Edit tour
Windows
Analysis Report
livechat.exe
Overview
General Information
| Sample Name: | livechat.exe |
| Analysis ID: | 1291241 |
| MD5: | 30c9c57aa570088d745fac7bfd05b805 |
| SHA1: | d579d18848859614e219afa6332d410e0ca71fc3 |
| SHA256: | 8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383 |
| Infos: | |
 | |
Detection
| Score: | 51 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Tries to disable installed Antivirus / HIPS / PFW
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
PE file does not import any functions
Sample file is different than original file name gathered from version info
OS version to string mapping found (often used in BOTs)
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Classification
- System is w7x64
livechat.exe (PID: 1808 cmdline: C:\Users\u ser\Deskto p\livechat .exe MD5: 30C9C57AA570088D745FAC7BFD05B805) - livechat.exe (PID: 2236 cmdline:
"C:\Users\ user\Deskt op\livecha t.exe" --l ocal-servi ce MD5: 30C9C57AA570088D745FAC7BFD05B805) - livechat.exe (PID: 2512 cmdline:
"C:\Users\ user\Deskt op\livecha t.exe" --l ocal-contr ol MD5: 30C9C57AA570088D745FAC7BFD05B805)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | JA3 fingerprint: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary or memory string: | ||
| Source: | Window created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation |   |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_006FC428 | |
| Source: | Code function: | 0_2_0070A6C7 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File opened: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Code function: | 0_2_006FAAED | |
| Source: | Code function: | 0_2_0070A6C7 | |
| Source: | Memory protected: | Jump to behavior | ||
| Source: | Code function: | 0_2_006FAAED | |
| Source: | Code function: | 0_2_007038F9 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Registry key value queried: | Jump to behavior | ||
| Source: | Registry key value queried: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00594B20 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 421 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 42 Security Software Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 331 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 331 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | 134 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| boot.net.anydesk.com | 49.12.130.235 | true | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 92.223.88.232 | unknown | Austria | 199524 | GCOREAT | false | |
| 92.223.88.41 | unknown | Austria | 199524 | GCOREAT | false | |
| 49.12.130.235 | boot.net.anydesk.com | Germany | 24940 | HETZNER-ASDE | false | |
| 49.12.130.236 | unknown | Germany | 24940 | HETZNER-ASDE | false | |
| 185.229.191.41 | unknown | Czech Republic | 60068 | CDN77GB | false |
| Joe Sandbox Version: | 38.0.0 Beryl |
| Analysis ID: | 1291241 |
| Start date and time: | 2023-08-15 06:47:33 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 10m 9s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | livechat.exe |
| Detection: | MAL |
| Classification: | mal51.evad.winEXE@5/6@15/5 |
| EGA Information: | Failed |
| HDC Information: | Failed |
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 209.197.3.8, 8.238.191.254, 8.238.190.126, 67.27.237.126, 8.238.137.126, 67.27.237.254
- Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtDeviceIoControlFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 92.223.88.232 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Vidar | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| 92.223.88.41 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | CryptOne, Mofksys | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Vidar | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| boot.net.anydesk.com | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DCRat, EICAR | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| GCOREAT | Get hash | malicious | Mirai | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
| ||
| GCOREAT | Get hash | malicious | Mirai | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| c91bde19008eefabce276152ccd51457 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\livechat.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 58887 |
| Entropy (8bit): | 4.335819244689175 |
| Encrypted: | false |
| SSDEEP: | 384:QJbtuCdHL0tO/6fl7ye0RCcDXj+svJzwg6kCPoPuDK8d:QptuqHyfQ2ctzSbK8d |
| MD5: | 8D273B627CA8BB610411E7339A90C2A0 |
| SHA1: | FAAEF31C7CF4E8FCD55867DF1E06E5B18F5F2B63 |
| SHA-256: | C77D3638E597E0821E50AB6DB5D97748EAC36F2D71311C6797522C03C02D2E13 |
| SHA-512: | 547DB541ABDB04C15BDC7713C8609F5780C93648A3184059295D3D3A8ADF9E1E6CE6F2D807466895A8AA23F4AD82AA4EF29FA7AC58B0A190B8FB4B873E152581 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\livechat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2762 |
| Entropy (8bit): | 6.02807612561272 |
| Encrypted: | false |
| SSDEEP: | 48:uISTT7iT6/oSHbmGDPINeAkhU+j01CQzoTiIMHhBaptztjKC7+CiaY6OV8D9WndW:uISTXiTOoSHNDP6eAk1YTHhIPzIOiaYg |
| MD5: | B98C9520F44726D142E5072B4BD1E2C9 |
| SHA1: | 3850D2CB5330A53588584445ABE922B014E52A0D |
| SHA-256: | 76CBD310C00AA486418B1EA31F656DB6DBE5B022040037FE8F038F6042A9859F |
