Windows
Analysis Report
LisectAVT_2403002C_101.dll
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 6568 cmdline: loaddll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6652 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 6676 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6664 cmdline: rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002C_101.dll,GnrkBltvkx MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6732 cmdline: rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002C_101.dll,GnrkBmoaar MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6752 cmdline: rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002C_101.dll,GnrkCyrpw MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6800 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkBltvkx MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6808 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkBmoaar MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6816 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkCyrpw MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6824 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkZtdij MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6836 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkZewk MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6848 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkXzwnp MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6864 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkXalbb MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6900 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkWyey MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6912 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkWtlrh MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6920 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkWsnq MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6928 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkWapq MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6940 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkVnndq MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6948 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkUsmc MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6964 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkTrg MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6972 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkTjxdo MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6984 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkTch MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6996 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkTcfv MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7004 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkStso MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7012 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkSf MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7096 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkSbq MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7104 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkRrdcfn MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7116 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkQulon MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkQr MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7144 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkQm MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 1872 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkPp MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6192 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOxft MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6232 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOksgc MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 3252 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOi MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 1752 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOhqbhe MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 1388 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOda MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 4844 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkNsdwzc MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 5808 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkNr MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 5984 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkNofovl MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6220 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkNlqh MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
Source: | Author: Florian Roth (Nextron Systems): |
Timestamp: | 2024-07-25T11:11:45.735244+0200 |
SID: | 2022930 |
Source Port: | 443 |
Destination Port: | 49721 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-07-25T11:13:50.423497+0200 |
SID: | 2036858 |
Source Port: | 49736 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-07-25T11:11:45.667575+0200 |
SID: | 2036858 |
Source Port: | 49719 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-07-25T11:13:11.916981+0200 |
SID: | 2036858 |
Source Port: | 49731 |
Destination Port: | 8080 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-07-25T11:13:45.386141+0200 |
SID: | 2036858 |
Source Port: | 49735 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-07-25T11:13:06.885851+0200 |
SID: | 2036858 |
Source Port: | 49729 |
Destination Port: | 8080 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-07-25T11:13:40.323332+0200 |
SID: | 2036858 |
Source Port: | 49733 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-07-25T11:12:57.855350+0200 |
SID: | 2036858 |
Source Port: | 49728 |
Destination Port: | 8080 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-07-25T11:11:06.913137+0200 |
SID: | 2022930 |
Source Port: | 443 |
Destination Port: | 49712 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-07-25T11:12:25.230116+0200 |
SID: | 2036858 |
Source Port: | 49724 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-07-25T11:12:08.042305+0200 |
SID: | 2036858 |
Source Port: | 49723 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | Code function: | 0_2_6CCA91E0 | |
Source: | Code function: | 30_2_6CCA91E0 |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_6CCA2C90 |
Networking |
---|
Source: | Domain query: |
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 30_2_6CCC2DE0 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_6CCA1880 | |
Source: | Code function: | 30_2_6CCA1880 |
Source: | Code function: | 0_2_6CCAE040 | |
Source: | Code function: | 0_2_6CCAE2F0 | |
Source: | Code function: | 0_2_6CCAE308 | |
Source: | Code function: | 0_2_6CCAE32D | |
Source: | Code function: | 30_2_6CCAE040 | |
Source: | Code function: | 30_2_6CCAE2F0 | |
Source: | Code function: | 30_2_6CCAE308 | |
Source: | Code function: | 30_2_6CCAE32D |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 30_2_6CCB6580 |
Source: | Code function: | 0_2_6CCA6690 |
Source: | Code function: | 0_2_6CCA6690 | |
Source: | Code function: | 30_2_6CCA6690 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | File read: | ||
Source: | File read: |
Source: | Process created: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: |
Source: | Static PE information: |
Source: | Code function: | 0_2_6CCA28E0 |
Source: | Code function: | 0_2_6CCA6690 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Code function: | 0_2_6CCA1000 | |
Source: | Code function: | 30_2_6CCA1000 |
Source: | Window / User API: | ||
Source: | Window / User API: |
Source: | Check user administrative privileges: | graph_30-20969 |
Source: | Code function: | 0_2_6CCA1000 | |
Source: | Code function: | 30_2_6CCA1000 |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep time: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep time: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: | |||
Source: | Thread sleep count: |
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_6CCA28E0 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Domain query: |
Source: | Code function: | 0_2_6CCA6B50 |
Source: | Process created: | Jump to behavior |
Source: | Code function: | 30_2_6CCC2B70 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 2 Service Execution | 1 Valid Accounts | 1 Valid Accounts | 1 Valid Accounts | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 2 Native API | 3 Windows Service | 11 Access Token Manipulation | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 3 Windows Service | 11 Access Token Manipulation | Security Account Manager | 1 Peripheral Device Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 111 Process Injection | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 1 Rundll32 | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ec2-52-90-110-169.compute-1.amazonaws.com | 52.90.110.169 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false |
| unknown | |
false |
| unknown | |
false |
| unknown | |
false |
| unknown | |
false |
| unknown | |
false |
| unknown | |
false |
| unknown | |
false |
| unknown | |
false |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
40.127.169.103 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false | |
40.115.3.253 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
52.90.110.169 | ec2-52-90-110-169.compute-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | true | |
173.222.162.60 | unknown | United States | 35994 | AKAMAI-ASUS | false | |
162.159.36.2 | unknown | United States | 13335 | CLOUDFLARENETUS | false |
IP |
---|
192.168.2.1 |
192.168.2.12 |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1481559 |
Start date and time: | 2024-07-25 11:09:51 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 42 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | LisectAVT_2403002C_101.dll |
Detection: | MAL |
Classification: | mal56.evad.winDLL@95/0@1/8 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded IPs from analysis (whitelisted): 199.232.214.172, 192.229.221.95
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information for the remainder.
