Edit tour

Windows Analysis Report
Payload 94.75.225.exe

Overview

General Information

Sample name:	Payload 94.75.225.exe
Analysis ID:	1547867
MD5:	c1cd02403f4ca49c8547b397dad11a21
SHA1:	cee43976d68fb7f56af41e1bcfb42227a6e6e225
SHA256:	69e7acf427dbfc86650bd4dad8c97c399a5c921cb1b8cca5dfc7b4a53d849ca0
Tags:	94-75-225-81exeuser-JAMESWT_MHT
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Installs new ROOT certificates

Connects to several IPs in different countries

Detected TCP or UDP traffic on non-standard ports

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Sigma detected: Suspicious Outbound SMTP Connections

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

Payload 94.75.225.exe (PID: 6708 cmdline: "C:\Users\user\Desktop\Payload 94.75.225.exe" MD5: C1CD02403F4CA49C8547B397DAD11A21)

conhost.exe (PID: 2616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.230.231.85, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Users\user\Desktop\Payload 94.75.225.exe, Initiated: true, ProcessId: 6708, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49805

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.7% probability

Source: Payload 94.75.225.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: unknown

Network traffic detected: IP country count 23

Source: global traffic	TCP traffic: 192.168.2.6:49710 -> 185.40.4.95:10443
Source: global traffic	TCP traffic: 192.168.2.6:49713 -> 2.204.219.86:9001
Source: global traffic	TCP traffic: 192.168.2.6:49714 -> 185.241.208.71:9000
Source: global traffic	TCP traffic: 192.168.2.6:49716 -> 107.173.148.133:9001
Source: global traffic	TCP traffic: 192.168.2.6:49718 -> 95.99.30.188:9001
Source: global traffic	TCP traffic: 192.168.2.6:49719 -> 51.195.119.159:30443
Source: global traffic	TCP traffic: 192.168.2.6:49721 -> 45.141.215.95:8430
Source: global traffic	TCP traffic: 192.168.2.6:49723 -> 207.127.91.1:9021
Source: global traffic	TCP traffic: 192.168.2.6:49724 -> 185.227.82.15:15259
Source: global traffic	TCP traffic: 192.168.2.6:49726 -> 109.70.100.71:9005
Source: global traffic	TCP traffic: 192.168.2.6:49727 -> 45.11.229.132:9001
Source: global traffic	TCP traffic: 192.168.2.6:49728 -> 138.68.9.184:9001
Source: global traffic	TCP traffic: 192.168.2.6:49730 -> 87.98.243.204:9000
Source: global traffic	TCP traffic: 192.168.2.6:49731 -> 194.164.16.95:9001
Source: global traffic	TCP traffic: 192.168.2.6:49734 -> 209.127.117.90:1004
Source: global traffic	TCP traffic: 192.168.2.6:49737 -> 85.10.205.56:1003
Source: global traffic	TCP traffic: 192.168.2.6:49739 -> 185.220.100.253:9100
Source: global traffic	TCP traffic: 192.168.2.6:49741 -> 193.239.86.133:9001
Source: global traffic	TCP traffic: 192.168.2.6:49743 -> 185.220.101.206:8443
Source: global traffic	TCP traffic: 192.168.2.6:49744 -> 202.61.196.212:9001
Source: global traffic	TCP traffic: 192.168.2.6:49745 -> 80.92.204.251:9001
Source: global traffic	TCP traffic: 192.168.2.6:49746 -> 152.53.111.174:9088
Source: global traffic	TCP traffic: 192.168.2.6:49749 -> 88.80.26.2:9001
Source: global traffic	TCP traffic: 192.168.2.6:49750 -> 37.114.57.182:9001
Source: global traffic	TCP traffic: 192.168.2.6:49751 -> 57.129.44.38:9300
Source: global traffic	TCP traffic: 192.168.2.6:49752 -> 94.131.171.105:32616
Source: global traffic	TCP traffic: 192.168.2.6:49754 -> 84.247.178.134:9002
Source: global traffic	TCP traffic: 192.168.2.6:49755 -> 31.220.72.103:61040
Source: global traffic	TCP traffic: 192.168.2.6:49756 -> 178.142.134.20:9001
Source: global traffic	TCP traffic: 192.168.2.6:49757 -> 82.64.150.101:9001
Source: global traffic	TCP traffic: 192.168.2.6:49759 -> 185.220.101.30:9002
Source: global traffic	TCP traffic: 192.168.2.6:49748 -> 107.189.12.88:9001
Source: global traffic	TCP traffic: 192.168.2.6:49760 -> 75.119.135.230:9001
Source: global traffic	TCP traffic: 192.168.2.6:49761 -> 209.127.245.250:9000
Source: global traffic	TCP traffic: 192.168.2.6:49762 -> 103.252.90.217:9200
Source: global traffic	TCP traffic: 192.168.2.6:49758 -> 68.8.241.30:9001
Source: global traffic	TCP traffic: 192.168.2.6:49765 -> 188.165.194.209:9001
Source: global traffic	TCP traffic: 192.168.2.6:49767 -> 185.220.101.21:9001
Source: global traffic	TCP traffic: 192.168.2.6:49769 -> 45.141.215.61:8430
Source: global traffic	TCP traffic: 192.168.2.6:49770 -> 23.184.48.13:9001
Source: global traffic	TCP traffic: 192.168.2.6:49771 -> 23.163.200.46:9000
Source: global traffic	TCP traffic: 192.168.2.6:49773 -> 68.134.176.234:44433
Source: global traffic	TCP traffic: 192.168.2.6:49774 -> 45.89.54.11:9001
Source: global traffic	TCP traffic: 192.168.2.6:49777 -> 136.35.138.88:444
Source: global traffic	TCP traffic: 192.168.2.6:49779 -> 94.26.73.162:9201
Source: global traffic	TCP traffic: 192.168.2.6:49781 -> 15.204.143.192:8443
Source: global traffic	TCP traffic: 192.168.2.6:49782 -> 82.65.150.138:20901
Source: global traffic	TCP traffic: 192.168.2.6:49784 -> 23.88.72.105:1001
Source: global traffic	TCP traffic: 192.168.2.6:49786 -> 185.220.101.48:10048
Source: global traffic	TCP traffic: 192.168.2.6:49787 -> 65.21.98.72:11118
Source: global traffic	TCP traffic: 192.168.2.6:49788 -> 185.220.101.50:10050
Source: global traffic	TCP traffic: 192.168.2.6:49789 -> 194.88.105.30:9001
Source: global traffic	TCP traffic: 192.168.2.6:49790 -> 51.68.155.147:444
Source: global traffic	TCP traffic: 192.168.2.6:49793 -> 161.97.132.254:9001
Source: global traffic	TCP traffic: 192.168.2.6:49794 -> 71.163.253.207:9001
Source: global traffic	TCP traffic: 192.168.2.6:49795 -> 162.247.74.31:9091
Source: global traffic	TCP traffic: 192.168.2.6:49797 -> 5.39.185.164:9001
Source: global traffic	TCP traffic: 192.168.2.6:49798 -> 185.220.101.35:10035
Source: global traffic	TCP traffic: 192.168.2.6:49799 -> 190.211.254.192:9001
Source: global traffic	TCP traffic: 192.168.2.6:49796 -> 70.39.91.101:1080
Source: global traffic	TCP traffic: 192.168.2.6:49803 -> 45.148.17.56:9001
Source: global traffic	TCP traffic: 192.168.2.6:49806 -> 45.141.215.4:143
Source: global traffic	TCP traffic: 192.168.2.6:49809 -> 81.201.202.101:9001
Source: global traffic	TCP traffic: 192.168.2.6:49807 -> 95.148.2.122:9001
Source: global traffic	TCP traffic: 192.168.2.6:49810 -> 209.141.47.207:9001
Source: global traffic	TCP traffic: 192.168.2.6:49811 -> 84.247.160.4:9001
Source: global traffic	TCP traffic: 192.168.2.6:49813 -> 178.63.41.183:8000