| SHA-512: | 735BF3AB71E69A1066C1E4C6033329CAEA1B95FBFF7458D6B88A9DCDB114590B0F4E78ED3D4DCDE886D9B26BB042BE418002A998560E392C9785027B6C08F72F |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\livechat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 424 |
| Entropy (8bit): | 4.541392201749728 |
| Encrypted: | false |
| SSDEEP: | 6:owlCDocaqQAmvbahOmQgRQUQgRQPYQgRQOYQgfxPZxi3B6QgfxPg3qg3B6QgfxPt:o0CD6qQHvWhOLroBGgFBGt |
| MD5: | 102E3A98FAF64561AC7692D586F6BD62 |
| SHA1: | 35BF4F0B63009EDF3A8AE9AF1720C5DCCF53D445 |
| SHA-256: | 27539C143DCE4D98B0A106987D22191B81CC266729A37F92CE3C9B5F59ABDEFE |
| SHA-512: | 901E57CB38D2B4F8F603C74D424B7DD52885F745910A9E01520415A2E7316AC41A49C5902696EA964F85AFFBEAB7209D55A5FC2D92E792DFB290621C51F19732 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\livechat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1907 |
| Entropy (8bit): | 4.663598908268163 |
| Encrypted: | false |
| SSDEEP: | 48:2tkBDaInXhUddTacmzenXYsVHT6PYVMclOLc8gGl:2tkB+Inytacbn9uPuMf |
| MD5: | DBA03E72AAC0032E42A6DC5C097FAB2B |
| SHA1: | B1FD632CA6F1A6CCFB313F48F6268148F549F9E8 |
| SHA-256: | 9D9B6753D2B214D3682A9E7694D5CFF54DF72CF8352C87288DAF3CF3AA4C8925 |
| SHA-512: | C6B1EA77D0A98DE8904DEAE27CD739E0ED9509A2F3EEC0CB6070F695A96BF38687475A034E2CE4A86399EFF845DF5CB9F569B01E03BE8757AE5A9FA69EC5ABD1 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms (copy)
Download File
| Process: | C:\Users\user\Desktop\livechat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3066 |
| Entropy (8bit): | 2.9590238531135635 |
| Encrypted: | false |
| SSDEEP: | 24:244F21mzOOFWoNk7544F28nfOO1jDNk7c:H4y60oNiS4DfJNic |
| MD5: | 8D425FBEF3AF5EF78F1915FF20C38EBA |
| SHA1: | CF06DA5FC25EC962FF2090665947FA8C6BB2DD93 |
| SHA-256: | CA4A8134AE4428E2BEDF485D4079D310E9E79A93C7604EB909EE6F9584AD6B9E |
| SHA-512: | E48BDBE52EB12112BC3B7F240AE512D6DBBBD7DCE967B425489B96A5045635D327C9BBDA70B70D9108F0D76E5E55C063BCE3866A06BBFFF3E903783A3F87A09E |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7PE6VXJP6DLBIUEF42WE.temp
Download File
| Process: | C:\Users\user\Desktop\livechat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3066 |
| Entropy (8bit): | 2.9590238531135635 |
| Encrypted: | false |
| SSDEEP: | 24:244F21mzOOFWoNk7544F28nfOO1jDNk7c:H4y60oNiS4DfJNic |
| MD5: | 8D425FBEF3AF5EF78F1915FF20C38EBA |
| SHA1: | CF06DA5FC25EC962FF2090665947FA8C6BB2DD93 |
| SHA-256: | CA4A8134AE4428E2BEDF485D4079D310E9E79A93C7604EB909EE6F9584AD6B9E |
| SHA-512: | E48BDBE52EB12112BC3B7F240AE512D6DBBBD7DCE967B425489B96A5045635D327C9BBDA70B70D9108F0D76E5E55C063BCE3866A06BBFFF3E903783A3F87A09E |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.9991565509956315 |
| TrID: |
|
| File name: | livechat.exe |
| File size: | 4'040'776 bytes |
| MD5: | 30c9c57aa570088d745fac7bfd05b805 |
| SHA1: | d579d18848859614e219afa6332d410e0ca71fc3 |
| SHA256: | 8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383 |
| SHA512: | 182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c |
| SSDEEP: | 98304:oOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRF:rmZb0bEds4XFR0OiC/GT |
| TLSH: | 2A1633506BF882E1D1371AB4AE5FE2143F598CFE15F602699C2BA554CDF7C106CC3AA8 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L......d.........."......*...8=............ |
 | |
| Icon Hash: | 499669d8d82916a8 |
| Entrypoint: | 0x401ce9 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x649AD37F [Tue Jun 27 12:18:07 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: |
| Signature Valid: | true |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | EAE713DFC05244CF4301BF1C9F68B1BE |
| Thumbprint SHA-1: | 9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE |
| Thumbprint SHA-256: | 9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF |
| Serial: | 0DBF152DEAF0B981A8A938D53F769DB8 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| sub esp, 64h |
| push esi |
| lea ecx, dword ptr [ebp-64h] |
| call 00007F4FE8751B53h |
| lea eax, dword ptr [ebp-64h] |
| mov ecx, eax |
| mov dword ptr [0147E0E8h], eax |
| call 00007F4FE8751A11h |
| test al, al |
| jne 00007F4FE8752174h |
| mov esi, 000003E8h |
| lea ecx, dword ptr [ebp-64h] |
| call 00007F4FE87519FFh |
| mov eax, esi |
| pop esi |
| leave |
| ret |
| lea eax, dword ptr [ebp-64h] |
| push eax |
| lea ecx, dword ptr [ebp-30h] |
| call 00007F4FE8751833h |
| lea eax, dword ptr [ebp-30h] |
| mov ecx, eax |
| mov dword ptr [0147E0ECh], eax |
| call 00007F4FE87517CBh |
| test al, al |
| jne 00007F4FE8752171h |
| lea ecx, dword ptr [ebp-30h] |
| call 00007F4FE87517B0h |
| mov esi, 000003E9h |
| jmp 00007F4FE8752127h |
| cmp dword ptr [ebp-10h], 00000000h |
| je 00007F4FE875216Ah |
| push 00000800h |
| call dword ptr [ebp-10h] |
| cmp dword ptr [ebp-0Ch], 00000000h |
| je 00007F4FE875216Ah |
| push 00008001h |
| call dword ptr [ebp-0Ch] |
| lea eax, dword ptr [ebp-64h] |
| push eax |
| lea esi, dword ptr [ebp-30h] |
| call 00007F4FE87520B5h |
| pop ecx |
| mov esi, eax |
| push esi |
| call dword ptr [ebp-20h] |
| lea ecx, dword ptr [ebp-30h] |
| call 00007F4FE8751772h |
| jmp 00007F4FE87520EEh |
| mov edx, dword ptr [esp+04h] |
| push ebx |
| mov ebx, dword ptr [esp+10h] |
| push esi |
| xor esi, esi |
| test ebx, ebx |
| je 00007F4FE8752191h |