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: LisectAVT_2403002C_101.dll
Time | Type | Description |
---|---|---|
05:11:56 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
40.127.169.103 | Get hash | malicious | Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT | Browse | ||
Get hash | malicious | Wannacry | Browse | |||
1.1.1.1 | Get hash | malicious | FormBook, NSISDropper | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
40.115.3.253 | Get hash | malicious | ManusCrypt, Nitol | Browse | ||
Get hash | malicious | ManusCrypt, Nitol | Browse | |||
Get hash | malicious | ManusCrypt, Nitol | Browse | |||
Get hash | malicious | ManusCrypt, Nitol | Browse | |||
Get hash | malicious | ManusCrypt | Browse | |||
Get hash | malicious | ManusCrypt | Browse | |||
162.159.36.2 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | Browse | |||
Get hash | malicious | Amadey, RisePro Stealer | Browse | |||
Get hash | malicious | Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT | Browse | |||
Get hash | malicious | Wannacry | Browse | |||
Get hash | malicious | Amadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT | Browse | |||
Get hash | malicious | Amadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | CobaltStrike | Browse |
| |
Get hash | malicious | Ramnit | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Ramnit | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Bdaejec, Darkbot | Browse |
| ||
Get hash | malicious | Bdaejec, Sodinokibi | Browse |
| ||
MICROSOFT-CORP-MSN-AS-BLOCKUS | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Darkbot | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Bdaejec, Darkbot | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | FormBook, GuLoader | Browse |
| ||
Get hash | malicious | DBatLoader | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
MICROSOFT-CORP-MSN-AS-BLOCKUS | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Darkbot | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Bdaejec, Darkbot | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | FormBook, GuLoader | Browse |
| ||
Get hash | malicious | DBatLoader | Browse |
| ||
Get hash | malicious | Njrat | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
28a2c9bd18a11de089ef85a160da29e4 | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Coinhive, Xmrig | Browse |
| ||
Get hash | malicious | Xmrig | Browse |
| ||
Get hash | malicious | Revenge | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | AgentTesla | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
|
File type: | |
Entropy (8bit): | 6.529157171131098 |
TrID: |
|
File name: | LisectAVT_2403002C_101.dll |
File size: | 192'512 bytes |
MD5: | e297538fd11e88f35c51d59361579625 |
SHA1: | f083c244220424b40d90046003e02f4281d5a5ce |
SHA256: | 51c5b0c6008197cd7c9a9fcd7e0be8534578f2e5ec4f0b48501b09e427825fd7 |
SHA512: | bdf488b91477e118d126d774137715f4db744738148fb13e26e54cb827ce483044d75bf7fee377c23f1e507f318cf33615f596fc8813a681917ba6a2b9455f9a |
SSDEEP: | 3072:HqPO7C6IiSX2hI/rmE8PjguXRY7ArrCEmguU1DNlFJa34kg:HSOu6i2hI/rXGg4RLmED5B |
TLSH: | 04143915F501873DE8BF00FAC7F9266CA52C9A32935820C3ABC85CA71555AEBBF35193 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X..............A...............y.......I.......H.......O.....Rich............PE..L......N...........!.....d...6............. |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x10001880 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4EE21DCE [Fri Dec 9 14:40:14 2011 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | a87240b873c1a5b2b17c559a4ce533e7 |
Instruction |
---|
push ebp |
mov ebp, esp |
push ecx |
mov eax, dword ptr [10030628h] |
and eax, 01h |
jne 00007F6610DD457Dh |
mov ecx, dword ptr [10030628h] |
or ecx, 01h |
mov dword ptr [10030628h], ecx |
mov edx, dword ptr [10028194h] |
mov dword ptr [10030624h], edx |
mov eax, dword ptr [ebp+0Ch] |
mov dword ptr [ebp-04h], eax |
cmp dword ptr [ebp-04h], 00000000h |
je 00007F6610DD4571h |
cmp dword ptr [ebp-04h], 01h |
je 00007F6610DD4564h |
jmp 00007F6610DD456Eh |
call 00007F6610DD3D33h |
jmp 00007F6610DD4567h |
call 00007F6610DD3D5Ch |
mov eax, 00000001h |
mov esp, ebp |
pop ebp |
retn 000Ch |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
sub esp, 08h |
mov eax, dword ptr [10028120h] |
mov dword ptr [ebp-04h], eax |
mov dword ptr [ebp-08h], 00000000h |
call 00007F6610DD3CFBh |
call 00007F6610DEA336h |
mov dword ptr [ebp-08h], eax |
mov ecx, dword ptr [ebp-08h] |
push ecx |
call 00007F6610DD4E0Ah |
push eax |
call 00007F6610DD4EC4h |
test eax, eax |
jne 00007F6610DD456Bh |
mov edx, dword ptr [ebp-08h] |
push edx |
call 00007F6610DD4FD7h |
call 00007F6610DD3D02h |
mov eax, dword ptr [ebp-08h] |
mov esp, ebp |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
pop ebp |
ret |
int3 |
int3 |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2bfc0 | 0x3d4 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b590 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0x3e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9b000 | 0x2188 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x28000 | 0x1b4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x262de | 0x26400 | fb8bd1b81ccfb4f534f3daef7cbb4cca | False | 0.47029462826797386 | data | 6.33246806574087 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x28000 | 0x4394 | 0x4400 | 82b918d77a044f40686ae5809c89ddbd | False | 0.759765625 | data | 7.055205472510572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x2d000 | 0x6c551 | 0xa00 | c81870d3c545b9989522cccbbdbde726 | False | 0.913671875 | data | 7.449705734565964 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x9a000 | 0x3e0 | 0x400 | 6117fb448b882a3030c2aff8efcd289b | False | 0.4248046875 | data | 3.0643979755835313 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x9b000 | 0x26fc | 0x2800 | 745f439c351f3878b92a5df493588d95 | False | 0.62431640625 | data | 6.137144019251764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_DIALOG | 0x9a340 | 0x9c | data | Chinese | China | 0.6794871794871795 |
RT_VERSION | 0x9a0a0 | 0x29c | data | Chinese | China | 0.4550898203592814 |
DLL | Import |
---|---|
KERNEL32.dll | EnumTimeFormatsW, GlobalAddAtomW, TryEnterCriticalSection, HeapAlloc, EnumResourceNamesW, GlobalFix, HeapCompact, TlsSetValue, FindResourceExA, MoveFileA, CompareFileTime, WriteProfileSectionW, InitializeSListHead, UpdateResourceA, ClearCommBreak, GetDevicePowerState, Sleep, EnumResourceTypesW, SetConsoleTitleA, IsSystemResumeAutomatic, GetShortPathNameA, GetPrivateProfileStringW, IsBadStringPtrA, CreateMailslotW, LoadLibraryA, GetProcAddress, PeekConsoleInputA, GetSystemWindowsDirectoryW, OpenWaitableTimerA, CreateFileW, GetLastError, SetFilePointer, WriteFile, CloseHandle, SetConsoleActiveScreenBuffer, SetCurrentDirectoryW, EnumSystemCodePagesA, GetCalendarInfoA, GetTickCount, FindResourceW |