Source: Joe Sandbox View

IP Address: 185.220.101.206 185.220.101.206

Source: unknown	TCP traffic detected without corresponding DNS query: 185.40.4.95
Source: unknown	TCP traffic detected without corresponding DNS query: 185.107.57.64
Source: unknown	TCP traffic detected without corresponding DNS query: 185.107.57.64
Source: unknown	TCP traffic detected without corresponding DNS query: 185.220.101.201
Source: unknown	TCP traffic detected without corresponding DNS query: 185.220.101.201
Source: unknown	TCP traffic detected without corresponding DNS query: 2.204.219.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.220.101.204
Source: unknown	TCP traffic detected without corresponding DNS query: 185.220.101.204
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.148.133
Source: unknown	TCP traffic detected without corresponding DNS query: 192.42.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 95.99.30.188
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.119.159
Source: unknown	TCP traffic detected without corresponding DNS query: 95.111.230.178
Source: unknown	TCP traffic detected without corresponding DNS query: 95.111.230.178
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.215.95
Source: unknown	TCP traffic detected without corresponding DNS query: 67.219.107.200
Source: unknown	TCP traffic detected without corresponding DNS query: 67.219.107.200
Source: unknown	TCP traffic detected without corresponding DNS query: 207.127.91.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.82.15
Source: unknown	TCP traffic detected without corresponding DNS query: 109.70.100.3
Source: unknown	TCP traffic detected without corresponding DNS query: 109.70.100.3
Source: unknown	TCP traffic detected without corresponding DNS query: 185.40.4.95
Source: unknown	TCP traffic detected without corresponding DNS query: 2.204.219.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.71
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.148.133
Source: unknown	TCP traffic detected without corresponding DNS query: 192.42.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 95.99.30.188
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.119.159
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.215.95
Source: unknown	TCP traffic detected without corresponding DNS query: 207.127.91.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.82.15
Source: unknown	TCP traffic detected without corresponding DNS query: 109.70.100.71
Source: unknown	TCP traffic detected without corresponding DNS query: 45.11.229.132
Source: unknown	TCP traffic detected without corresponding DNS query: 138.68.9.184
Source: unknown	TCP traffic detected without corresponding DNS query: 153.120.42.137
Source: unknown	TCP traffic detected without corresponding DNS query: 87.98.243.204
Source: unknown	TCP traffic detected without corresponding DNS query: 194.164.16.95
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 192.42.116.189
Source: unknown	TCP traffic detected without corresponding DNS query: 209.127.117.90
Source: unknown	TCP traffic detected without corresponding DNS query: 20.224.145.181
Source: unknown	TCP traffic detected without corresponding DNS query: 20.224.145.181
Source: unknown	TCP traffic detected without corresponding DNS query: 57.128.180.74
Source: unknown	TCP traffic detected without corresponding DNS query: 57.128.180.74
Source: unknown	TCP traffic detected without corresponding DNS query: 85.90.207.39
Source: unknown	TCP traffic detected without corresponding DNS query: 85.90.207.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.220.100.253
Source: unknown	TCP traffic detected without corresponding DNS query: 51.81.56.136

Source: global traffic

HTTP traffic detected: GET /details?type=relay&running=true&fields=fingerprint,or_addresses HTTP/1.1Host: onionoo.torproject.orgUser-Agent: tor-relay-scannerAccept-Encoding: gzip

Source: global traffic

DNS traffic detected: DNS query: onionoo.torproject.org

Source: Payload 94.75.225.exe	String found in binary or memory: https://github.com/ValdikSS/tor-onionoo-mirror/raw/master/details-running-relays-fingerprint-address
Source: Payload 94.75.225.exe	String found in binary or memory: https://icors.vercel.app/?flag
Source: Payload 94.75.225.exe, 00000000.00000002.2126488008.000000C000192000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://icors.vercel.app/?https%3A%2F%2Fonionoo.torproject.org%2Fdetails%3Ftype%3Drelay%26running%3D
Source: Payload 94.75.225.exe	String found in binary or memory: https://onionoo.torproject.org/details?type=relay&running=true&fields=fingerprint

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: classification engine

Classification label: mal48.winEXE@2/0@1/100

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_03

Source: C:\Users\user\Desktop\Payload 94.75.225.exe

File opened: C:\Windows\system32\bdad9b525372a60bb98dde1d5ec1eba66f5b4cfe6a7f91bf3e8e1dea2ba2e292AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: Payload 94.75.225.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payload 94.75.225.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payload 94.75.225.exe	String found in binary or memory: b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5fhttp: RoundTripper implementation (%T) returned a *Response with content length %d but a nil BodyNoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCertcipher: the nonce can't have zero length, or the security of the key will be immediately compromisedcgocheck > 1 mode is no longer supported at runtime. Use GOEXPERIMENT=cgocheck2 at build time instead.asn1: time did not serialize back to the original value and may be invalid: given %q, but serialized as %qhttps://github.com/ValdikSS/tor-onionoo-mirror/raw/master/details-running-relays-fingerprint-address-only.jsonhttps://bitbucket.org/ValdikSS/tor-onionoo-mirror/raw/master/details-running-relays-fingerprint-address-only.jsonhttp2: Transport: cannot retry err [%v] after Request.Body was written; define Request.GetBody to avoid this error39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319394020061963944792122790401001436138050797392704654466679469052796276593991132635693989563081522949135544336539426430051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f0000c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd166506864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151686479766013060971498190079908139321726943530014330540939446345918554318339765539424505774633321719753296399637136332111386476861244038034037280889270700544900010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
Source: Payload 94.75.225.exe	String found in binary or memory: /home/runner/go/pkg/mod/github.com/xo/terminfo@v0.0.0-20210125001918-ca9a967f8778/load.go
Source: Payload 94.75.225.exe	String found in binary or memory: /opt/hostedtoolcache/go/1.21.5/x64/src/net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\Payload 94.75.225.exe "C:\Users\user\Desktop\Payload 94.75.225.exe"
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Section loaded: gpapi.dll	Jump to behavior