| push edi |
| mov edi, dword ptr [esp+14h] |
| sub edi, 0147E0F0h |
| imul edx, edx, 0019660Dh |
| add edx, 3C6EF35Fh |
| mov eax, edx |
| shr eax, 0Ch |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x107f000 | 0x4850 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3d6200 | 0x4648 | .itext |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1084000 | 0x84 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xcaf000 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2835 | 0x2a00 | False | 0.5949590773809523 | data | 6.514751266666443 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0x4000 | 0xcaae00 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xcaf000 | 0x2fa | 0x400 | False | 0.7255859375 | Matlab v4 mat-file (little endian) \234\362\312, numeric, rows 1687868287, columns 0, imaginary | 5.646642643065067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xcb0000 | 0x3ce4f4 | 0x3ce200 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x107f000 | 0x4850 | 0x4a00 | False | 0.5123521959459459 | data | 6.017834090303233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1084000 | 0x300 | 0x400 | False | 0.1455078125 | data | 1.181265380704217 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x107f280 | 0x1b8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9167848029486816 |
| RT_ICON | 0x1080e10 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.299390243902439 |
| RT_ICON | 0x1081478 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.478494623655914 |
| RT_ICON | 0x1081760 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.48155737704918034 |
| RT_ICON | 0x1081948 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.597972972972973 |
| RT_ICON | 0x1081ac0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.09404315196998124 |
| RT_ICON | 0x1082b68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.2047872340425532 |
| RT_GROUP_ICON | 0x1081a70 | 0x4c | data | English | United States | 0.8026315789473685 |
| RT_GROUP_ICON | 0x1082fd0 | 0x22 | data | English | United States | 1.0588235294117647 |
| RT_VERSION | 0x1082ff8 | 0x250 | data | English | United States | 0.4814189189189189 |
| RT_MANIFEST | 0x1083248 | 0x606 | XML 1.0 document, ASCII text | English | United States | 0.45395590142671854 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 15, 2023 06:48:31.882922888 CEST | 49164 | 443 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:31.883002996 CEST | 443 | 49164 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:31.883651018 CEST | 49164 | 443 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:31.930392027 CEST | 49164 | 443 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:31.930449009 CEST | 443 | 49164 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.002444983 CEST | 443 | 49164 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.002590895 CEST | 49164 | 443 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.006171942 CEST | 49164 | 443 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.006196022 CEST | 443 | 49164 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.006422043 CEST | 443 | 49164 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.006720066 CEST | 49164 | 443 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.058820009 CEST | 49164 | 443 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.085545063 CEST | 49165 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.107865095 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.108040094 CEST | 49165 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.126732111 CEST | 49165 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.149089098 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.151719093 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.151762962 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.151799917 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.151823044 CEST | 49165 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.151838064 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.151879072 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.151889086 CEST | 49165 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.164609909 CEST | 49165 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.187566996 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.187621117 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.187700987 CEST | 49165 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.250919104 CEST | 49165 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:48:32.273418903 CEST | 80 | 49165 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.300904036 CEST | 49166 | 6568 | 192.168.2.22 | 185.229.191.41 |
| Aug 15, 2023 06:48:32.325258970 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.325432062 CEST | 49166 | 6568 | 192.168.2.22 | 185.229.191.41 |
| Aug 15, 2023 06:48:32.358880997 CEST | 49166 | 6568 | 192.168.2.22 | 185.229.191.41 |
| Aug 15, 2023 06:48:32.383471012 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.385617971 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.385660887 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.385767937 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.385817051 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.385827065 CEST | 49166 | 6568 | 192.168.2.22 | 185.229.191.41 |