USER32.dll | DefDlgProcA, DrawAnimatedRects, ArrangeIconicWindows, SetWindowRgn, HideCaret, ScrollWindowEx, ShowWindowAsync, RegisterClipboardFormatA, AnimateWindow, FillRect, GetClassInfoExW, IsDialogMessageW, CharLowerBuffA, LoadStringW, GetKBCodePage, DlgDirSelectComboBoxExA, ClipCursor, IsWindowUnicode, SendMessageTimeoutA, PostMessageA, OemToCharA, GetClipboardFormatNameA, UnregisterDeviceNotification, ExitWindowsEx, SetPropA, SystemParametersInfoA, UnregisterClassA, GetDlgItemInt, IsWindowEnabled, LoadCursorFromFileA |
GDI32.dll | CloseFigure, SetBitmapBits, GetPixel, PlayMetaFileRecord, GetMiterLimit, GetEnhMetaFileHeader, SetICMProfileA, SetColorSpace, SetICMMode, SetTextColor, SetDeviceGammaRamp, SelectPalette, GetWindowExtEx, CreateEnhMetaFileA, DeleteDC, LPtoDP, GetBitmapBits |
ADVAPI32.dll | IsValidSid, SetSecurityDescriptorSacl, RegDisablePredefinedCache, FileEncryptionStatusW, LookupPrivilegeNameW, OpenBackupEventLogW, LogonUserW, RegEnumKeyW, StartServiceCtrlDispatcherW, InitiateSystemShutdownExW, SetKernelObjectSecurity, AreAllAccessesGranted, QueryServiceConfigA, LookupPrivilegeNameA, RegOpenUserClassesRoot, ImpersonateLoggedOnUser, ReadEventLogW, RegEnumKeyExA |
Name | Ordinal | Address |
---|---|---|
GnrkBltvkx | 1 | 0x10001a90 |
GnrkBmoaar | 2 | 0x10001aa0 |
GnrkCyrpw | 3 | 0x10001a40 |
GnrkEkp | 4 | 0x10001be0 |
GnrkEnjzs | 5 | 0x10001d80 |
GnrkFa | 6 | 0x10001d60 |
GnrkFsx | 7 | 0x10001940 |
GnrkGm | 8 | 0x10001c70 |
GnrkGt | 9 | 0x10001b30 |
GnrkHhcpo | 10 | 0x10001c20 |
GnrkHjtl | 11 | 0x10001c10 |
GnrkIiip | 12 | 0x10001d90 |
GnrkJird | 13 | 0x10001d50 |
GnrkJstv | 14 | 0x10001e20 |
GnrkKhlhca | 15 | 0x10001e10 |
GnrkKhqbbu | 16 | 0x10001f00 |
GnrkLmkamk | 17 | 0x10001dc0 |
GnrkLoc | 18 | 0x10001a10 |
GnrkNlqh | 19 | 0x10001e00 |
GnrkNofovl | 20 | 0x10001da0 |
GnrkNr | 21 | 0x10001970 |
GnrkNsdwzc | 22 | 0x10001a70 |
GnrkOda | 23 | 0x10001ca0 |
GnrkOhqbhe | 24 | 0x10001ee0 |
GnrkOi | 25 | 0x10001db0 |
GnrkOksgc | 26 | 0x10001cb0 |
GnrkOxft | 27 | 0x10001960 |
GnrkPp | 28 | 0x10001b00 |
GnrkQm | 29 | 0x10001bf0 |
GnrkQr | 30 | 0x10001770 |
GnrkQulon | 31 | 0x10001c90 |
GnrkRrdcfn | 32 | 0x10001c50 |
GnrkSbq | 33 | 0x10001990 |
GnrkSf | 34 | 0x10001ec0 |
GnrkStso | 35 | 0x10001ae0 |
GnrkTcfv | 36 | 0x10001eb0 |
GnrkTch | 37 | 0x10001c30 |
GnrkTjxdo | 38 | 0x10001ab0 |
GnrkTrg | 39 | 0x10001e60 |
GnrkUsmc | 40 | 0x10001930 |
GnrkVnndq | 41 | 0x10001b10 |
GnrkWapq | 42 | 0x10001de0 |
GnrkWsnq | 43 | 0x10001ad0 |
GnrkWtlrh | 44 | 0x10001c00 |
GnrkWyey | 45 | 0x10001c40 |
GnrkXalbb | 46 | 0x10001950 |
GnrkXzwnp | 47 | 0x10001a50 |
GnrkZewk | 48 | 0x10001d20 |
GnrkZtdij | 49 | 0x10001b70 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
2024-07-25T11:11:45.735244+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
2024-07-25T11:13:50.423497+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49736 | 80 | 192.168.2.12 | 52.90.110.169 |
2024-07-25T11:11:45.667575+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49719 | 80 | 192.168.2.12 | 52.90.110.169 |
2024-07-25T11:13:11.916981+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49731 | 8080 | 192.168.2.12 | 52.90.110.169 |
2024-07-25T11:13:45.386141+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49735 | 80 | 192.168.2.12 | 52.90.110.169 |
2024-07-25T11:13:06.885851+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49729 | 8080 | 192.168.2.12 | 52.90.110.169 |
2024-07-25T11:13:40.323332+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49733 | 80 | 192.168.2.12 | 52.90.110.169 |
2024-07-25T11:12:57.855350+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49728 | 8080 | 192.168.2.12 | 52.90.110.169 |
2024-07-25T11:11:06.913137+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
2024-07-25T11:12:25.230116+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49724 | 80 | 192.168.2.12 | 52.90.110.169 |
2024-07-25T11:12:08.042305+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49723 | 80 | 192.168.2.12 | 52.90.110.169 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 25, 2024 11:10:44.570202112 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:44.570255041 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:44.570420980 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:44.571167946 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:44.571183920 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:45.260437965 CEST | 49673 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:10:45.260469913 CEST | 49674 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:10:45.378591061 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:45.378762007 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:45.388504028 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:45.388530016 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:45.388861895 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:45.390181065 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:45.390374899 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:45.390374899 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:45.390382051 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:45.436508894 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:45.566596031 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:45.567048073 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:45.567138910 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:45.568756104 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:45.568778038 CEST | 443 | 49709 | 40.113.110.67 | 192.168.2.12 |
Jul 25, 2024 11:10:45.568851948 CEST | 49709 | 443 | 192.168.2.12 | 40.113.110.67 |
Jul 25, 2024 11:10:45.713582039 CEST | 49672 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:10:54.869852066 CEST | 49673 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:10:54.869852066 CEST | 49674 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:10:55.323025942 CEST | 49672 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:11:00.663856983 CEST | 49710 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:00.670835018 CEST | 80 | 49710 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:00.670905113 CEST | 49710 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:00.671124935 CEST | 49710 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:00.675981998 CEST | 80 | 49710 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:04.908689976 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:04.908741951 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:04.908829927 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:04.909656048 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:04.909677982 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:05.311115980 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:05.311155081 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:05.311264992 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:05.317986965 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:05.318021059 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:05.712655067 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:05.712860107 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:05.716002941 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:05.716018915 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:05.716273069 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:05.725389004 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:05.725513935 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:05.725522041 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:05.725692034 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:05.768492937 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:05.899162054 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:05.899246931 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:05.899310112 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:05.899533033 CEST | 49711 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:05.899548054 CEST | 443 | 49711 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:05.916142941 CEST | 49708 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:11:05.921258926 CEST | 443 | 49708 | 173.222.162.60 | 192.168.2.12 |