Source: Payload 94.75.225.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Payload 94.75.225.exe

Static file information: File size 6365184 > 1048576

Source: Payload 94.75.225.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b6400
Source: Payload 94.75.225.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2d9200

Source: Payload 94.75.225.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Payload 94.75.225.exe	Static PE information: section name: .xdata
Source: Payload 94.75.225.exe	Static PE information: section name: .symtab

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Users\user\Desktop\Payload 94.75.225.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Users\user\Desktop\Payload 94.75.225.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\Desktop\Payload 94.75.225.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\Payload 94.75.225.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: Payload 94.75.225.exe, 00000000.00000002.2128233497.0000015522E7C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV

Source: C:\Users\user\Desktop\Payload 94.75.225.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Install Root Certificate	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payload 94.75.225.exe	0%	ReversingLabs
Payload 94.75.225.exe	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
onionoo.torproject.org	0%	Virustotal		Browse
s-part-0017.t-0009.t-msedge.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Link
https://github.com/ValdikSS/tor-onionoo-mirror/raw/master/details-running-relays-fingerprint-address	0%	Virustotal	Browse
https://icors.vercel.app/?flag	0%	Virustotal	Browse
https://onionoo.torproject.org/details?type=relay&running=true&fields=fingerprint	0%	Virustotal	Browse
https://onionoo.torproject.org/details?type=relay&running=true&fields=fingerprint,or_addresses	0%	Virustotal	Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onionoo.torproject.org	204.8.99.156	true	false	0%, Virustotal, Browse	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onionoo.torproject.org/details?type=relay&running=true&fields=fingerprint,or_addresses	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://onionoo.torproject.org/details?type=relay&running=true&fields=fingerprint	Payload 94.75.225.exe	false	0%, Virustotal, Browse	unknown
https://github.com/ValdikSS/tor-onionoo-mirror/raw/master/details-running-relays-fingerprint-address	Payload 94.75.225.exe	false	0%, Virustotal, Browse	unknown
https://icors.vercel.app/?https%3A%2F%2Fonionoo.torproject.org%2Fdetails%3Ftype%3Drelay%26running%3D	Payload 94.75.225.exe, 00000000.00000002.2126488008.000000C000192000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://icors.vercel.app/?flag	Payload 94.75.225.exe	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
137.220.37.214	unknown	United States	20473	AS-CHOOPAUS	false
107.173.148.133	unknown	United States	36352	AS-COLOCROSSINGUS	false
209.127.117.90	unknown	Canada	55286	SERVER-MANIACA	false
137.74.5.135	unknown	France	16276	OVHFR	false
45.11.229.132	unknown	Germany	397525	ALPHAONE-ASUS	false
192.42.116.179	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
85.10.205.56	unknown	Germany	24940	HETZNER-ASDE	false
185.227.82.15	unknown	Netherlands	208258	ACCESS2ITNL	false
23.184.48.13	unknown	Reserved	394656	CPA-AS1US	false
23.88.72.105	unknown	United States	18978	ENZUINC-US	false
84.247.160.4	unknown	Norway	29300	AS-DIRECTCONNECTNO	false
83.11.190.165	unknown	Poland	5617	TPNETPL	false
185.220.101.48	unknown	Germany	208294	ASMKNL	false
207.127.91.1	unknown	United States	14135	NAVISITE-EAST-2US	false
68.8.241.30	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
185.220.101.206	unknown	Germany	208294	ASMKNL	false
209.127.245.250	unknown	Canada	27163	INTERACTIVE-BROKERS-CORPUS	false
185.220.101.204	unknown	Germany	208294	ASMKNL	false
202.61.196.212	unknown	Australia	4842	TH-AS-APTianhaiInfoTechCN	false
185.220.101.201	unknown	Germany	208294	ASMKNL	false
95.211.205.138	unknown	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	false
23.154.177.2	unknown	Reserved	397270	NETINF-PRIMARY-ASUS	false
68.134.176.234	unknown	United States	701	UUNETUS	false
81.201.202.101	unknown	Switzerland	25353	BAR-ASGliserallee16CH	false
2.204.219.86	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
88.80.26.2	unknown	Sweden	33837	PRQ-AS________________________SE	false
178.142.134.20	unknown	Germany	9145	EWETELCloppenburgerStrasse310DE	false
185.220.101.30	unknown	Germany	208294	ASMKNL	false
185.220.101.35	unknown	Germany	208294	ASMKNL	false
20.224.145.181	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.220.100.253	unknown	Germany	205100	F3NETZEDE	false
45.141.215.95	unknown	Netherlands	62068	SPECTRAIPSpectraIPBVNL	false
95.111.230.178	unknown	Ukraine	51167	CONTABODE	false
95.216.33.58	unknown	Germany	24940	HETZNER-ASDE	false
5.39.185.164	unknown	Netherlands	58291	COLOCENTERNL	false
51.68.155.147	unknown	France	16276	OVHFR	false
5.161.247.161	unknown	Germany	24940	HETZNER-ASDE	false
188.165.194.209	unknown	France	16276	OVHFR	false
75.119.135.230	unknown	United States	13645	BROADBANDONEUS	false
57.128.180.74	unknown	Belgium	2686	ATGS-MMD-ASUS	false
94.26.73.162	unknown	United States	40244	TURNKEY-INTERNETUS	false
82.64.150.101	unknown	France	12322	PROXADFR	false
103.252.90.217	unknown	Germany	59592	BACKBONE-ASDE	false
84.247.178.134	unknown	Norway	29300	AS-DIRECTCONNECTNO	false
190.211.254.192	unknown	Panama	51852	PLI-ASCH	false
65.21.98.72	unknown	United States	199592	CP-ASDE	false
185.183.194.90	unknown	Switzerland	13030	INIT7CH	false
178.79.154.219	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	false
162.247.74.202	unknown	United States	4224	CALYX-ASUS	false
15.204.143.192	unknown	United States	71	HP-INTERNET-ASUS	false
162.247.74.200	unknown	United States	4224	CALYX-ASUS	false
185.220.101.50	unknown	Germany	208294	ASMKNL	false
46.38.233.211	unknown	Germany	197540	NETCUP-ASnetcupGmbHDE	false
95.99.30.188	unknown	Netherlands	31615	TMO-NL-ASNL	false
136.35.138.88	unknown	United States	16591	GOOGLE-FIBERUS	false
71.163.253.207	unknown	United States	701	UUNETUS	false
85.90.207.39	unknown	Ukraine	34248	VELTON-TC-ASKharkovUkraineUA	false
185.40.4.95	unknown	Russian Federation	50113	SUPERSERVERSDATACENTERRU	false
129.151.198.94	unknown	United States	4192	STORTEK-INTUS	false
193.239.86.133	unknown	Romania	35215	MERITAPL	false
198.24.164.98	unknown	United States	19437	SS-ASHUS	false
162.247.74.31	unknown	United States	4224	CALYX-ASUS	false
23.163.200.46	unknown	Reserved	62969	ABCCOMMCA	false
45.89.54.11	unknown	Russian Federation	44676	VMAGE-ASRU	false
178.63.41.183	unknown	Germany	24940	HETZNER-ASDE	false
204.8.99.156	onionoo.torproject.org	United States	22581	ACE-STXVI	false
109.70.100.71	unknown	Austria	208323	APPLIEDPRIVACY-ASAT	false