| Aug 15, 2023 06:48:32.385869026 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.385917902 CEST | 49166 | 6568 | 192.168.2.22 | 185.229.191.41 |
| Aug 15, 2023 06:48:32.397340059 CEST | 49166 | 6568 | 192.168.2.22 | 185.229.191.41 |
| Aug 15, 2023 06:48:32.421847105 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.421890020 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.422029972 CEST | 49166 | 6568 | 192.168.2.22 | 185.229.191.41 |
| Aug 15, 2023 06:48:32.506670952 CEST | 49166 | 6568 | 192.168.2.22 | 185.229.191.41 |
| Aug 15, 2023 06:48:32.531116009 CEST | 6568 | 49166 | 185.229.191.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.316629887 CEST | 49167 | 443 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.316699982 CEST | 443 | 49167 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.316802979 CEST | 49167 | 443 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.338500977 CEST | 49167 | 443 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.338546991 CEST | 443 | 49167 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.395750046 CEST | 443 | 49167 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.395894051 CEST | 49167 | 443 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.397392035 CEST | 49167 | 443 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.397416115 CEST | 443 | 49167 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.397752047 CEST | 443 | 49167 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.397835016 CEST | 49167 | 443 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.427294970 CEST | 49167 | 443 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.468202114 CEST | 49168 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.488682985 CEST | 80 | 49168 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.488866091 CEST | 49168 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.502417088 CEST | 49168 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.522970915 CEST | 80 | 49168 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.524790049 CEST | 80 | 49168 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.524843931 CEST | 80 | 49168 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.524883986 CEST | 80 | 49168 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.525051117 CEST | 49168 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.545222998 CEST | 49168 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.566121101 CEST | 80 | 49168 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.566209078 CEST | 80 | 49168 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.566411018 CEST | 49168 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.652621984 CEST | 49168 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:37.673084974 CEST | 80 | 49168 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.740778923 CEST | 49169 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:48:37.763571978 CEST | 6568 | 49169 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.763818979 CEST | 49169 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:48:37.802822113 CEST | 49169 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:48:37.825668097 CEST | 6568 | 49169 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.827835083 CEST | 6568 | 49169 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.827872992 CEST | 6568 | 49169 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.827899933 CEST | 6568 | 49169 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.827950001 CEST | 49169 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:48:37.839346886 CEST | 49169 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:48:37.862417936 CEST | 6568 | 49169 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.862463951 CEST | 6568 | 49169 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.862567902 CEST | 49169 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:48:37.896586895 CEST | 49169 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:48:37.919343948 CEST | 6568 | 49169 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.385102034 CEST | 49170 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.385142088 CEST | 443 | 49170 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.385322094 CEST | 49170 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.401144028 CEST | 49170 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.401176929 CEST | 443 | 49170 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.456650972 CEST | 443 | 49170 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.456765890 CEST | 49170 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.459487915 CEST | 49170 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.459502935 CEST | 443 | 49170 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.459929943 CEST | 443 | 49170 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.460002899 CEST | 49170 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.509404898 CEST | 49170 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.546001911 CEST | 49171 