Jul 25, 2024 11:11:06.081285000 CEST | 443 | 49708 | 173.222.162.60 | 192.168.2.12 |
Jul 25, 2024 11:11:06.081321955 CEST | 443 | 49708 | 173.222.162.60 | 192.168.2.12 |
Jul 25, 2024 11:11:06.081332922 CEST | 443 | 49708 | 173.222.162.60 | 192.168.2.12 |
Jul 25, 2024 11:11:06.081342936 CEST | 49708 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:11:06.081346989 CEST | 443 | 49708 | 173.222.162.60 | 192.168.2.12 |
Jul 25, 2024 11:11:06.081377983 CEST | 49708 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:11:06.081413031 CEST | 49708 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:11:06.092227936 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.092397928 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:06.107975960 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:06.107995987 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.108525038 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.151093960 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:06.641474962 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:06.688503981 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.904345989 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.904382944 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.904391050 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.904402971 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.904423952 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.904500961 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:06.904500961 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:06.904532909 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.904889107 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.904943943 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:06.904943943 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:06.904953003 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.905339956 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:06.912992001 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.913053989 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:06.913125992 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:07.774128914 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:07.774158955 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:07.774187088 CEST | 49712 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:07.774194956 CEST | 443 | 49712 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:11.685561895 CEST | 443 | 49708 | 173.222.162.60 | 192.168.2.12 |
Jul 25, 2024 11:11:11.685719967 CEST | 49708 | 443 | 192.168.2.12 | 173.222.162.60 |
Jul 25, 2024 11:11:22.097045898 CEST | 80 | 49710 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:22.097162008 CEST | 49710 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:22.097234011 CEST | 49710 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:22.102564096 CEST | 80 | 49710 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:24.256771088 CEST | 49719 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:24.261995077 CEST | 80 | 49719 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:24.262115002 CEST | 49719 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:24.265717983 CEST | 49719 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:24.271452904 CEST | 80 | 49719 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:25.263250113 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:25.263308048 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:25.263384104 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:25.264324903 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:25.264344931 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:26.253465891 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:26.253632069 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:26.259244919 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:26.259265900 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:26.259522915 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:26.260993004 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:26.261097908 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:26.261106014 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:26.261246920 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:26.304502010 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:26.435277939 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:26.435364962 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:26.435471058 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:26.435600042 CEST | 49720 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:26.435620070 CEST | 443 | 49720 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:43.955302000 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:43.955341101 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:43.955463886 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:43.955831051 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:43.955847025 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.411545038 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.411612988 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:45.413280964 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:45.413290024 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.413535118 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.415894985 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:45.460501909 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.667452097 CEST | 80 | 49719 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:45.667574883 CEST | 49719 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:45.668133020 CEST | 49719 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:45.672990084 CEST | 80 | 49719 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:45.733313084 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.733341932 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.733378887 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.733563900 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:45.733583927 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.733727932 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:45.734909058 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.735007048 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.735044956 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:45.735053062 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.735114098 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.735219002 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:45.736120939 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:45.736140013 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:45.736157894 CEST | 49721 | 443 | 192.168.2.12 | 40.127.169.103 |