45.148.17.56	unknown	Sweden	197595	OBE-EUROPEObenetworkEuropeSE	false
194.88.105.30	unknown	Netherlands	49981	WORLDSTREAMNL	false
51.195.119.159	unknown	France	16276	OVHFR	false
31.220.72.103	unknown	Spain	16372	OWSES	false
152.53.111.174	unknown	United States	81	NCRENUS	false
70.39.91.101	unknown	United States	46844	ST-BGPUS	false
152.67.112.12	unknown	United States	31898	ORACLE-BMC-31898US	false
138.68.9.184	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
67.219.107.200	unknown	United States	19529	RAZOR-PHLUS	false
37.114.57.182	unknown	Germany	12586	ASGHOSTNETDE	false
45.138.16.107	unknown	Netherlands	62068	SPECTRAIPSpectraIPBVNL	false
209.141.47.207	unknown	United States	53667	PONYNETUS	false
45.141.215.4	unknown	Netherlands	62068	SPECTRAIPSpectraIPBVNL	false
87.98.243.204	unknown	France	16276	OVHFR	false
172.114.8.83	unknown	United States	20001	TWC-20001-PACWESTUS	false
161.97.132.254	unknown	United States	51167	CONTABODE	false
109.70.100.3	unknown	Austria	208323	APPLIEDPRIVACY-ASAT	false
185.129.61.3	unknown	Denmark	57860	ZENCURITY-NETDK	false
95.148.2.122	unknown	United Kingdom	12576	EELtdGB	false
192.42.116.195	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
168.181.185.147	unknown	Argentina	27823	DattateccomAR	false
204.8.96.112	unknown	United States	22581	ACE-STXVI	false
185.107.57.64	unknown	Netherlands	43350	NFORCENL	false
194.164.16.95	unknown	United Kingdom	8897	KCOM-SPNService-ProviderNetworkex-MistralGB	false
185.220.101.21	unknown	Germany	208294	ASMKNL	false
50.230.231.85	unknown	United States	7922	COMCAST-7922US	false
107.189.12.88	unknown	United States	53667	PONYNETUS	false
51.81.56.136	unknown	United States	16276	OVHFR	false
153.120.42.137	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	false
80.92.204.251	unknown	Russian Federation	21240	HELIOSNET-ASRU	false
45.141.215.61	unknown	Netherlands	62068	SPECTRAIPSpectraIPBVNL	false
192.42.116.189	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
185.241.208.71	unknown	Moldova Republic of	26636	GBTCLOUDUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547867
Start date and time:	2024-11-03 09:34:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payload 94.75.225.exe
Detection:	MAL
Classification:	mal48.winEXE@2/0@1/100
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Execution Graph export aborted for target Payload 94.75.225.exe, PID 6708 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.220.101.206	Mcb5K3TOWT.exe	Get hash	malicious	Unknown	Browse
	KWwpSm0Cec.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse
	IIBXMzS0zN.exe	Get hash	malicious	Glupteba, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse
	aif31Spjyi.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse
	82YWwkVfIS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	g5oo6DQ4pd.exe	Get hash	malicious	Unknown	Browse
	puzykxm8rg.exe	Get hash	malicious	Amadey, RedLine, SmokeLoader	Browse
23.154.177.2	fK5LTFDKXC.exe	Get hash	malicious	Kronos	Browse	23.154.177.2/tor/server/fp/856fff1a581da7b4db81f2bf21ef2c82b2c97841
185.220.101.204	906o5yr1NE.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse
	Zxf5vHRSrw.exe	Get hash	malicious	BazaLoader	Browse
	KJN55hQKh2.exe	Get hash	malicious	Phorpiex Xmrig	Browse
185.220.101.201	A2G6pO40qG.exe	Get hash	malicious	CMSBrute	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
	https://alerts.redeem.myrewardsaccess.com/H/2/v600000192eeba5095b7d0656e96c660f0/a6ca8bf7-2895-4560-b8c8-c42904590ea4/HTML	Get hash	malicious	Unknown	Browse	13.107.246.45
	CDT.ps1	Get hash	malicious	AsyncRAT	Browse	13.107.246.45
	VsXpA6fSbk.js	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.45
	SecuriteInfo.com.Win64.CrypterX-gen.2448.5331.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	13.107.246.45
	https://studla.b-cdn.net/mine/carted/delta/chaloos.zip	Get hash	malicious	LummaC	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	New_Order_#070824_Order_November-2024-pdf.exe	Get hash	malicious	Remcos	Browse	198.46.178.148
	Warm_UP.rtf	Get hash	malicious	Unknown	Browse	107.172.130.147
	greatthingswithmegoods.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	198.46.178.151
	seethebestthingswithgreatthingshrewithme.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	107.175.130.36
	creatednewthingsformee.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	198.46.178.151
	A & C Metrology OC 545714677889Materiale.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	107.175.130.20
	http://xn--gba7iaacaabba0ab51nca04ecacdad9203oearjjb191bfa.mkto-sj030022.com	Get hash	malicious	Unknown	Browse	192.3.96.254
	greatthingswithmegood.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	198.46.178.151
	Orden de Compra.xlam.xlsx	Get hash	malicious	Unknown	Browse	192.3.220.20
	PO.2407010.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.46.178.151
OVHFR	4GPlus.bat	Get hash	malicious	Unknown	Browse	51.195.251.11
	Reservation Detail Booking.com ID4336.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	94.23.17.185
	aba.bat	Get hash	malicious	Unknown	Browse	51.195.251.11
	park.bat	Get hash	malicious	Unknown	Browse	51.195.251.11
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.210.150.92
	nuklear.arm.elf	Get hash	malicious	Mirai	Browse	198.27.68.52
	debug.dbg.elf	Get hash	malicious	Gafgyt, Mirai	Browse	178.32.95.205
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.195.138.197
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.195.43.17
	D4FX3QYunY.exe	Get hash	malicious	DarkVision Rat	Browse	144.217.96.196
AS-CHOOPAUS	sh4.elf	Get hash	malicious	Mirai	Browse	45.63.53.226
	Setup.exe	Get hash	malicious	Unknown	Browse	207.246.91.177
	Setup.exe	Get hash	malicious	Unknown	Browse	207.246.91.177
	https://pcapp.store/pixel.gif	Get hash	malicious	Unknown	Browse	45.32.1.23
	createbestthingswithmegoodthingswithgoodthings.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	66.42.65.6
	Setup.exe	Get hash	malicious	Unknown	Browse	45.32.1.23
	Setup.exe	Get hash	malicious	Unknown	Browse	207.246.91.177
	wZU2edEGL3.elf	Get hash	malicious	Unknown	Browse	204.80.129.14
	belks.spc.elf	Get hash	malicious	Mirai	Browse	95.179.203.61
	jew.arm.elf	Get hash	malicious	Unknown	Browse	66.42.126.74
SERVER-MANIACA	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	104.227.93.164
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	107.152.158.164
	i586.elf	Get hash	malicious	Mirai	Browse	104.144.70.38
	na.elf	Get hash	malicious	Mirai	Browse	104.144.232.206
	na.elf	Get hash	malicious	Unknown	Browse	23.229.36.224
	na.elf	Get hash	malicious	Mirai	Browse	23.250.5.197
	jade.spc.elf	Get hash	malicious	Mirai	Browse	23.229.36.239
	http://ugwebstore.com	Get hash	malicious	Unknown	Browse	192.157.56.142
	sh4.elf	Get hash	malicious	Unknown	Browse	104.144.21.94
	pUBl5tg90v.exe	Get hash	malicious	AgentTesla	Browse	209.127.20.21