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:51.566543102 CEST | 80 | 49171 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.566773891 CEST | 49171 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:51.581813097 CEST | 49171 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:51.602313995 CEST | 80 | 49171 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.604188919 CEST | 80 | 49171 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.604219913 CEST | 80 | 49171 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.604239941 CEST | 80 | 49171 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.604409933 CEST | 49171 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:51.624496937 CEST | 49171 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:51.645709038 CEST | 80 | 49171 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.645766020 CEST | 80 | 49171 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.646028996 CEST | 49171 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:51.693538904 CEST | 49171 | 80 | 192.168.2.22 | 92.223.88.232 |
| Aug 15, 2023 06:48:51.714102030 CEST | 80 | 49171 | 92.223.88.232 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.731597900 CEST | 49172 | 6568 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.752099991 CEST | 6568 | 49172 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.752291918 CEST | 49172 | 6568 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.765619993 CEST | 49172 | 6568 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.786251068 CEST | 6568 | 49172 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.788081884 CEST | 6568 | 49172 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.788136959 CEST | 6568 | 49172 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.788181067 CEST | 6568 | 49172 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.788285017 CEST | 49172 | 6568 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.813600063 CEST | 49172 | 6568 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.834752083 CEST | 6568 | 49172 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.834835052 CEST | 6568 | 49172 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.834988117 CEST | 49172 | 6568 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.893935919 CEST | 49172 | 6568 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:48:51.914494038 CEST | 6568 | 49172 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.384979963 CEST | 49173 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:49:34.385046959 CEST | 443 | 49173 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.385138035 CEST | 49173 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:49:34.400163889 CEST | 49173 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:49:34.400204897 CEST | 443 | 49173 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.454215050 CEST | 443 | 49173 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.454381943 CEST | 49173 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:49:34.456758022 CEST | 49173 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:49:34.456785917 CEST | 443 | 49173 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.457087040 CEST | 443 | 49173 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.457160950 CEST | 49173 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:49:34.497407913 CEST | 49173 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:49:34.539185047 CEST | 49174 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.562365055 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.562572956 CEST | 49174 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.573987961 CEST | 49174 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.597157001 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.601001024 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.601079941 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.601135015 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.601191998 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.601242065 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.601327896 CEST | 49174 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.601327896 CEST | 49174 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.621819019 CEST | 49174 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.645045042 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.645078897 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.645172119 CEST | 49174 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.689728975 CEST | 49174 | 80 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.712721109 CEST | 80 | 49174 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.731012106 CEST | 49175 | 6568 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.754139900 CEST | 6568 | 49175 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.754215002 CEST | 49175 | 6568 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.762346983 CEST | 49175 | 6568 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.785080910 CEST | 6568 | 49175 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.788023949 CEST | 6568 | 49175 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.788058043 CEST | 6568 | 49175 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.788074970 CEST | 6568 | 49175 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.788188934 CEST | 49175 | 6568 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.811399937 CEST | 49175 | 6568 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.834155083 CEST | 6568 | 49175 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.834182024 CEST | 6568 | 49175 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.834422112 CEST | 49175 | 6568 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.880327940 CEST | 49175 | 6568 | 192.168.2.22 | 49.12.130.235 |