Jul 25, 2024 11:11:45.736162901 CEST | 443 | 49721 | 40.127.169.103 | 192.168.2.12 |
Jul 25, 2024 11:11:46.406972885 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:46.407015085 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:46.407131910 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:46.407834053 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:46.407851934 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:46.684525967 CEST | 49723 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:46.689843893 CEST | 80 | 49723 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:46.689913988 CEST | 49723 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:46.690191031 CEST | 49723 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:11:46.696548939 CEST | 80 | 49723 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:11:47.317466974 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:47.317596912 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:47.319674015 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:47.319688082 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:47.320096970 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:47.321290016 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:47.321379900 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:47.321384907 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:47.321577072 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:47.368489981 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:47.691683054 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:47.691776991 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:11:47.691839933 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:47.701251984 CEST | 49722 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:11:47.701272964 CEST | 443 | 49722 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:08.042108059 CEST | 80 | 49723 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:08.042304993 CEST | 49723 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:08.042486906 CEST | 49723 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:08.047454119 CEST | 80 | 49723 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:09.058258057 CEST | 49724 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:09.207551956 CEST | 80 | 49724 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:09.207653046 CEST | 49724 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:09.207794905 CEST | 49724 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:09.212735891 CEST | 80 | 49724 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:09.530399084 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:09.530488968 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:09.530636072 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:09.531358004 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:09.531388044 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.317323923 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.317393064 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:10.319236040 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:10.319247961 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.319489002 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.320785046 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:10.320863008 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:10.320868015 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.321285963 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:10.364490032 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.492309093 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.492785931 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.492839098 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:10.492877960 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.492894888 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:10.492902040 CEST | 443 | 49725 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:10.492909908 CEST | 49725 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:25.230115891 CEST | 49724 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:26.277650118 CEST | 49726 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:26.406955004 CEST | 8080 | 49726 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:26.407146931 CEST | 49726 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:26.407351971 CEST | 49726 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:26.414213896 CEST | 8080 | 49726 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:36.953804016 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:36.953859091 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:36.953986883 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:36.955780029 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:36.955815077 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:37.918157101 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:37.918262005 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:37.922511101 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:37.922544003 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:37.922836065 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:37.925429106 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:37.930514097 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:37.930530071 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:37.930934906 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:37.972516060 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:38.114993095 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:38.115156889 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:38.115243912 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:38.115390062 CEST | 49727 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:12:38.115415096 CEST | 443 | 49727 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:12:47.794095039 CEST | 8080 | 49726 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:47.794500113 CEST | 49726 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:47.794646025 CEST | 49726 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:47.800009966 CEST | 8080 | 49726 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:49.828356981 CEST | 49728 