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.182038544986381
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payload 94.75.225.exe
File size:	6'365'184 bytes
MD5:	c1cd02403f4ca49c8547b397dad11a21
SHA1:	cee43976d68fb7f56af41e1bcfb42227a6e6e225
SHA256:	69e7acf427dbfc86650bd4dad8c97c399a5c921cb1b8cca5dfc7b4a53d849ca0
SHA512:	b457d625e7929786ed8f6ce8e416085cf095ac73fbdbfef676d907916ca6ad50c7be3efc35241f4477cabe6766ebfcae607f74cc09fb7f3271c2b60ff0c4f302
SSDEEP:	49152:k0qABj4dbqWdAfj3HW3PlTx50y4ND8pe8wf29nrQm80XSGYja5ErDMATCqgQdWGT:u0pmNjpe1snEbUiWWXZ
TLSH:	66563947FCA441E4C4ADA6318A769262BB717C484B3123D33B50F7382F76BD0AA7A754
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........a......."......d+..4...... .........@..............................@g...........`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x468420
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	4f2f006e2ecf7172ad368f8289dc96c1

Entrypoint Preview

Instruction
jmp 00007F4F410DA3E0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [005E2AEEh]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F4F410DDCE5h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F4F410C04DFh
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x664000	0x516	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x652000	0x10848	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x665000	0xdbac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x592840	0x170	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b63b4	0x2b6400	3c953c828b96e37f66cdfd3cc865b389	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b8000	0x2d9058	0x2d9200	17ca041790a3a9447eb79a4913782771	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x592000	0xbf9b0	0x63400	d8299e45d12855dd17c8457696fb9fca	False	0.3247549984256927	data	4.210385800855117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x652000	0x10848	0x10a00	06e4bbd359bd569b71948ff987c618f8	False	0.39812911184210525	data	5.472628714520099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x663000	0xa8	0x200	2a5152ffc3a52ca1d276acd572c41b9a	False	0.19921875	shared library	1.6345075234569126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x664000	0x516	0x600	ed2f474267862dceaeb8cdc37e7887fc	False	0.3639322916666667	data	3.8700139346555313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x665000	0xdbac	0xdc00	62f9a2ba71eb294bd994ea6410e003d5	False	0.24170809659090908	data	5.443640473880409	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x673000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 09:35:02.735732079 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:02.735760927 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:02.735826969 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:02.736196995 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:02.736208916 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.570758104 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.575566053 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.575581074 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.575829983 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.575834990 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.577295065 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.577368021 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.650505066 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.650610924 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.650609970 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.695334911 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.698158979 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.698167086 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.746592999 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.895766973 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.895816088 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.895824909 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.895848989 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.895870924 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.895872116 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.895879030 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.895910025 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.895926952 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.895956993 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.987236023 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.987250090 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.987279892 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.987330914 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.987339020 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:03.987370968 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:03.987389088 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.043764114 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.043787956 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.043898106 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.043908119 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.043977976 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.133114100 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.133136988 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.133188009 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.133197069 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.133248091 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.134900093 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.134915113 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.134973049 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.134979963 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.135020018 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.136727095 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.136740923 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.136795998 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.136802912 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.136851072 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.192121029 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.192137957 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.192210913 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.192219019 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.192264080 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.282377005 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.282401085 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.282525063 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.282535076 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.282576084 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.283449888 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.283467054 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.283503056 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.283509970 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.283535957 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.283550024 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.284853935 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.284868956 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.284943104 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.284950018 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.284982920 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.285906076 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.285921097 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.285958052 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.285964966 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.285988092 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.286006927 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.286902905 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.286920071 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.286958933 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.286966085 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.286989927 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.287008047 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.287808895 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.287823915 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.287867069 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.287873983 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.287911892 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.347661972 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.347677946 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.347790003 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.347800970 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.347811937 