| Aug 15, 2023 06:49:34.903183937 CEST | 6568 | 49175 | 49.12.130.235 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.394979000 CEST | 49177 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.395023108 CEST | 443 | 49177 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.395203114 CEST | 49177 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.409029961 CEST | 49177 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.409056902 CEST | 443 | 49177 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.468251944 CEST | 443 | 49177 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.468425989 CEST | 49177 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.469743967 CEST | 49177 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.469763994 CEST | 443 | 49177 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.470168114 CEST | 443 | 49177 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.470263004 CEST | 49177 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.704591036 CEST | 49177 | 443 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.733907938 CEST | 49178 | 80 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.754364967 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.754463911 CEST | 49178 | 80 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.763545990 CEST | 49178 | 80 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.784843922 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.786745071 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.786808014 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.786840916 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.786860943 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.786892891 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.786921024 CEST | 49178 | 80 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.799259901 CEST | 49178 | 80 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.819789886 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.819832087 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.819917917 CEST | 49178 | 80 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.907671928 CEST | 49178 | 80 | 192.168.2.22 | 92.223.88.41 |
| Aug 15, 2023 06:50:45.928145885 CEST | 80 | 49178 | 92.223.88.41 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.937537909 CEST | 49179 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:50:45.960822105 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.960957050 CEST | 49179 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:50:45.971092939 CEST | 49179 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:50:45.993822098 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.996736050 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.996761084 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.996787071 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.996800900 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.996813059 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.996857882 CEST | 49179 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:50:45.996857882 CEST | 49179 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:50:46.008624077 CEST | 49179 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:50:46.032532930 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:50:46.032567978 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Aug 15, 2023 06:50:46.032623053 CEST | 49179 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:50:46.078350067 CEST | 49179 | 6568 | 192.168.2.22 | 49.12.130.236 |
| Aug 15, 2023 06:50:46.101998091 CEST | 6568 | 49179 | 49.12.130.236 | 192.168.2.22 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 15, 2023 06:48:31.794975996 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:48:31.818660975 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.066459894 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:48:32.081852913 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:48:32.281542063 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:48:32.296669006 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.258038998 CEST | 52781 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:48:37.281791925 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.439814091 CEST | 63926 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:48:37.463609934 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:48:37.707189083 CEST | 65510 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:48:37.731978893 CEST | 53 | 65510 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.356440067 