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:49.835432053 CEST | 8080 | 49728 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:49.835637093 CEST | 49728 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:49.836275101 CEST | 49728 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:49.843426943 CEST | 8080 | 49728 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:57.855350018 CEST | 49728 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:58.870856047 CEST | 49729 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:58.876935959 CEST | 8080 | 49729 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:12:58.877075911 CEST | 49729 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:58.877234936 CEST | 49729 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:12:58.886894941 CEST | 8080 | 49729 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:06.843990088 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:06.844043016 CEST | 443 | 49730 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:06.844331026 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:06.845211983 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:06.845225096 CEST | 443 | 49730 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:06.885850906 CEST | 49729 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:07.803219080 CEST | 443 | 49730 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:07.803311110 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:07.805387974 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:07.805397034 CEST | 443 | 49730 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:07.805634975 CEST | 443 | 49730 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:07.806953907 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:07.807050943 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:07.807058096 CEST | 443 | 49730 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:07.807239056 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:07.852490902 CEST | 443 | 49730 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:07.901927948 CEST | 49731 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:07.907021999 CEST | 8080 | 49731 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:07.907279968 CEST | 49731 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:07.907819033 CEST | 49731 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:07.914235115 CEST | 8080 | 49731 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:07.991499901 CEST | 443 | 49730 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:07.992810011 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:07.992835999 CEST | 443 | 49730 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:07.993036032 CEST | 49730 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:11.916980982 CEST | 49731 | 8080 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:12.951339960 CEST | 49732 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:12.956367016 CEST | 80 | 49732 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:12.957277060 CEST | 49732 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:12.957422972 CEST | 49732 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:12.962272882 CEST | 80 | 49732 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:34.307452917 CEST | 80 | 49732 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:34.307557106 CEST | 49732 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:34.307835102 CEST | 49732 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:34.312632084 CEST | 80 | 49732 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:36.313630104 CEST | 49733 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:36.319442987 CEST | 80 | 49733 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:36.319610119 CEST | 49733 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:36.319840908 CEST | 49733 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:36.325314045 CEST | 80 | 49733 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:38.858165979 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:38.858233929 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:38.858437061 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:38.859195948 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:38.859208107 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:39.685934067 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:39.686444998 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:39.689986944 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:39.690011978 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:39.690795898 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:39.692738056 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:39.692869902 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:39.692879915 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:39.693059921 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:39.736545086 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:39.872833014 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:39.873187065 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:39.873265028 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:39.873799086 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:39.873851061 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.12 |
Jul 25, 2024 11:13:39.873883009 CEST | 49734 | 443 | 192.168.2.12 | 40.115.3.253 |
Jul 25, 2024 11:13:40.323332071 CEST | 49733 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:41.368468046 CEST | 49735 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:41.373413086 CEST | 80 | 49735 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:41.373658895 CEST | 49735 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:41.373878002 CEST | 49735 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:41.378724098 CEST | 80 | 49735 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:45.386141062 CEST | 49735 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:46.404609919 CEST | 49736 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:46.409812927 CEST | 80 | 49736 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:46.409960032 CEST | 49736 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:46.410187006 CEST | 49736 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:46.415158033 CEST | 80 | 49736 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:50.423496962 CEST | 49736 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:51.506362915 CEST | 49737 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:51.511554956 CEST | 80 | 49737 | 52.90.110.169 | 192.168.2.12 |
Jul 25, 2024 11:13:51.511759043 CEST | 49737 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:51.512116909 CEST | 49737 | 80 | 192.168.2.12 | 52.90.110.169 |
Jul 25, 2024 11:13:51.519845963 CEST | 80 | 49737 | 52.90.110.169 | 192.168.2.12 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 25, 2024 11:11:00.648468971 CEST | 61201 | 53 | 192.168.2.12 | 8.8.8.8 |