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.347831011 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.347845078 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.347851038 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.347876072 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.347903967 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.429289103 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.429311037 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.429372072 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.429382086 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.429409027 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.429430962 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.429678917 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.429694891 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.429749966 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.429758072 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.429794073 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.430537939 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.430552959 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.430600882 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.430608034 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.430646896 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.430982113 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.430998087 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.431062937 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.431070089 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.431106091 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.431540966 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.431555986 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.431595087 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.431602001 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.431637049 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.431648970 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.431983948 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.432388067 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.432404041 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.432456970 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.432462931 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.432498932 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.432619095 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.432638884 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.432679892 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.432687044 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.432708025 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.432715893 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.433470964 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.433486938 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.433527946 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.433535099 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.433572054 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.434163094 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.434180021 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.434226990 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.434235096 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.434273005 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.434415102 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.434428930 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.434462070 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.434468031 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.434493065 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.434510946 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.435375929 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.435391903 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.435432911 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.435440063 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.435460091 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.435480118 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.436431885 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.436444998 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.436492920 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.436500072 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.436538935 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.440967083 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.485706091 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.485740900 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.485788107 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.485827923 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.485831976 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.485847950 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.485898972 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.485938072 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.485953093 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.485996008 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.486002922 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.486277103 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.486295938 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.486329079 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.486336946 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.486370087 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.491833925 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.491847992 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.491918087 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.491926908 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.545849085 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.576247931 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576266050 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576320887 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576342106 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.576350927 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576390982 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.576421976 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.576641083 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576659918 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576709032 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.576714993 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576735020 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576752901 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576780081 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.576786995 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.576798916 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.581273079 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581294060 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581347942 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.581356049 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581501961 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581532955 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581558943 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.581566095 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581589937 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.581734896 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581749916 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581794024 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.581800938 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581928968 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581952095 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.581980944 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.581988096 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582015038 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.582287073 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582300901 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582349062 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.582355976 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582387924 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.582423925 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582442999 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582483053 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582489014 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.582494974 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582515001 