CEST | 62672 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:48:51.372061014 CEST | 53 | 62672 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.520697117 CEST | 56475 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:48:51.541033030 CEST | 53 | 56475 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:48:51.702800035 CEST | 49384 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:48:51.726766109 CEST | 53 | 49384 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.353532076 CEST | 54842 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:49:34.369153023 CEST | 53 | 54842 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.511739969 CEST | 58105 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:49:34.535772085 CEST | 53 | 58105 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:49:34.698950052 CEST | 64928 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:49:34.722986937 CEST | 53 | 64928 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.361629009 CEST | 57390 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:50:45.377839088 CEST | 53 | 57390 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.714335918 CEST | 58095 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:50:45.730376005 CEST | 53 | 58095 | 8.8.8.8 | 192.168.2.22 |
| Aug 15, 2023 06:50:45.918450117 CEST | 54261 | 53 | 192.168.2.22 | 8.8.8.8 |
| Aug 15, 2023 06:50:45.935054064 CEST | 53 | 54261 | 8.8.8.8 | 192.168.2.22 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Aug 15, 2023 06:48:31.794975996 CEST | 192.168.2.22 | 8.8.8.8 | 0x566f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:48:32.066459894 CEST | 192.168.2.22 | 8.8.8.8 | 0x6486 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:48:32.281542063 CEST | 192.168.2.22 | 8.8.8.8 | 0xe6ad | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:48:37.258038998 CEST | 192.168.2.22 | 8.8.8.8 | 0x4613 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:48:37.439814091 CEST | 192.168.2.22 | 8.8.8.8 | 0xc3dc | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:48:37.707189083 CEST | 192.168.2.22 | 8.8.8.8 | 0x5c12 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:48:51.356440067 CEST | 192.168.2.22 | 8.8.8.8 | 0x3b8a | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:48:51.520697117 CEST | 192.168.2.22 | 8.8.8.8 | 0x9eec | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:48:51.702800035 CEST | 192.168.2.22 | 8.8.8.8 | 0xbd97 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:49:34.353532076 CEST | 192.168.2.22 | 8.8.8.8 | 0xc860 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:49:34.511739969 CEST | 192.168.2.22 | 8.8.8.8 | 0x58bf | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:49:34.698950052 CEST | 192.168.2.22 | 8.8.8.8 | 0x73fc | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:50:45.361629009 CEST | 192.168.2.22 | 8.8.8.8 | 0xf1b1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:50:45.714335918 CEST | 192.168.2.22 | 8.8.8.8 | 0xe0d3 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Aug 15, 2023 06:50:45.918450117 CEST | 192.168.2.22 | 8.8.8.8 | 0x79da | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Aug 15, 2023 06:48:31.818660975 CEST | 8.8.8.8 | 192.168.2.22 | 0x566f | No error (0) | 49.12.130.235 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:48:32.081852913 CEST | 8.8.8.8 | 192.168.2.22 | 0x6486 | No error (0) | 49.12.130.235 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:48:32.296669006 CEST | 8.8.8.8 | 192.168.2.22 | 0xe6ad | No error (0) | 185.229.191.41 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:48:37.281791925 CEST | 8.8.8.8 | 192.168.2.22 | 0x4613 | No error (0) | 92.223.88.232 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:48:37.463609934 CEST | 8.8.8.8 | 192.168.2.22 | 0xc3dc | No error (0) | 92.223.88.232 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:48:37.731978893 CEST | 8.8.8.8 | 192.168.2.22 | 0x5c12 | No error (0) | 49.12.130.236 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:48:51.372061014 CEST | 8.8.8.8 | 192.168.2.22 | 0x3b8a | No error (0) | 92.223.88.41 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:48:51.541033030 CEST | 8.8.8.8 | 192.168.2.22 | 0x9eec | No error (0) | 92.223.88.232 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:48:51.726766109 CEST | 8.8.8.8 | 192.168.2.22 | 0xbd97 | No error (0) | 92.223.88.41 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:49:34.369153023 CEST | 8.8.8.8 | 192.168.2.22 | 0xc860 | No error (0) | 92.223.88.41 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:49:34.535772085 CEST | 8.8.8.8 | 192.168.2.22 | 0x58bf | No error (0) | 49.12.130.235 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:49:34.722986937 CEST | 8.8.8.8 | 192.168.2.22 | 0x73fc | No error (0) | 49.12.130.235 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:50:45.377839088 CEST | 8.8.8.8 | 192.168.2.22 | 0xf1b1 | No error (0) | 92.223.88.41 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:50:45.730376005 CEST | 8.8.8.8 | 192.168.2.22 | 0xe0d3 | No error (0) | 92.223.88.41 | A (IP address) | IN (0x0001) | false | ||