Jul 25, 2024 11:11:00.659136057 CEST | 53 | 61201 | 8.8.8.8 | 192.168.2.12 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jul 25, 2024 11:11:00.648468971 CEST | 192.168.2.12 | 8.8.8.8 | 0x3202 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jul 25, 2024 11:11:00.659136057 CEST | 8.8.8.8 | 192.168.2.12 | 0x3202 | No error (0) | 52.90.110.169 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.12 | 49710 | 52.90.110.169 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:11:00.671124935 CEST | 61 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.12 | 49719 | 52.90.110.169 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:11:24.265717983 CEST | 258 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.12 | 49723 | 52.90.110.169 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:11:46.690191031 CEST | 258 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.12 | 49724 | 52.90.110.169 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:12:09.207794905 CEST | 258 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.12 | 49728 | 52.90.110.169 | 8080 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:12:49.836275101 CEST | 263 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.12 | 49729 | 52.90.110.169 | 8080 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:12:58.877234936 CEST | 263 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.12 | 49731 | 52.90.110.169 | 8080 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:13:07.907819033 CEST | 263 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.12 | 49732 | 52.90.110.169 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:13:12.957422972 CEST | 34 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.12 | 49733 | 52.90.110.169 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:13:36.319840908 CEST | 258 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.12 | 49735 | 52.90.110.169 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:13:41.373878002 CEST | 258 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
10 | 192.168.2.12 | 49736 | 52.90.110.169 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:13:46.410187006 CEST | 258 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
11 | 192.168.2.12 | 49737 | 52.90.110.169 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:13:51.512116909 CEST | 23 | OUT |
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Jul 25, 2024 11:11:06.081332922 CEST | 173.222.162.60 | 443 | 192.168.2.12 | 49708 | CN=r.bing.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US CN=Microsoft Azure ECC TLS Issuing CA 04, O=Microsoft Corporation, C=US | CN=Microsoft Azure ECC TLS Issuing CA 04, O=Microsoft Corporation, C=US CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Jun 24 18:16:15 CEST 2024 Thu Jun 08 02:00:00 CEST 2023 | Thu Jun 19 18:16:15 CEST 2025 Wed Aug 26 01:59:59 CEST 2026 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-16-23-65281,29-23-24,0 | 28a2c9bd18a11de089ef85a160da29e4 |
CN=Microsoft Azure ECC TLS Issuing CA 04, O=Microsoft Corporation, C=US | CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Jun 08 02:00:00 CEST 2023 | Wed Aug 26 01:59:59 CEST 2026 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.12 | 49709 | 40.113.110.67 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:10:45 UTC | 71 | OUT | |
2024-07-25 09:10:45 UTC | 249 | OUT | |
2024-07-25 09:10:45 UTC | 1064 | OUT | |
2024-07-25 09:10:45 UTC | 74 | OUT | |
2024-07-25 09:10:45 UTC | 14 | IN | |
2024-07-25 09:10:45 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
1 | 192.168.2.12 | 49711 | 40.115.3.253 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:05 UTC | 71 | OUT | |
2024-07-25 09:11:05 UTC | 249 | OUT | |
2024-07-25 09:11:05 UTC | 1064 | OUT | |
2024-07-25 09:11:05 UTC | 74 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.12 | 49711 | 40.115.3.253 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:05 UTC | 14 | IN | |
2024-07-25 09:11:05 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
3 | 192.168.2.12 | 49712 | 40.127.169.103 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:06 UTC | 306 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.12 | 49712 | 40.127.169.103 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:06 UTC | 560 | IN | |
2024-07-25 09:11:06 UTC | 15824 | IN | |
2024-07-25 09:11:06 UTC | 8666 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
5 | 192.168.2.12 | 49720 | 40.115.3.253 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:26 UTC | 71 | OUT | |
2024-07-25 09:11:26 UTC | 249 | OUT | |
2024-07-25 09:11:26 UTC | 1064 | OUT | |
2024-07-25 09:11:26 UTC | 74 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.12 | 49720 | 40.115.3.253 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:26 UTC | 14 | IN | |
2024-07-25 09:11:26 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
7 | 192.168.2.12 | 49721 | 40.127.169.103 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:45 UTC | 306 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.12 | 49721 | 40.127.169.103 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:45 UTC | 560 | IN | |
2024-07-25 09:11:45 UTC | 15824 | IN | |
2024-07-25 09:11:45 UTC | 14181 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
9 | 192.168.2.12 | 49722 | 40.115.3.253 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:47 UTC | 71 | OUT | |
2024-07-25 09:11:47 UTC | 249 | OUT | |
2024-07-25 09:11:47 UTC | 1064 | OUT | |
2024-07-25 09:11:47 UTC | 74 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
10 | 192.168.2.12 | 49722 | 40.115.3.253 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:11:47 UTC | 14 | IN | |
2024-07-25 09:11:47 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
11 | 192.168.2.12 | 49725 | 40.115.3.253 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:12:10 UTC | 71 | OUT | |
2024-07-25 09:12:10 UTC | 249 | OUT | |
2024-07-25 09:12:10 UTC | 1064 | OUT | |
2024-07-25 09:12:10 UTC | 74 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
12 | 192.168.2.12 | 49725 | 40.115.3.253 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:12:10 UTC | 14 | IN | |
2024-07-25 09:12:10 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
13 | 192.168.2.12 | 49727 | 40.115.3.253 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:12:37 UTC | 71 | OUT | |
2024-07-25 09:12:37 UTC | 249 | OUT | |
2024-07-25 09:12:37 UTC | 1064 | OUT | |
2024-07-25 09:12:37 UTC | 74 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
14 | 192.168.2.12 | 49727 | 40.115.3.253 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:12:38 UTC | 14 | IN | |
2024-07-25 09:12:38 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
15 | 192.168.2.12 | 49730 | 40.115.3.253 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:13:07 UTC | 71 | OUT | |
2024-07-25 09:13:07 UTC | 249 | OUT | |
2024-07-25 09:13:07 UTC | 1064 | OUT | |
2024-07-25 09:13:07 UTC | 74 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
16 | 192.168.2.12 | 49730 | 40.115.3.253 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:13:07 UTC | 14 | IN | |