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582528114 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.582547903 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.582555056 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582577944 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.582602978 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.582691908 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582706928 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582753897 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.582760096 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.582806110 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.583239079 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583256006 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583329916 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.583337069 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583369970 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.583512068 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583527088 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583573103 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.583579063 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583595991 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583630085 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.583632946 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583650112 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583653927 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.583688021 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.583846092 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583859921 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583904028 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.583910942 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.583955050 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584109068 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584135056 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584177017 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584182978 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584213018 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584213018 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584341049 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584355116 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584399939 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584405899 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584446907 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584481955 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584496021 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584531069 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584536076 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584563971 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584570885 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584645987 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584667921 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584717035 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.584726095 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.584763050 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.585140944 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.585155010 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.585200071 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.585206032 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.585241079 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.585278988 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.585293055 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.585331917 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.585336924 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.585347891 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.585366011 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.585376024 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.585381031 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.585407972 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.585433006 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.632863045 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.632879972 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.632937908 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.632966042 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.632971048 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.632991076 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.633004904 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.633044004 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.633052111 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.633069992 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.633090973 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.633127928 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.633253098 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.633265018 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.633291960 CET	49708	443	192.168.2.6	204.8.99.156
Nov 3, 2024 09:35:04.633296967 CET	443	49708	204.8.99.156	192.168.2.6
Nov 3, 2024 09:35:04.767601013 CET	49710	10443	192.168.2.6	185.40.4.95
Nov 3, 2024 09:35:04.767739058 CET	49711	443	192.168.2.6	185.107.57.64
Nov 3, 2024 09:35:04.767772913 CET	443	49711	185.107.57.64	192.168.2.6
Nov 3, 2024 09:35:04.767842054 CET	49711	443	192.168.2.6	185.107.57.64
Nov 3, 2024 09:35:04.767945051 CET	49712	443	192.168.2.6	185.220.101.201
Nov 3, 2024 09:35:04.767961979 CET	443	49712	185.220.101.201	192.168.2.6
Nov 3, 2024 09:35:04.768007994 CET	49712	443	192.168.2.6	185.220.101.201
Nov 3, 2024 09:35:04.768101931 CET	49713	9001	192.168.2.6	2.204.219.86
Nov 3, 2024 09:35:04.768229961 CET	49714	9000	192.168.2.6	185.241.208.71
Nov 3, 2024 09:35:04.768352032 CET	49715	443	192.168.2.6	185.220.101.204
Nov 3, 2024 09:35:04.768392086 CET	443	49715	185.220.101.204	192.168.2.6
Nov 3, 2024 09:35:04.768440008 CET	49715	443	192.168.2.6	185.220.101.204
Nov 3, 2024 09:35:04.768507957 CET	49716	9001	192.168.2.6	107.173.148.133
Nov 3, 2024 09:35:04.768616915 CET	49717	9002	192.168.2.6	192.42.116.179
Nov 3, 2024 09:35:04.768737078 CET	49718	9001	192.168.2.6	95.99.30.188
Nov 3, 2024 09:35:04.768846989 CET	49719	30443	192.168.2.6	51.195.119.159
Nov 3, 2024 09:35:04.768963099 CET	49720	443	192.168.2.6	95.111.230.178
Nov 3, 2024 09:35:04.768970966 CET	443	49720	95.111.230.178	192.168.2.6
Nov 3, 2024 09:35:04.769016027 CET	49720	443	192.168.2.6	95.111.230.178
Nov 3, 2024 09:35:04.769104958 CET	49721	8430	192.168.2.6	45.141.215.95
Nov 3, 2024 09:35:04.769242048 CET	49722	443	192.168.2.6	67.219.107.200
Nov 3, 2024 09:35:04.769270897 CET	443	49722	67.219.107.200	192.168.2.6
Nov 3, 2024 09:35:04.769321918 CET	49722	443	192.168.2.6	67.219.107.200
Nov 3, 2024 09:35:04.769386053 CET	49723	9021	192.168.2.6	207.127.91.1
Nov 3, 2024 09:35:04.769534111 CET	49724	15259	192.168.2.6	185.227.82.15
Nov 3, 2024 09:35:04.769675016 CET	49725	443	192.168.2.6	109.70.100.3
Nov 3, 2024 09:35:04.769701958 CET	443	49725	109.70.100.3	192.168.2.6
Nov 3, 2024 09:35:04.769752026 CET	49725	443	192.168.2.6	109.70.100.3
Nov 3, 2024 09:35:04.772505045 CET	10443	49710	185.40.4.95	192.168.2.6
Nov 3, 2024 09:35:04.772558928 CET	49710	10443	192.168.2.6	185.40.4.95
Nov 3, 2024 09:35:04.772941113 CET	9001	49713	2.204.219.86	192.168.2.6
Nov 3, 2024 09:35:04.772988081 CET	49713	9001	192.168.2.6	2.204.219.86
Nov 3, 2024 09:35:04.773034096 CET	9000	49714	185.241.208.71	192.168.2.6
Nov 3, 2024 09:35:04.773077011 CET	49714	9000	192.168.2.6	185.241.208.71
Nov 3, 2024 09:35:04.773442030 CET	9001	49716	107.173.148.133	192.168.2.6
Nov 3, 2024 09:35:04.773483992 CET	49716	9001	192.168.2.6	107.173.148.133
Nov 3, 2024 09:35:04.773514032 CET	9002	49717	192.42.116.179	192.168.2.6
Nov 3, 2024 09:35:04.773529053 CET	9001	49718	95.99.30.188	192.168.2.6
Nov 3, 2024 09:35:04.773561954 CET	49717	9002	192.168.2.6	192.42.116.179
Nov 3, 2024 09:35:04.773585081 CET	49718	9001	192.168.2.6	95.99.30.188
Nov 3, 2024 09:35:04.773634911 CET	30443	49719	51.195.119.159	192.168.2.6
Nov 3, 2024 09:35:04.773682117 CET	49719	30443	192.168.2.6	51.195.119.159
Nov 3, 2024 09:35:04.773916960 CET	8430	49721	45.141.215.95	192.168.2.6
Nov 3, 2024 09:35:04.773962975 CET	49721	8430	192.168.2.6	45.141.215.95
Nov 3, 2024 09:35:04.774183035 CET	9021	49723	207.127.91.1	192.168.2.6
Nov 3, 2024 09:35:04.774228096 CET	49723	9021	192.168.2.6	207.127.91.1
Nov 3, 2024 09:35:04.774352074 CET	15259	49724	185.227.82.15	192.168.2.6
Nov 3, 2024 09:35:04.774427891 CET	49724	15259	192.168.2.6	185.227.82.15
Nov 3, 2024 09:35:04.774506092 CET	49726	9005	192.168.2.6	109.70.100.71