| Aug 15, 2023 06:50:45.935054064 CEST | 8.8.8.8 | 192.168.2.22 | 0x79da | No error (0) | 49.12.130.236 | A (IP address) | IN (0x0001) | false |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.22 | 49165 | 49.12.130.235 | 80 | C:\Users\user\Desktop\livechat.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 15, 2023 06:48:32.126732111 CEST | 6 | OUT | |
| Aug 15, 2023 06:48:32.151719093 CEST | 7 | IN | |
| Aug 15, 2023 06:48:32.151762962 CEST | 8 | IN | |
| Aug 15, 2023 06:48:32.151799917 CEST | 8 | IN | |
| Aug 15, 2023 06:48:32.151838064 CEST | 9 | IN | |
| Aug 15, 2023 06:48:32.151879072 CEST | 9 | IN | |
| Aug 15, 2023 06:48:32.164609909 CEST | 10 | OUT | |
| Aug 15, 2023 06:48:32.187566996 CEST | 11 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.22 | 49168 | 92.223.88.232 | 80 | C:\Users\user\Desktop\livechat.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 15, 2023 06:48:37.502417088 CEST | 21 | OUT | |
| Aug 15, 2023 06:48:37.524790049 CEST | 22 | IN | |
| Aug 15, 2023 06:48:37.524843931 CEST | 24 | IN | |
| Aug 15, 2023 06:48:37.524883986 CEST | 24 | IN | |
| Aug 15, 2023 06:48:37.545222998 CEST | 25 | OUT | |
| Aug 15, 2023 06:48:37.566121101 CEST | 25 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 2 | 192.168.2.22 | 49171 | 92.223.88.232 | 80 | C:\Users\user\Desktop\livechat.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 15, 2023 06:48:51.581813097 CEST | 35 | OUT | |
| Aug 15, 2023 06:48:51.604188919 CEST | 37 | IN | |
| Aug 15, 2023 06:48:51.604219913 CEST | 38 | IN | |
| Aug 15, 2023 06:48:51.604239941 CEST | 38 | IN | |
| Aug 15, 2023 06:48:51.624496937 CEST | 39 | OUT | |
| Aug 15, 2023 06:48:51.645709038 CEST | 39 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 3 | 192.168.2.22 | 49174 | 49.12.130.235 | 80 | C:\Users\user\Desktop\livechat.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 15, 2023 06:49:34.573987961 CEST | 50 | OUT | |
| Aug 15, 2023 06:49:34.601001024 CEST | 51 | IN | |
| Aug 15, 2023 06:49:34.601079941 CEST | 52 | IN | |
| Aug 15, 2023 06:49:34.601135015 CEST | 52 | IN | |
| Aug 15, 2023 06:49:34.601191998 CEST | 53 | IN | |
| Aug 15, 2023 06:49:34.601242065 CEST | 53 | IN | |
| Aug 15, 2023 06:49:34.621819019 CEST | 54 | OUT | |
| Aug 15, 2023 06:49:34.645045042 CEST | 54 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 4 | 192.168.2.22 | 49178 | 92.223.88.41 | 80 | C:\Users\user\Desktop\livechat.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 15, 2023 06:50:45.763545990 CEST | 65 | OUT | |
| Aug 15, 2023 06:50:45.786745071 CEST | 66 | IN | |
| Aug 15, 2023 06:50:45.786808014 CEST | 66 | IN | |
| Aug 15, 2023 06:50:45.786840916 CEST | 67 | IN | |
| Aug 15, 2023 06:50:45.786860943 CEST | 67 | IN | |
| Aug 15, 2023 06:50:45.786892891 CEST | 68 | IN | |
| Aug 15, 2023 06:50:45.799259901 CEST | 69 | OUT | |
| Aug 15, 2023 06:50:45.819789886 CEST | 69 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 06:48:24 |
| Start date: | 15/08/2023 |
| Path: | C:\Users\user\Desktop\livechat.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x120000 |
| File size: | 4'040'776 bytes |
| MD5 hash: | 30C9C57AA570088D745FAC7BFD05B805 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 2 |
| Start time: | 06:48:27 |
| Start date: | 15/08/2023 |
| Path: | C:\Users\user\Desktop\livechat.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x120000 |
| File size: | 4'040'776 bytes |
| MD5 hash: | 30C9C57AA570088D745FAC7BFD05B805 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 3 |
| Start time: | 06:48:28 |
| Start date: | 15/08/2023 |
| Path: | C:\Users\user\Desktop\livechat.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x120000 |
| File size: | 4'040'776 bytes |
| MD5 hash: | 30C9C57AA570088D745FAC7BFD05B805 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
Function 00594B20 Relevance: 70.4, APIs: 24, Strings: 16, Instructions: 361filesynchronizationtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00594A00 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005947F0 Relevance: 12.1, APIs: 8, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005FE340 Relevance: 7.5, APIs: 5, Instructions: 44comCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001219FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00600D10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00600D90 Relevance: 4.5, APIs: 3, Instructions: 38COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00121000 Relevance: 1.6, APIs: 1, Instructions: 107memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00700E3A Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006F187A Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00121E30 Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006FBA5E Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00121E47 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007038F9 Relevance: 7.6, APIs: 5, Instructions: 58COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003642D0 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 61libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006FB264 Relevance: 9.0, APIs: 6, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006F3449 Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0070AEDF Relevance: 6.1, APIs: 4, Instructions: 103COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |