5: | C0AE85DB30FE9027DBBF3BA758FA78BE |
SHA1: | 95E69DB95504A9F61D090690F32FB5D2F685C604 |
SHA-256: | CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7 |
SHA-512: | DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 723230 |
Entropy (8bit): | 6.49191904892708 |
Encrypted: | false |
SSDEEP: | 12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF |
MD5: | D0E4493CD1CEC1B97F24BAB12A942543 |
SHA1: | CEE352F43F982FCB36A337D2C15FFDD28B04B80D |
SHA-256: | C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9 |
SHA-512: | D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 553405 |
Entropy (8bit): | 7.979175020825392 |
Encrypted: | false |
SSDEEP: | 12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt |
MD5: | 37E6EEA8C4E469F6439F3790166815DD |
SHA1: | E0A3768F291CC7FCE178A001F0356D4FBA29D81F |
SHA-256: | 606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113 |
SHA-512: | 68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 791040 |
Entropy (8bit): | 6.608982798504157 |
Encrypted: | false |
SSDEEP: | 24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I |
MD5: | 5C2FE7D4DDE65810152054F3C93C1815 |
SHA1: | 2A19F3FAA78A5072068F7902DB19A248F11FA69B |
SHA-256: | 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730 |
SHA-512: | 2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 4340 |
Entropy (8bit): | 4.710584129714836 |
Encrypted: | false |
SSDEEP: | 96:WyWx5pJU+oIahqwOIhdc87ICSss/LBtbgfjf:WyWx5pJU+KEIhZICSsATgfr |
MD5: | 3B5506D7E7E0F3FF3FD02721245AB513 |
SHA1: | 2F37FA895A32EA49673C61411FCB373ACDD91CD4 |
SHA-256: | 699BD1692AA255B3291F6ECD60B5B7AB512CE10CB008B2CBD18F8B12A166D01C |
SHA-512: | 47EF21909EDB36900B14F100DCC9BBFECBF7B2482AFAFD232093D92C41FF440160B924D1B582B5FBC960A0F35EBA99C6479707E5F244B601F6D770CAECFA79EC |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 723230 |
Entropy (8bit): | 6.49191904892708 |
Encrypted: | false |
SSDEEP: | 12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF |
MD5: | D0E4493CD1CEC1B97F24BAB12A942543 |
SHA1: | CEE352F43F982FCB36A337D2C15FFDD28B04B80D |
SHA-256: | C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9 |
SHA-512: | D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F |
Malicious: | true |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Category: | dropped |
Size (bytes): | 95248 |
Entropy (8bit): | 7.998277474001343 |
Encrypted: | true |
SSDEEP: | 1536:1ajIVNDkCngyeaL3ZC7cjgn35QgjaeiPr6idOZAkOLfTRCaLQhAboaAkepTXnkY5:1vVpj3ZC72gnJQg2eikik4FC9/RX+f6 |
MD5: | 636E3CA21F2541B5EE3AB9922A183C79 |
SHA1: | 4B98C5432E534AF5FA17424C907E61CCFA6880D9 |
SHA-256: | 9B97BF40465ACFBAB5D61EE45ECAC1E485A988ADC66E1A859F950605DC5677B9 |
SHA-512: | 6AA99DFAB439063332383EBA737F34A5929353794245E8E4469EAEB2F7055889891D5A3F3CD3C9F20E37DCDEBFA78C5B5749F3BFDF40263970C880F047A0BDBB |
Malicious: | false |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Category: | dropped |
Size (bytes): | 21 |
Entropy (8bit): | 3.975418017913833 |
Encrypted: | false |
SSDEEP: | 3:iIxcsJE:iyE |
MD5: | C0236A8F8EB0411CC373CD432E252990 |
SHA1: | 49CA519830FADD97FA7BFB7C3404ED2DB29DF4E0 |
SHA-256: | 375CD2A305050C0ECDC8EF9A417194DB2955F3C99B04C76F1B2CD5A88369A242 |
SHA-512: | 3EDFDF13D9AE53C3DC77B299137C7F318B689F4880D72E50CF037F5A4F5C2A6CBC24CB5FE557C10F458CD1658B65E27EF994794FAB2D8E1562694E7DE5039E7E |
Malicious: | false |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 4.026670007889822 |
Encrypted: | false |
SSDEEP: | 48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc |
MD5: | 0EE914C6F0BB93996C75941E1AD629C6 |
SHA1: | 12E2CB05506EE3E82046C41510F39A258A5E5549 |
SHA-256: | 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2 |
SHA-512: | A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 4.215994423157539 |
Encrypted: | false |
SSDEEP: | 96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF |
MD5: | 4FF75F505FDDCC6A9AE62216446205D9 |
SHA1: | EFE32D504CE72F32E92DCF01AA2752B04D81A342 |
SHA-256: | A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81 |
SHA-512: | BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Process: | C:\Users\user\Desktop\file.exe |
Category: | dropped |
Size (bytes): | 712704 |
Entropy (8bit): | 6.4837542632664515 |
Encrypted: | false |
SSDEEP: | 12288:9QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kS0:+tCUA4arPEn37TzH7A6nw9yzeESUFWH/ |
MD5: | D76329B30DB65F61D55B20F36B56DA26 |
SHA1: | 5E4C77B723AE8F05B3AE6AFEEE735A4355F00663 |
SHA-256: | 229FBCB11EE7D1F082B6411610E95F726EEC4E6737E6B6392719DF4F0FE3FA1D |
SHA-512: | A291AED0897315E88B6378B1DB10ADA05BDA8C1ECCAF73DE23F409FE61860EBD1DBB422063E00996584D3B4B100122931D5BBAB54A88951706D75EFCC660F70D |
Malicious: | true |
Process: | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
Entropy (8bit): | 7.993082674497476 |
File name: | file.exe |
File size: | 1825141 |
MD5: | 209dca1a9633807b9cf36d6447f972da |
SHA1: | c4235ac91cd8e3c0e70ede54e43f857709f00859 |
SHA256: | 2004da2c60d73a66c6feffe50f130483750da799b90a78c76da90f61208101e6 |
SHA512: | d965feebe07c36d6e5b2b465a3639423c64ed293dde059e130c6586145d547745ed53bfcd9e3085f9d176960b746892efe5aea526aebf647609894f30a257295 |
SSDEEP: | 49152:ZLlc1oFvcnMNVYwUblC5LPUuQ6iArG7WUD8aXBCLCgv2MR:TzvcMjzcJ/qqTDLBqv2MR |
TLSH: | DD8533454E82D871E0236D76583E81DACD77BF2B247471402B4CFB9E37EB2D6920AB91 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | a2a0b496b2caca72 |
Entrypoint: | 0x409c18 |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | 884310b1928934402ea6fec1dbd3cf5e |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFC4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-24h], eax |
call 00007F2B449DEA43h |
call 00007F2B449DFC4Ah |
call 00007F2B449DFED9h |
call 00007F2B449E1EE8h |
call 00007F2B449E1F2Fh |
call 00007F2B449E485Eh |
call 00007F2B449E49C5h |
xor eax, eax |
push ebp |
push 0040A2D4h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 0040A29Dh |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040C014h] |
call 00007F2B449E542Bh |
call 00007F2B449E505Eh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007F2B449E2518h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040CDE8h |
call 00007F2B449DEAEFh |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040CDE8h] |
mov dl, 01h |
mov eax, 00407364h |
call 00007F2B449E2DA7h |
mov dword ptr [0040CDECh], eax |
xor edx, edx |
push ebp |
push 0040A255h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
call 00007F2B449E549Bh |
mov dword ptr [0040CDF4h], eax |
mov eax, dword ptr [0040CDF4h] |
cmp dword ptr [eax+0Ch], 01h |
jne 00007F2B449E55DAh |
mov eax, dword ptr [0040CDF4h] |
mov edx, 00000028h |
call 00007F2B449E31A8h |
mov edx, dword ptr [000000F4h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x933c | 0x9400 | False | 0.6138883023648649 | data | 6.557291120606636 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xb000 | 0x24c | 0x400 | False | 0.3134765625 | data | 2.7679914923058866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xc000 | 0xe4c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xd000 | 0x950 | 0xa00 | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xe000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xf000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0x10000 | 0x8b4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | False | 0.32421875 | data | 4.466554376757956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands |
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands |
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands |
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands |
RT_STRING | 0x12574 | 0x2f2 | data | ||
RT_STRING | 0x12868 | 0x30c | data | ||
RT_STRING | 0x12b74 | 0x2ce | data | ||
RT_STRING | 0x12e44 | 0x68 | data | ||
RT_STRING | 0x12eac | 0xb4 | data | ||
RT_STRING | 0x12f60 | 0xae | data | ||
RT_RCDATA | 0x13010 | 0x2c | data | ||
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States |
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States |
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
Language of compilation system | Country where language is spoken |
---|---|
Dutch | Netherlands |
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/25/23-10:17:06.150578 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 25, 2023 10:17:05.936774969 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:17:05.963335037 CET | 80 | 49701 | 45.12.253.56 | 192.168.2.3 |
Jan 25, 2023 10:17:05.963465929 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:17:05.963747978 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:17:05.989998102 CET | 80 | 49701 | 45.12.253.56 | 192.168.2.3 |
Jan 25, 2023 10:17:05.996356964 CET | 80 | 49701 | 45.12.253.56 | 192.168.2.3 |
Jan 25, 2023 10:17:05.996470928 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:17:06.035572052 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.062125921 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.062306881 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.064057112 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.090361118 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.090794086 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.090888977 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.123739958 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.150029898 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.150578022 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.150629044 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.150657892 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.150680065 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.150760889 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.150805950 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.150826931 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.150862932 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.150893927 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.150949001 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.150964022 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.151006937 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.151025057 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.151068926 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.151088953 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.151125908 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.151149988 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.151205063 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.151218891 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.151254892 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.177668095 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.177733898 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.177781105 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.177809954 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.177809954 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.177839994 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.177886009 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.177938938 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.177953005 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.177988052 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.178018093 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178070068 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178083897 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.178118944 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.178145885 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178194046 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178240061 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178282976 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178304911 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.178333998 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.178368092 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178412914 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178432941 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.178476095 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178497076 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.178524971 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.178559065 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178603888 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178648949 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178719044 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178734064 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.178778887 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178822994 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.178843021 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.179163933 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205178022 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205246925 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205295086 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205324888 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205351114 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205351114 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205401897 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205446005 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205466032 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205502033 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205529928 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205581903 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205595970 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205629110 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205657959 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205708981 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205723047 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205759048 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205785036 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205833912 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205848932 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205882072 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.205913067 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205966949 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.205981016 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206015110 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206042051 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206094027 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206108093 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206142902 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206171036 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206221104 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206243038 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206296921 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206310034 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206343889 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206372976 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206425905 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206439018 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206474066 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206501007 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206546068 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206563950 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206597090 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206628084 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206676960 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206722975 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206779003 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206793070 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206826925 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206855059 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206907988 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.206922054 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206955910 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.206983089 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207034111 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207047939 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207082987 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207108021 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207159996 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207176924 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207206964 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207238913 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207292080 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207305908 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207340002 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207367897 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207420111 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207433939 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207470894 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207495928 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207546949 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207561016 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207595110 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207623959 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207676888 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207691908 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207726002 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.207756042 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.207803965 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.234148979 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.234215975 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.234245062 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.234271049 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.234317064 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.234363079 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.234384060 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.234422922 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.234443903 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:06.234502077 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.264995098 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:06.291728973 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:06.291848898 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:06.295759916 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:06.322328091 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:07.075913906 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:07.076040983 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:09.119163036 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:09.145793915 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:09.918061972 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:09.918248892 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:10.999629021 CET | 80 | 49701 | 45.12.253.56 | 192.168.2.3 |
Jan 25, 2023 10:17:10.999754906 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:17:11.209275961 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3 |
Jan 25, 2023 10:17:11.209537029 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:11.979602098 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:12.006222963 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:12.699846029 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:12.700129032 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:14.731812954 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:14.758482933 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:15.554142952 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:15.554393053 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:17.660996914 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:17.687696934 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:18.467777014 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:18.468105078 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:20.510540009 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:20.537166119 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:21.287874937 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:21.288031101 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:23.369944096 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:23.396539927 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:24.127933979 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:24.129899979 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:26.173420906 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:26.199814081 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:26.928711891 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:26.930175066 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:28.964869976 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:28.991398096 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:29.705705881 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:29.705902100 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:31.858100891 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:31.884876013 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:32.598121881 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:32.598685026 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:34.784204006 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:34.810858011 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:35.519422054 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:35.519545078 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:38.274372101 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:17:38.274393082 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:38.274427891 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
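The packet table above shows three HTTP flows from the sandbox host to 45.12.253.56, .72 and .75, but the cadence of the traffic is hard to read off a raw timestamp list. The script below is an added example (it is not part of the Joe Sandbox report) that parses rows in the table's own format, groups them into flows, merges client packets that are less than one second apart into one request/response exchange, and flags a flow as periodic when the gaps between exchange starts have a coefficient of variation of 0.15 or less. The column order (Timestamp | Source Port | Dest Port | Source IP | Dest IP) is inferred from the values, the lower-numbered port is assumed to be the server, and the one-second burst gap and 0.15 threshold are chosen constants, not values from the report. The sample rows are the client-side rows of the three flows copied from the table, with all but one server-to-client row left out.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the client-side rows of the three flows, copied from the
# TCP packet table above (Timestamp | Source Port | Dest Port | Source IP | Dest IP);
# all but one server-to-client row are left out to keep the block short.
SAMPLE_ROWS = """\
Jan 25, 2023 10:17:06.178843021 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:06.264995098 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:06.291728973 CET | 80 | 49703 | 45.12.253.75 | 192.168.2.3 |
Jan 25, 2023 10:17:06.291848898 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:06.295759916 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:07.076040983 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:09.119163036 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:09.918248892 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:10.999754906 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:17:11.209537029 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:11.979602098 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:12.700129032 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:14.731812954 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:15.554393053 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:17.660996914 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:18.468105078 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:20.510540009 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:21.288031101 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:23.369944096 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:24.129899979 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:26.173420906 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:26.930175066 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:28.964869976 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:29.705902100 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:31.858100891 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:32.598685026 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:34.784204006 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:35.519545078 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
Jan 25, 2023 10:17:38.274372101 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56 |
Jan 25, 2023 10:17:38.274393082 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72 |
Jan 25, 2023 10:17:38.274427891 CET | 49703 | 80 | 192.168.2.3 | 45.12.253.75 |
"""

ROW_RE = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+ \| (\d+) \| (\d+) \| ([\d.]+) \| ([\d.]+)\s*\|?$"
)
EPOCH = datetime(1970, 1, 1)

def parse_row(line):
    """Return (seconds, client, server, outbound) or None for a non-row line.
    Assumption: the lower-numbered port (80 here) is the server side."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    stamp, frac, sport, dport, sip, dip = m.groups()
    # %f stops at microseconds and the table has nanoseconds, so add the fraction by hand.
    secs = (datetime.strptime(stamp, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
    secs += int(frac.ljust(9, "0")[:9]) / 1e9
    sport, dport = int(sport), int(dport)
    if dport < sport:
        return secs, (sip, sport), (dip, dport), True   # client -> server
    return secs, (dip, dport), (sip, sport), False      # server -> client

def summarise_flows(text, burst_gap=1.0, max_cv=0.15):
    """Group rows by (client, server). Client packets less than burst_gap seconds
    apart (request plus its ACKs) count as one exchange; a flow is 'periodic' when
    the coefficient of variation of the exchange-start gaps is <= max_cv."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "ts": [], "out_ts": []})
    for line in text.splitlines():
        rec = parse_row(line)
        if rec is None:
            continue
        secs, client, server, outbound = rec
        f = flows[(client, server)]
        f["out" if outbound else "in"] += 1
        f["ts"].append(secs)
        if outbound:
            f["out_ts"].append(secs)
    result = {}
    for key, f in flows.items():
        starts, prev = [], None
        for t in sorted(f["out_ts"]):
            if prev is None or t - prev > burst_gap:
                starts.append(t)
            prev = t
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        period = mean(gaps) if gaps else None
        cv = pstdev(gaps) / period if len(gaps) >= 3 else None
        result[key] = {
            "out": f["out"], "in": f["in"],
            "duration": round(max(f["ts"]) - min(f["ts"]), 3),
            "exchanges": len(starts),
            "period": round(period, 3) if period is not None else None,
            "periodic": cv is not None and cv <= max_cv,
        }
    return result

if __name__ == "__main__":
    for (client, server), s in summarise_flows(SAMPLE_ROWS).items():
        flag = "PERIODIC" if s["periodic"] else "-"
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]} out={s['out']} in={s['in']} "
              f"dur={s['duration']}s exchanges={s['exchanges']} period={s['period']}s {flag}")
```

Run against the sample, the 49703 flow to 45.12.253.75 resolves to twelve client-initiated exchanges about 2.9 s apart and is flagged periodic, while the 49701 and 49702 flows carry only their opening packets and a final packet. All three flows emit that final packet within about 60 microseconds of each other at 10:17:38.274, which marks the end of the run rather than application traffic; the same grouping logic applies unchanged to a full export of the table.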
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49701 | 45.12.253.56 | 80 | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 25, 2023 10:17:05.963747978 CET | 135 | OUT | |
Jan 25, 2023 10:17:05.996356964 CET | 135 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49702 | 45.12.253.72 | 80 | C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 25, 2023 10:17:06.064057112 CET | 136 | OUT | |
Jan 25, 2023 10:17:06.090794086 CET | 136 | IN | |
Jan 25, 2023 10:17:06.123739958 CET | 137 | OUT | |
Jan 25, 2023 10:17:06.150578022 CET | 138 | IN | |