Windows
Analysis Report
103-o_Installer.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
103-o_Installer.exe (PID: 5508 cmdline: "C:\Users\user\Desktop\103-o_Installer.exe" MD5: DC4B9BE7A5645D5C7FD18A4AC175830C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution | | |
{"C2 url": ["59.56.110.103"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
Timestamp: | 07/02/24-19:25:10.860430 |
SID: | 2852870 |
Source Port: | 7000 |
Destination Port: | 49701 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 07/02/24-19:21:24.908027 |
SID: | 2855924 |
Source Port: | 49701 |
Destination Port: | 7000 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 07/02/24-19:25:10.861342 |
SID: | 2852923 |
Source Port: | 49701 |
Destination Port: | 7000 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 07/02/24-19:23:11.014576 |
SID: | 2853193 |
Source Port: | 49701 |
Destination Port: | 7000 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 07/02/24-19:24:48.480603 |
SID: | 2852874 |
Source Port: | 7000 |
Destination Port: | 49701 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | Snort IDS: |
Source: | URLs: |
Source: | Network traffic detected: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_003A25C8 |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 0_2_003B007E |
Source: | Code function: | 0_2_003B5A2A |
Source: | Code function: | 0_2_003B738F |
Source: | Code function: | 0_2_003AFBE9 |
Source: | Code function: | 0_2_003B0BD6 |
Source: | Code function: | 0_2_003B041C |
Source: | Code function: | 0_2_003B54D9 |
Source: | Code function: | 0_2_003B6657 |
Source: | Code function: | 0_2_003B5F7B |
Source: | Code function: | 0_2_003B7F4F |
Source: | Code function: | 0_2_003B07EE |
Source: | Code function: | 0_2_053A55D8 |
Source: | Code function: | 0_2_053AA290 |
Source: | Code function: | 0_2_053A4D08 |
Source: | Code function: | 0_2_053AAFD0 |
Source: | Code function: | 0_2_053AE918 |
Source: | Code function: | 0_2_053A07A0 |
Source: | Code function: | 0_2_053A49C0 |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Cryptographic APIs: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Static PE information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | .Net Code: |
Source: | .Net Code: |
Source: | Code function: | 0_2_003B40E4 |
Source: | Code function: | 0_2_003A4966 |
Source: | Code function: | 0_2_003AAA08 |
Source: | Code function: | 0_2_003A665C |
Source: | Code function: | 0_2_053ACC2D |
Source: | Code function: | 0_2_053A6B89 |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Network traffic detected: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | Memory allocated: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | File Volume queried: |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-25353 |
Source: | API call chain: | graph_0-25538 |
Source: | Code function: | 0_2_003A65D1 |
Source: | Code function: | 0_2_003B40E4 |
Source: | Code function: | 0_2_02EE1628 |
Source: | Code function: | 0_2_003B7CB1 |
Source: | Process token adjusted: |
Source: | Code function: | 0_2_003A65D1 |
Source: | Code function: | 0_2_003AA792 |
Source: | Code function: | 0_2_003AC78D |
Source: | Memory allocated: |
Source: | Code function: | 0_2_003A1671 |
Source: | Code function: | 0_2_003B4859 |
Source: | Code function: | 0_2_003AE04E |
Source: | Code function: | 0_2_003AF895 |
Source: | Code function: | 0_2_003AF955 |
Source: | Code function: | 0_2_003AF9BC |
Source: | Code function: | 0_2_003AF9F8 |
Source: | Code function: | 0_2_003ADC2B |
Source: | Code function: | 0_2_003B44BA |
Source: | Code function: | 0_2_003AECAA |
Source: | Code function: | 0_2_003AF4CD |
Source: | Code function: | 0_2_003B4594 |
Source: | Code function: | 0_2_003AF5C2 |
Source: | Code function: | 0_2_003AF669 |
Source: | Code function: | 0_2_003AF6C4 |
Source: | Code function: | 0_2_003AEF98 |
Source: | Code function: | 0_2_003A5FC5 |
Source: | Queries volume information: |
Source: | Code function: | 0_2_003A41BA |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 34 System Information Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 26% | ReversingLabs | Win32.Trojan.Doina | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
guanlix.cn | 91.208.240.157 | true | false | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
91.208.240.157 | guanlix.cn | unknown | | 139659 | LUCID-AS-APLUCIDACLOUDLIMITEDHK | false |
59.56.110.103 | unknown | China | | 133774 | CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1466308 |
Start date and time: | 2024-07-02 19:20:11 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 52s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 18 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 103-o_Installer.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@1/2@1/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: 103-o_Installer.exe
Time | Type | Description |
---|---|---|
13:21:11 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN | | | malicious | Mirai | | |
| | | | malicious | Mirai, Moobot | | |
| | | | malicious | Mirai, Moobot | | |
| | | | malicious | CobaltStrike | | |
| | | | malicious | Unknown | | |
| | | | malicious | Mirai, Moobot | | |
| | | | malicious | Mirai | | |
| | | | malicious | Mirai, Gafgyt, Okiru | | |
| | | | malicious | Mirai | | |
| | | | malicious | Unknown | | |
LUCID-AS-APLUCIDACLOUDLIMITEDHK | | | malicious | Unknown | | |
| | | | malicious | Unknown | | |
| | | | malicious | Unknown | | |
| | | | malicious | GhostRat | | |
| | | | malicious | GhostRat | | |
| | | | malicious | CobaltStrike | | |
| | | | malicious | CobaltStrike | | |
| | | | malicious | Mirai | | |
| | | | malicious | Mirai | | |
| | | | malicious | Mirai | | |
Process: | C:\Users\user\Desktop\103-o_Installer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 71938 |
Entropy (8bit): | 7.604678512981776 |
Encrypted: | false |
SSDEEP: | 1536:+Sjk79gZOcfNdQdX5kDjfjx1rwa7F0vGmM6eKXBwLsy1ETqfvu+P4Rtsj5o:S5gblOdX50jxJZJmMRKXBwLs/ |
MD5: | 30DD8CD1E4557604F2F904623AC15350 |
SHA1: | 4605B3E8F3FDDA4E22389CC655842D67A5A02D65 |
SHA-256: | 6B3852E6F2BD2DF3A4AD5AD33009227E682BBB25B5C0F7EDFA0124C05B08138B |
SHA-512: | B96490A8F2116250C5AA99F5C76895829F21595E40674AC828EF138598EF3D8BE0D3CA5F3BE4D3E250C2FB6D18B8108868032BE61E68868062A731EE27A23459 |
Malicious: | false |
Yara Hits: | |
Reputation: | low |
Preview: | |
File type: | |
Entropy (8bit): | 5.939939761503241 |
TrID: | |
File name: | 103-o_Installer.exe |
File size: | 249'344 bytes |
MD5: | dc4b9be7a5645d5c7fd18a4ac175830c |
SHA1: | 3b2a0dc310a1af35629fca61ae1ccc530b8c9a30 |
SHA256: | 233e15fe06e10eb85efdd62345a90c62d43d30f2d01122d79fbc5299c25f3d81 |
SHA512: | aca2108ae93ff5be7c9196d6b92101c8bd83d48302847f69ed785fce146098e7753e62c14efa9c4b50122130e46bb8aacb283ea4cd0f4ba8491a2aa7a0a518da |
SSDEEP: | 3072:3uWmO3uTwghfpRBCa5XrD5sxTQ1wb7QNaV4ZQeAnuTCt2xbzmyoaq6rcYsc8kOee:3uW4TwSR57aTQCQN4njZ2x0p |
TLSH: | D4346B92F6C0C4B6D81711B5D83ADEB2126BBD798974010B36A4372F5EB72831937E0B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L...o..f.................v...T..... |
Icon Hash: | 20246c0c56e20926 |
Entrypoint: | 0x405b41 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6682066F [Mon Jul 1 01:29:19 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 0b47c746b58dc722dcec07246158fda2 |
Instruction |
---|
call 00007FAB40D675B5h |
jmp 00007FAB40D6001Eh |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
test eax, eax |
je 00007FAB40D601A4h |
sub eax, 08h |
cmp dword ptr [eax], 0000DDDDh |
jne 00007FAB40D60199h |
push eax |
call 00007FAB40D5EA7Fh |
pop ecx |
pop ebp |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
push esi |
mov esi, ecx |
mov byte ptr [esi+0Ch], 00000000h |
test eax, eax |
jne 00007FAB40D601F5h |
call 00007FAB40D63DAEh |
mov dword ptr [esi+08h], eax |
mov ecx, dword ptr [eax+6Ch] |
mov dword ptr [esi], ecx |
mov ecx, dword ptr [eax+68h] |
mov dword ptr [esi+04h], ecx |
mov ecx, dword ptr [esi] |
cmp ecx, dword ptr [004201F8h] |
je 00007FAB40D601A4h |
mov ecx, dword ptr [0041FFB0h] |
test dword ptr [eax+70h], ecx |
jne 00007FAB40D60199h |
call 00007FAB40D67F8Fh |
mov dword ptr [esi], eax |
mov eax, dword ptr [esi+04h] |
cmp eax, dword ptr [0041FEB8h] |
je 00007FAB40D601A8h |
mov eax, dword ptr [esi+08h] |
mov ecx, dword ptr [0041FFB0h] |
test dword ptr [eax+70h], ecx |
jne 00007FAB40D6019Ah |
call 00007FAB40D677EEh |
mov dword ptr [esi+04h], eax |
mov eax, dword ptr [esi+08h] |
test byte ptr [eax+70h], 00000002h |
jne 00007FAB40D601A6h |
or dword ptr [eax+70h], 02h |
mov byte ptr [esi+0Ch], 00000001h |
jmp 00007FAB40D6019Ch |
mov ecx, dword ptr [eax] |
mov dword ptr [esi], ecx |
mov eax, dword ptr [eax+04h] |
mov dword ptr [esi+04h], eax |
mov eax, esi |
pop esi |
pop ebp |
retn 0004h |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 10h |
mov eax, dword ptr [0041F920h] |
xor eax, ebp |
mov dword ptr [ebp-04h], eax |
mov edx, dword ptr [ebp+18h] |
push ebx |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d96c | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x23000 | 0x1c6ec | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x40000 | 0x138c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1c378 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19000 | 0x150 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x17548 | 0x17600 | 4a4de4552a8a05cfea4c4ff1b4e9532e | False | 0.5845901570855615 | data | 6.644459188479388 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x19000 | 0x50f0 | 0x5200 | 9d8b011d99158eb44878bffbe94c4c0b | False | 0.3601371951219512 | data | 4.9319202453236715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1f000 | 0x37c4 | 0x1a00 | 45f752e15a14fca1b3ff2706b42091af | False | 0.3167067307692308 | data | 3.8749828218454043 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x23000 | 0x1c6ec | 0x1c800 | f7f67e74808bd8e37d727b9023fabdcb | False | 0.2743540981359649 | data | 4.804387241910113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x40000 | 0x1e2e | 0x2000 | fdaa21fac2a6fbee01e606c2b1b84ce7 | False | 0.4864501953125 | data | 4.81697133250145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x233a0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | Chinese | China | 0.2554878048780488 |
RT_ICON | 0x23a08 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Chinese | China | 0.3602150537634409 |
RT_ICON | 0x23cf0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | Chinese | China | 0.39344262295081966 |
RT_ICON | 0x23ed8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Chinese | China | 0.4358108108108108 |
RT_ICON | 0x24000 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Chinese | China | 0.4986673773987207 |
RT_ICON | 0x24ea8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Chinese | China | 0.5888989169675091 |
RT_ICON | 0x25750 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Chinese | China | 0.548963133640553 |
RT_ICON | 0x25e18 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Chinese | China | 0.40534682080924855 |
RT_ICON | 0x26380 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | Chinese | China | 0.18236129184904767 |
RT_ICON | 0x36ba8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Chinese | China | 0.3425838450637695 |
RT_ICON | 0x3add0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.3924273858921162 |
RT_ICON | 0x3d378 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.49953095684803 |
RT_ICON | 0x3e420 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Chinese | China | 0.580327868852459 |
RT_ICON | 0x3eda8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.6906028368794326 |
RT_GROUP_ICON | 0x3f210 | 0xca | data | Chinese | China | 0.6089108910891089 |
RT_VERSION | 0x3f2dc | 0x2a8 | data | Chinese | China | 0.4602941176470588 |
RT_MANIFEST | 0x3f584 | 0x165 | ASCII text, with CRLF line terminators | English | United States | 0.5434173669467787 |
DLL | Import |
---|---|
KERNEL32.dll | CloseHandle, ReadFile, VirtualAlloc, GetFileSize, CreateFileA, Sleep, GetTickCount64, VirtualFree, SetEndOfFile, CreateFileW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, GetLastError, HeapFree, RaiseException, RtlUnwind, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, HeapAlloc, IsProcessorFeaturePresent, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, ExitProcess, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapReAlloc, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, GetProcessHeap |
WININET.dll | InternetCloseHandle, InternetReadFile, InternetOpenUrlA, InternetOpenA |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China | |
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
07/02/24-19:25:10.860430 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
07/02/24-19:21:24.908027 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
07/02/24-19:25:10.861342 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
07/02/24-19:23:11.014576 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
07/02/24-19:24:48.480603 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 2, 2024 19:21:07.091839075 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:07.096668959 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:07.096760988 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:07.130027056 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:07.134804010 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047209024 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047261953 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047297001 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047307968 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047343969 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047343969 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047348022 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047382116 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047389030 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047425032 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047431946 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047467947 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047494888 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047509909 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047616959 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047650099 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047657967 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047686100 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.047692060 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047724962 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.052433968 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.052484035 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.052582026 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.052623034 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.284626961 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.284704924 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.284739017 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.284773111 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.284807920 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.284857035 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.284857035 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.284857035 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.284857035 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.284926891 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.284956932 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.284956932 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.284965038 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.285000086 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.285007000 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.285043001 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.285396099 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.285449982 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.285453081 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.285484076 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.285485983 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.285520077 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.285531998 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.285553932 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.285564899 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.285595894 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.286293983 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.286331892 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.286345005 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.286374092 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.286384106 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.286417007 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.286432028 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.286449909 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.286458969 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.286489964 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.287111044 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.287147045 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.287163019 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.287182093 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.287188053 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.287215948 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.287224054 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.287257910 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.377496958 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.377532959 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.377568007 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.377610922 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.377650976 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.522603989 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.522650003 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.522703886 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.522721052 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.523201942 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.523236990 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.523257017 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.523271084 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.523288965 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.523304939 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.523319006 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.523340940 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.523348093 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.523382902 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.523401022 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.523423910 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.523896933 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.523930073 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.523951054 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.523964882 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.523973942 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.524010897 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.524019003 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.524053097 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.524065018 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.524101019 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.524102926 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.524147987 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.524713039 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.524765968 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.524902105 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.524935007 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.524949074 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.524976969 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.525044918 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.525094986 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.525196075 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.525230885 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.525243998 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.525273085 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.525681019 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.525713921 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.525737047 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.525748014 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.525805950 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.525855064 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.526001930 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.526051044 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:12.369244099 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:12.374228954 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:12.375041962 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:12.555515051 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:12.560466051 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:18.405559063 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:18.451350927 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:24.908026934 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:24.913109064 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:25.239106894 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:25.251718998 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:25.256757021 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:37.248673916 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:37.253637075 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:37.579106092 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:37.581741095 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:37.586499929 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:48.408865929 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:48.451528072 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:49.592675924 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:49.597676039 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:49.923222065 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:49.925056934 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:49.929840088 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:01.936230898 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:01.942306042 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:02.272283077 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:02.275707960 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:02.280525923 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:13.526135921 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:22:13.526206017 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:22:14.279934883 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:14.284923077 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:14.610127926 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:14.611660957 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:14.616693020 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:18.399045944 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:18.451576948 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:18.811208963 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:18.816230059 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:19.141590118 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:19.143176079 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:19.148042917 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:31.155392885 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:31.160295010 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:31.492727995 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:31.498728037 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:31.503551960 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:43.498914957 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:43.503895998 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:43.830312014 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:43.832710981 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:43.837500095 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:44.582777977 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:44.587605000 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:44.914001942 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:44.915582895 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:44.920960903 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:48.428494930 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:48.483201027 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:56.517488956 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:22:56.522409916 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:22:56.922808886 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:56.928459883 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:57.256305933 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:22:57.258774996 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:57.263572931 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:00.842760086 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:00.847913027 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:01.301975012 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:01.304338932 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:01.311928988 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:01.686532021 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:01.691389084 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:01.702322960 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:01.707118034 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:01.733445883 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:01.738379002 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:02.018934965 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:02.020246983 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:02.027419090 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:02.254447937 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:02.255919933 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:02.261595964 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:02.497845888 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:02.503144026 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:02.507953882 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:08.611064911 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:08.616569996 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:08.942352057 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:08.946899891 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:08.951750994 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:11.014575958 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:11.019619942 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:11.347960949 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:11.350441933 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:11.355262041 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:18.436980009 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:18.486814022 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:22.514760971 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:22.520595074 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:22.845993042 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:22.848952055 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:22.853737116 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:34.860963106 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:34.865866899 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:35.192121029 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:35.198065996 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:35.202848911 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:47.202284098 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:47.207838058 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:47.532839060 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:47.534765005 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:47.540164948 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:48.108588934 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:48.113837957 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:48.155503035 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:48.160295010 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:48.436232090 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:48.483181000 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:48.670794010 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:48.677608013 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:48.682471037 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:48.955590010 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:23:48.958981991 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:23:48.963840008 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:00.499178886 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:00.504049063 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:00.832663059 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:00.857225895 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:00.863181114 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:02.842993975 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:02.847891092 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:03.173149109 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:03.175014973 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:03.180046082 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:04.030421972 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:04.035553932 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:04.361036062 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:04.362552881 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:04.367476940 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:16.374275923 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:16.379201889 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:16.707318068 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:16.710900068 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:16.715789080 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:18.457242966 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:18.498965979 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:27.983815908 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:27.988684893 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:28.313559055 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:28.315072060 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:28.320049047 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:30.546158075 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:30.551146984 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:30.877288103 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:30.881458998 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:30.887142897 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:35.780728102 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:35.785949945 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:35.889899015 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:35.894917011 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:35.905709028 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:35.911847115 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:36.111815929 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:36.113749027 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:36.118689060 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:36.345601082 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:36.347584009 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:36.353611946 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:36.579180002 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:36.580519915 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:36.585402012 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:46.624531031 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:46.629390955 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:46.956166983 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:46.957577944 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:46.962506056 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:48.480602980 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:48.530288935 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:49.452451944 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:49.457381010 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:49.782613993 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:49.784506083 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:49.789484024 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:52.077572107 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:52.083112955 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:52.124396086 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:52.342902899 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:52.457667112 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:52.457775116 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:52.457781076 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:52.457860947 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:52.459369898 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:52.462790966 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:52.465485096 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:53.029284954 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:53.031183004 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:53.036181927 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:53.077976942 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:53.084229946 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:53.120083094 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:53.123332977 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:53.170042992 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:53.662409067 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:53.664506912 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:53.669692993 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:58.671253920 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:58.676076889 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:59.001698017 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:24:59.006995916 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:24:59.014929056 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:25:10.530611992 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:25:10.535440922 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:25:10.860430002 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:25:10.861341953 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:25:10.866197109 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
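The packet table above is what a detection engineer would mine for beaconing: the 49701 to 7000 flow shows the client opening an exchange every 12.3 seconds or so (19:21:12.369, 19:21:24.908, 19:21:37.248, 19:21:49.592, 19:22:01.936, 19:22:14.279), while the server pushes its own packet every 30 seconds (19:21:18.405, 19:21:48.408, 19:22:18.399, and so on) that the client merely answers. The table carries no payload lengths, so ACKs cannot be told from data; the check below therefore cuts each flow into exchanges separated by at least one second of silence and times only the exchanges the client opened. This is an added example, not part of the Joe Sandbox report; it assumes 192.168.2.7 is the analysis VM (as the table shows), and the one-second gap, the 5 % tolerance and the three-interval minimum are the example's own choices. SAMPLE_ROWS is a subset copied from the table above, not a new capture.

```python
"""Beacon-interval check over the report's TCP packet rows (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

VM_IP = "192.168.2.7"   # analysis VM in this report
BURST_GAP_S = 1.0       # silence that separates two exchanges (example's choice)
TOLERANCE = 0.05        # +/- 5 % of the median interval still counts as regular
MIN_INTERVALS = 3       # fewer intervals than this gives no verdict
EPOCH = datetime(1970, 1, 1)

# Subset of the report's TCP packet table: the first two minutes of the
# 49701 -> 7000 flow plus a few rows of the 49700 -> 881 download flow.
SAMPLE_ROWS = """
Jul 2, 2024 19:21:07.091839075 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:07.096668959 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:07.096760988 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:07.130027056 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:08.047209024 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:21:08.526051044 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:21:12.369244099 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:12.374228954 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:12.375041962 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:12.555515051 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:12.560466051 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:18.405559063 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:18.451350927 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:24.908026934 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:24.913109064 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:25.239106894 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:25.251718998 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:37.248673916 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:37.581741095 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:48.408865929 CEST | 7000 | 49701 | 59.56.110.103 | 192.168.2.7 |
Jul 2, 2024 19:21:48.451528072 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:49.592675924 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:21:49.925056934 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:01.936230898 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:02.275707960 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:13.526135921 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
Jul 2, 2024 19:22:13.526206017 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:22:14.279934883 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:14.611660957 CEST | 49701 | 7000 | 192.168.2.7 | 59.56.110.103 |
Jul 2, 2024 19:22:56.517488956 CEST | 49700 | 881 | 192.168.2.7 | 91.208.240.157 |
Jul 2, 2024 19:22:56.522409916 CEST | 881 | 49700 | 91.208.240.157 | 192.168.2.7 |
"""

ROW_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) [A-Z]+ \| "
    r"(?P<sport>\d+) \| (?P<dport>\d+) \| (?P<src>[\d.]+) \| (?P<dst>[\d.]+) \|?$"
)


def parse_rows(text):
    """Yield (seconds, sport, dport, src, dst) per table row; other lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        head, frac = m["ts"].rsplit(".", 1)
        # the sandbox prints nanoseconds; strptime's %f takes at most six digits
        dt = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
        yield (dt - EPOCH).total_seconds(), int(m["sport"]), int(m["dport"]), m["src"], m["dst"]


def group_flows(packets):
    """Group packets by (client, server, server_port) into time-ordered lists of
    (seconds, direction), direction 'C' = client->server, 'S' = server->client."""
    flows = defaultdict(list)
    for t, sport, dport, src, dst in packets:
        if src == VM_IP:
            flows[(src, dst, dport)].append((t, "C"))
        else:
            flows[(dst, src, sport)].append((t, "S"))
    for pkts in flows.values():
        pkts.sort()
    return flows


def client_initiated_bursts(pkts):
    """Cut a flow into exchanges separated by >= BURST_GAP_S of silence and return
    the start times of the exchanges the client opened. Handshake ACKs and replies
    to server-initiated pings fall inside a burst and are never counted as starts."""
    starts, prev_t = [], None
    for t, direction in pkts:
        if (prev_t is None or t - prev_t >= BURST_GAP_S) and direction == "C":
            starts.append(t)
        prev_t = t
    return starts


def beacon_score(starts):
    """Return (median_interval, regular_fraction, n_intervals), or None when there
    are too few client-opened exchanges to judge."""
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    if len(intervals) < MIN_INTERVALS:
        return None
    med = median(intervals)
    regular = sum(abs(i - med) <= TOLERANCE * med for i in intervals)
    return med, regular / len(intervals), len(intervals)


def analyse(text):
    """Map every (client, server, port) flow in the table text to its beacon score."""
    return {key: beacon_score(client_initiated_bursts(pkts))
            for key, pkts in group_flows(parse_rows(text)).items()}


if __name__ == "__main__":
    for (client, server, port), score in analyse(SAMPLE_ROWS).items():
        if score is None:
            print(f"{client} -> {server}:{port}: too few client-opened exchanges")
        else:
            med, frac, n = score
            print(f"{client} -> {server}:{port}: median {med:.2f}s, {frac:.0%} of {n} intervals regular")
```

On the subset the 7000 flow scores a median of about 12.34 s with all five intervals regular, and the 881 download flow, which is one long exchange followed by a single later one, gets no verdict. Over the full table the picture is noisier: from 19:22:18 on, client-opened exchanges appear at other offsets between the 12-second ones, so the regular fraction drops well below 1.0. That is why a detector scores the fraction instead of demanding a perfect comb, and why the server's 30-second pings are deliberately excluded: the client only answers them, so they say nothing about the implant's own timer.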
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 2, 2024 19:21:06.538072109 CEST | 62013 | 53 | 192.168.2.7 | 1.1.1.1 |
Jul 2, 2024 19:21:07.085867882 CEST | 53 | 62013 | 1.1.1.1 | 192.168.2.7 |
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jul 2, 2024 19:21:06.538072109 CEST | 192.168.2.7 | 1.1.1.1 | 0x3dc9 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jul 2, 2024 19:21:07.085867882 CEST | 1.1.1.1 | 192.168.2.7 | 0x3dc9 | No error (0) | | | 91.208.240.157 | A (IP address) | IN (0x0001) | false |
HTTP Packets
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49700 | 91.208.240.157 | 881 | 5508 | C:\Users\user\Desktop\103-o_Installer.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 2, 2024 19:21:07.130027056 CEST | 94 | OUT | |
Jul 2, 2024 19:21:08.047209024 CEST | 1236 | IN | |
Target ID: | 0 |
Start time: | 13:21:05 |
Start date: | 02/07/2024 |
Path: | C:\Users\user\Desktop\103-o_Installer.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3a0000 |
File size: | 249'344 bytes |
MD5 hash: | DC4B9BE7A5645D5C7FD18A4AC175830C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 11.3% |
Dynamic/Decrypted Code Coverage: | 4.7% |
Signature Coverage: | 2.1% |
Total number of Nodes: | 746 |
Total number of Limit Nodes: | 64 |
Functions
Relevance is the sandbox's score for the function; APIs, Strings and Instructions are counts from its IDA plugin view; the tags are the API categories the sandbox assigned (file, sleep, memory, network) together with its COMMON/LIBRARYCODE classification. Addresses in the 003Axxxx range lie inside the mapped image (Imagebase 0x3a0000 above); the 02EExxxx, 02F2xxxx and 053Axxxx ranges lie outside the image and belong to the dynamically allocated, decrypted code that the coverage figures above refer to. Entries whose function header was not captured are listed as such.
Function | Relevance | APIs | Strings | Instructions | Tags | Yara match |
---|---|---|---|---|---|---|
053AAFD0 | 9.7 | | 7 | 908 | COMMON | |
053AA290 | 4.6 | | 3 | 889 | COMMON | |
053AE918 | 2.2 | | 1 | 966 | COMMON | |
003A25C8 | 1.6 | 1 | | 51 | COMMON | |
053A4D08 | 1.5 | | 1 | 281 | COMMON | |
053A55D8 | 0.3 | | | 266 | COMMON | |
003A11E1 | 19.3 | 8 | 3 | 89 | file, sleep, memory, COMMON | |
003A2E5D | 12.3 | 6 | 1 | 71 | network, file, COMMON | |
003A2E58 | 12.3 | 6 | 1 | 64 | network, file, COMMON | |
(name not captured) | | | | | | yes |
(name not captured) | | | | | | |
02EE00CD | 6.1 | 4 | | 90 | memory, COMMON | yes |
003A2F3D | 6.0 | 2 | 2 | 23 | memory, COMMON | |
(name not captured) | | | | | | yes |
(name not captured) | | | | | | |
053A75E0 | 1.6 | 1 | | 133 | COMMON | |
003A184B | 1.6 | 1 | | 78 | COMMON | |
053A6FC9 | 1.6 | 1 | | 64 | COMMON | |
053A6F50 | 1.6 | 1 | | 62 | COMMON | |
003A2D2E | 1.6 | 1 | | 59 | COMMON | |
003A2D33 | 1.6 | 1 | | 58 | COMMON | |
053A76B0 | 1.6 | 1 | | 55 | COMMON | |
053A6F64 | 1.6 | 1 | | 55 | COMMON | |
003A2488 | 1.5 | 1 | | 37 | COMMON | |
003A2483 | 1.5 | 1 | | 37 | COMMON | |
02F2D5FC | 0.1 | | | 75 | COMMON | |
02F2D5F7 | 0.1 | | | 56 | COMMON | |
02F2D01D | 0.0 | | | 45 | COMMON | |
02F2D005 | 0.0 | | | 45 | COMMON | |
003A65D1 | 10.6 | 5 | 1 | 58 | COMMON, LIBRARYCODE | |
003AF4CD | 8.8 | 3 | 2 | 54 | COMMON, LIBRARYCODE | |
053A07A0 | 1.5 | | 1 | 260 | COMMON | |
|
Similarity |
|
Function 003AC78D Relevance: 1.5, APIs: 1, Instructions: 4COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 053A49C0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003B0BD6 Relevance: .4, Instructions: 355COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003B07EE Relevance: .3, Instructions: 349COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003B041C Relevance: .3, Instructions: 332COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003B007E Relevance: .3, Instructions: 326COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EE1628 Relevance: .0, Instructions: 27COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003A1671 Relevance: .0, Instructions: 13COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A98E5 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A966F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A1B06 Relevance: 9.0, APIs: 6, Instructions: 46COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A7D40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A262B Relevance: 6.2, APIs: 4, Instructions: 171COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A168B Relevance: 6.0, APIs: 4, Instructions: 42COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A67E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A7AB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|