2024-07-25 09:13:07 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
17 | 192.168.2.12 | 49734 | 40.115.3.253 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:13:39 UTC | 70 | OUT | |
2024-07-25 09:13:39 UTC | 249 | OUT | |
2024-07-25 09:13:39 UTC | 1063 | OUT | |
2024-07-25 09:13:39 UTC | 73 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
18 | 192.168.2.12 | 49734 | 40.115.3.253 | 443 | 7132 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:13:39 UTC | 14 | IN | |
2024-07-25 09:13:39 UTC | 58 | IN |
Target ID: | 0 |
Start time: | 05:10:46 |
Start date: | 25/07/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x460000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 1 |
Start time: | 05:10:46 |
Start date: | 25/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff704000000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 3 |
Start time: | 05:10:46 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1f0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 05:10:46 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 05:10:46 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 05:10:49 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 05:10:52 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd20000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 13 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 14 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 15 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 16 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 17 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 18 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 19 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 20 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 21 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 22 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 23 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 24 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 25 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 26 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 27 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 28 |
Start time: | 05:10:57 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 29 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 30 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | false |
Target ID: | 31 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 32 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 33 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 34 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 35 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 36 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 37 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 38 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 39 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 40 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 41 |
Start time: | 05:10:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 15.2% |
Total number of Nodes: | 46 |
Total number of Limit Nodes: | 1 |
Function 6CCA1000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44 (tags: sleep, COMMON)
Function 6CCA1880 Relevance: 0.0, Instructions: 25 (tags: COMMON)
Function 6CCA36C0 Relevance: 1.3, APIs: 1, Instructions: 32 (tags: memory, COMMON)
Function 6CCA23F0 Relevance: 1.3, APIs: 1, Instructions: 28 (tags: string, COMMON)
Function 6CCA28E0 Relevance: 1.3, Strings: 1, Instructions: 62 (tags: COMMON)
Function 6CCA2C90 Relevance: 0.3, Instructions: 345 (tags: COMMON, LIBRARYCODE)
Function 6CCAE2F0 Relevance: 0.2, Instructions: 245 (tags: COMMON)
Function 6CCAE040 Relevance: 0.2, Instructions: 213 (tags: COMMON)
Function 6CCAE308 Relevance: 0.1, Instructions: 133 (tags: COMMON)
Function 6CCAE32D Relevance: 0.1, Instructions: 127 (tags: COMMON)
Function 6CCA6B50 Relevance: 0.0, Instructions: 44 (tags: COMMON)
Function 6CCA6690 Relevance: 0.0, Instructions: 32 (tags: COMMON)
Function 6CCA91E0 Relevance: 0.0, Instructions: 15 (tags: COMMON)
Function 6CCA2680 Relevance: 7.6, APIs: 5, Instructions: 63 (tags: file, COMMON)
Function 6CCBE650 Relevance: 6.1, APIs: 4, Instructions: 74 (tags: COMMON)
Execution Graph
Execution Coverage: | 8.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 1.3% |
Total number of Nodes: | 1170 |
Total number of Limit Nodes: | 113 |
Function 6CCA1000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44 (tags: sleep, COMMON)
Function 6CCB6580 Relevance: 1.5, APIs: 1, Instructions: 36 (tags: COMMON)
Function 6CCC2DE0 Relevance: 1.5, APIs: 1, Instructions: 32 (tags: network, COMMON)
Function 6CCC2B70 Relevance: 1.5, APIs: 1, Instructions: 30 (tags: network, COMMON)
Function 6CCB3D10 Relevance: 1.5, APIs: 1, Instructions: 48 (tags: COMMON)
Function 6CCC6E00 Relevance: 1.5, APIs: 1, Instructions: 42 (tags: network, COMMON)
Function 6CCC50B0 Relevance: 1.5, APIs: 1, Instructions: 40 (tags: network, COMMON)
Function 6CCC6FE0 Relevance: 1.5, APIs: 1, Instructions: 38 (tags: network, COMMON)
Function 6CCC6F60 Relevance: 1.5, APIs: 1, Instructions: 38 (tags: network, COMMON)
Function 6CCC1CA0 Relevance: 1.5, APIs: 1, Instructions: 36 (tags: network, COMMON)
Function 6CCAF810 Relevance: 1.5, APIs: 1, Instructions: 36 (tags: thread, COMMON)
Function 6CCB6730 Relevance: 1.5, APIs: 1, Instructions: 34 (tags: COMMON)
Function 6CCC1AF0 Relevance: 1.5, APIs: 1, Instructions: 34 (tags: network, COMMON)
Function 6CCC2BE0 Relevance: 1.5, APIs: 1, Instructions: 34 (tags: COMMON)
Function 6CCB3E70 Relevance: 1.5, APIs: 1, Instructions: 32 (tags: time, COMMON)
Function 6CCC6D90 Relevance: 1.5, APIs: 1, Instructions: 30 (tags: network, COMMON)
Function 6CCB6510 Relevance: 1.5, APIs: 1, Instructions: 30 (tags: COMMON)
Function 6CCC2D10 Relevance: 1.5, APIs: 1, Instructions: 30 (tags: COMMON)
Function 6CCC6E80 Relevance: 1.5, APIs: 1, Instructions: 30 (tags: COMMON)
Function 6CCA27C0 Relevance: 1.5, APIs: 1, Instructions: 30 (tags: memory, COMMON)
Function 6CCA2830 Relevance: 1.5, APIs: 1, Instructions: 30 (tags: memory, COMMON, LIBRARYCODE)
Function 6CCC2B00 Relevance: 1.5, APIs: 1, Instructions: 30 (tags: network, COMMON)
Function 6CCC6CD0 Relevance: 1.5, APIs: 1, Instructions: 28 (tags: network, COMMON)
Function 6CCC2C50 Relevance: 1.5, APIs: 1, Instructions: 28 (tags: COMMON)
Function 6CCC4F90 Relevance: 1.5, APIs: 1, Instructions: 28 (tags: thread, COMMON)
Function 6CCC2CB0 Relevance: 1.5, APIs: 1, Instructions: 26 (tags: COMMON)
Function 6CCC1C40 Relevance: 1.5, APIs: 1, Instructions: 26 (tags: network, COMMON)
Function 6CCBD910 Relevance: 1.5, APIs: 1, Instructions: 26 (tags: network, COMMON)
Function 6CCA36C0 Relevance: 1.3, APIs: 1, Instructions: 32 (tags: memory, COMMON)
Function 6CCA23F0 Relevance: 1.3, APIs: 1, Instructions: 28 (tags: string, COMMON)
Function 6CCA2210 Relevance: 1.3, APIs: 1, Instructions: 26 (tags: sleep, COMMON)
Function 6CCA2680 Relevance: 7.6, APIs: 5, Instructions: 63 (tags: file, COMMON)
Function 6CCBE650 Relevance: 6.1, APIs: 4, Instructions: 74 (tags: COMMON)