Nov 3, 2024 09:35:04.776001930 CET	49727	9001	192.168.2.6	45.11.229.132
Nov 3, 2024 09:35:04.776171923 CET	49728	9001	192.168.2.6	138.68.9.184
Nov 3, 2024 09:35:04.776320934 CET	49729	110	192.168.2.6	153.120.42.137
Nov 3, 2024 09:35:04.776437044 CET	49730	9000	192.168.2.6	87.98.243.204
Nov 3, 2024 09:35:04.776571989 CET	49731	9001	192.168.2.6	194.164.16.95
Nov 3, 2024 09:35:04.776689053 CET	49732	443	192.168.2.6	185.183.194.90
Nov 3, 2024 09:35:04.776695967 CET	443	49732	185.183.194.90	192.168.2.6
Nov 3, 2024 09:35:04.776751041 CET	49732	443	192.168.2.6	185.183.194.90
Nov 3, 2024 09:35:04.776823044 CET	49733	9000	192.168.2.6	192.42.116.189
Nov 3, 2024 09:35:04.777019978 CET	49734	1004	192.168.2.6	209.127.117.90
Nov 3, 2024 09:35:04.777158022 CET	49735	443	192.168.2.6	20.224.145.181
Nov 3, 2024 09:35:04.777165890 CET	443	49735	20.224.145.181	192.168.2.6
Nov 3, 2024 09:35:04.777213097 CET	49735	443	192.168.2.6	20.224.145.181
Nov 3, 2024 09:35:04.777298927 CET	49736	443	192.168.2.6	57.128.180.74
Nov 3, 2024 09:35:04.777307987 CET	443	49736	57.128.180.74	192.168.2.6
Nov 3, 2024 09:35:04.777352095 CET	49736	443	192.168.2.6	57.128.180.74
Nov 3, 2024 09:35:04.777441025 CET	49737	1003	192.168.2.6	85.10.205.56
Nov 3, 2024 09:35:04.777539015 CET	49738	443	192.168.2.6	85.90.207.39
Nov 3, 2024 09:35:04.777544975 CET	443	49738	85.90.207.39	192.168.2.6
Nov 3, 2024 09:35:04.777594090 CET	49738	443	192.168.2.6	85.90.207.39
Nov 3, 2024 09:35:04.777682066 CET	49739	9100	192.168.2.6	185.220.100.253
Nov 3, 2024 09:35:04.777793884 CET	49740	443	192.168.2.6	51.81.56.136
Nov 3, 2024 09:35:04.777801037 CET	443	49740	51.81.56.136	192.168.2.6
Nov 3, 2024 09:35:04.777843952 CET	49740	443	192.168.2.6	51.81.56.136
Nov 3, 2024 09:35:04.777928114 CET	49741	9001	192.168.2.6	193.239.86.133
Nov 3, 2024 09:35:04.779000998 CET	49742	443	192.168.2.6	23.154.177.2
Nov 3, 2024 09:35:04.779015064 CET	443	49742	23.154.177.2	192.168.2.6
Nov 3, 2024 09:35:04.779072046 CET	49742	443	192.168.2.6	23.154.177.2
Nov 3, 2024 09:35:04.779195070 CET	49743	8443	192.168.2.6	185.220.101.206
Nov 3, 2024 09:35:04.779292107 CET	9005	49726	109.70.100.71	192.168.2.6
Nov 3, 2024 09:35:04.779310942 CET	49744	9001	192.168.2.6	202.61.196.212
Nov 3, 2024 09:35:04.779356956 CET	49726	9005	192.168.2.6	109.70.100.71
Nov 3, 2024 09:35:04.779515028 CET	49745	9001	192.168.2.6	80.92.204.251
Nov 3, 2024 09:35:04.779628038 CET	49746	9088	192.168.2.6	152.53.111.174
Nov 3, 2024 09:35:04.779957056 CET	49747	443	192.168.2.6	152.67.112.12
Nov 3, 2024 09:35:04.779973984 CET	443	49747	152.67.112.12	192.168.2.6
Nov 3, 2024 09:35:04.780026913 CET	49747	443	192.168.2.6	152.67.112.12
Nov 3, 2024 09:35:04.780481100 CET	49749	9001	192.168.2.6	88.80.26.2
Nov 3, 2024 09:35:04.780525923 CET	49750	9001	192.168.2.6	37.114.57.182
Nov 3, 2024 09:35:04.780677080 CET	49751	9300	192.168.2.6	57.129.44.38
Nov 3, 2024 09:35:04.780766964 CET	49752	32616	192.168.2.6	94.131.171.105
Nov 3, 2024 09:35:04.780838966 CET	49753	445	192.168.2.6	137.74.5.135
Nov 3, 2024 09:35:04.780945063 CET	49754	9002	192.168.2.6	84.247.178.134
Nov 3, 2024 09:35:04.780986071 CET	9001	49727	45.11.229.132	192.168.2.6
Nov 3, 2024 09:35:04.781040907 CET	49727	9001	192.168.2.6	45.11.229.132
Nov 3, 2024 09:35:04.781086922 CET	49755	61040	192.168.2.6	31.220.72.103
Nov 3, 2024 09:35:04.781095028 CET	9001	49728	138.68.9.184	192.168.2.6
Nov 3, 2024 09:35:04.781145096 CET	49728	9001	192.168.2.6	138.68.9.184
Nov 3, 2024 09:35:04.781191111 CET	49756	9001	192.168.2.6	178.142.134.20
Nov 3, 2024 09:35:04.781256914 CET	110	49729	153.120.42.137	192.168.2.6
Nov 3, 2024 09:35:04.781311035 CET	49729	110	192.168.2.6	153.120.42.137
Nov 3, 2024 09:35:04.781333923 CET	49757	9001	192.168.2.6	82.64.150.101
Nov 3, 2024 09:35:04.781341076 CET	9000	49730	87.98.243.204	192.168.2.6
Nov 3, 2024 09:35:04.781383991 CET	49730	9000	192.168.2.6	87.98.243.204
Nov 3, 2024 09:35:04.781434059 CET	49759	9002	192.168.2.6	185.220.101.30
Nov 3, 2024 09:35:04.781512976 CET	49748	9001	192.168.2.6	107.189.12.88
Nov 3, 2024 09:35:04.781538010 CET	49760	9001	192.168.2.6	75.119.135.230
Nov 3, 2024 09:35:04.781550884 CET	9001	49731	194.164.16.95	192.168.2.6
Nov 3, 2024 09:35:04.781594992 CET	49731	9001	192.168.2.6	194.164.16.95
Nov 3, 2024 09:35:04.781646967 CET	49761	9000	192.168.2.6	209.127.245.250
Nov 3, 2024 09:35:04.781785011 CET	49762	9200	192.168.2.6	103.252.90.217
Nov 3, 2024 09:35:04.781810045 CET	9000	49733	192.42.116.189	192.168.2.6
Nov 3, 2024 09:35:04.781837940 CET	49758	9001	192.168.2.6	68.8.241.30
Nov 3, 2024 09:35:04.781857014 CET	49733	9000	192.168.2.6	192.42.116.189
Nov 3, 2024 09:35:04.782012939 CET	1004	49734	209.127.117.90	192.168.2.6
Nov 3, 2024 09:35:04.782063007 CET	49734	1004	192.168.2.6	209.127.117.90
Nov 3, 2024 09:35:04.782252073 CET	49763	443	192.168.2.6	83.11.190.165
Nov 3, 2024 09:35:04.782259941 CET	443	49763	83.11.190.165	192.168.2.6
Nov 3, 2024 09:35:04.782305002 CET	49763	443	192.168.2.6	83.11.190.165
Nov 3, 2024 09:35:04.782413006 CET	49764	443	192.168.2.6	95.211.205.138
Nov 3, 2024 09:35:04.782421112 CET	443	49764	95.211.205.138	192.168.2.6
Nov 3, 2024 09:35:04.782471895 CET	49764	443	192.168.2.6	95.211.205.138
Nov 3, 2024 09:35:04.782494068 CET	49765	9001	192.168.2.6	188.165.194.209
Nov 3, 2024 09:35:04.782613993 CET	49766	443	192.168.2.6	198.24.164.98
Nov 3, 2024 09:35:04.782620907 CET	443	49766	198.24.164.98	192.168.2.6
Nov 3, 2024 09:35:04.782640934 CET	1003	49737	85.10.205.56	192.168.2.6
Nov 3, 2024 09:35:04.782672882 CET	49766	443	192.168.2.6	198.24.164.98
Nov 3, 2024 09:35:04.782691956 CET	49737	1003	192.168.2.6	85.10.205.56
Nov 3, 2024 09:35:04.782731056 CET	49767	9001	192.168.2.6	185.220.101.21
Nov 3, 2024 09:35:04.782826900 CET	49768	443	192.168.2.6	46.38.233.211
Nov 3, 2024 09:35:04.782834053 CET	443	49768	46.38.233.211	192.168.2.6
Nov 3, 2024 09:35:04.782869101 CET	9100	49739	185.220.100.253	192.168.2.6
Nov 3, 2024 09:35:04.782882929 CET	49768	443	192.168.2.6	46.38.233.211
Nov 3, 2024 09:35:04.782910109 CET	49739	9100	192.168.2.6	185.220.100.253
Nov 3, 2024 09:35:04.782932997 CET	49769	8430	192.168.2.6	45.141.215.61
Nov 3, 2024 09:35:04.783036947 CET	49770	9001	192.168.2.6	23.184.48.13
Nov 3, 2024 09:35:04.783112049 CET	9001	49741	193.239.86.133	192.168.2.6
Nov 3, 2024 09:35:04.783154011 CET	49771	9000	192.168.2.6	23.163.200.46
Nov 3, 2024 09:35:04.783260107 CET	49741	9001	192.168.2.6	193.239.86.133
Nov 3, 2024 09:35:04.783260107 CET	49772	443	192.168.2.6	43.252.37.14
Nov 3, 2024 09:35:04.783266068 CET	443	49772	43.252.37.14	192.168.2.6
Nov 3, 2024 09:35:04.783308029 CET	49772	443	192.168.2.6	43.252.37.14
Nov 3, 2024 09:35:04.783360958 CET	49773	44433	192.168.2.6	68.134.176.234
Nov 3, 2024 09:35:04.783458948 CET	49774	9001	192.168.2.6	45.89.54.11
Nov 3, 2024 09:35:04.783550978 CET	49775	443	192.168.2.6	162.247.74.202
Nov 3, 2024 09:35:04.783557892 CET	443	49775	162.247.74.202	192.168.2.6
Nov 3, 2024 09:35:04.783606052 CET	49775	443	192.168.2.6	162.247.74.202
Nov 3, 2024 09:35:04.783648968 CET	49776	110	192.168.2.6	45.138.16.107
Nov 3, 2024 09:35:04.783750057 CET	49777	444	192.168.2.6	136.35.138.88
Nov 3, 2024 09:35:04.783967018 CET	49778	443	192.168.2.6	5.161.247.161
Nov 3, 2024 09:35:04.783979893 CET	443	49778	5.161.247.161	192.168.2.6
Nov 3, 2024 09:35:04.784030914 CET	49778	443	192.168.2.6	5.161.247.161
Nov 3, 2024 09:35:04.784068108 CET	49779	9201	192.168.2.6	94.26.73.162
Nov 3, 2024 09:35:04.784682989 CET	8443	49743	185.220.101.206	192.168.2.6
Nov 3, 2024 09:35:04.784732103 CET	49743	8443	192.168.2.6	185.220.101.206
Nov 3, 2024 09:35:04.784764051 CET	9001	49744	202.61.196.212	192.168.2.6
Nov 3, 2024 09:35:04.784806967 CET	49744	9001	192.168.2.6	202.61.196.212
Nov 3, 2024 09:35:04.784971952 CET	9001	49745	80.92.204.251	192.168.2.6
Nov 3, 2024 09:35:04.784990072 CET	9088	49746	152.53.111.174	192.168.2.6
Nov 3, 2024 09:35:04.785018921 CET	49745	9001	192.168.2.6	80.92.204.251
Nov 3, 2024 09:35:04.785041094 CET	49746	9088	192.168.2.6	152.53.111.174
Nov 3, 2024 09:35:04.785362005 CET	49780	443	192.168.2.6	162.247.74.200
Nov 3, 2024 09:35:04.785367966 CET	443	49780	162.247.74.200	192.168.2.6
Nov 3, 2024 09:35:04.785418987 CET	49780	443	192.168.2.6	162.247.74.200
Nov 3, 2024 09:35:04.785501957 CET	49781	8443	192.168.2.6	15.204.143.192
Nov 3, 2024 09:35:04.785605907 CET	49782	20901	192.168.2.6	82.65.150.138
Nov 3, 2024 09:35:04.785748005 CET	49783	443	192.168.2.6	168.181.185.147
Nov 3, 2024 09:35:04.785756111 CET	443	49783	168.181.185.147	192.168.2.6
Nov 3, 2024 09:35:04.785799026 CET	49783	443	192.168.2.6	168.181.185.147
Nov 3, 2024 09:35:04.785845041 CET	49784	1001	192.168.2.6	23.88.72.105
Nov 3, 2024 09:35:04.785958052 CET	49785	443	192.168.2.6	95.216.33.58
Nov 3, 2024 09:35:04.785965919 CET	443	49785	95.216.33.58	192.168.2.6
Nov 3, 2024 09:35:04.786005974 CET	49785	443	192.168.2.6	95.216.33.58
Nov 3, 2024 09:35:04.786057949 CET	49786	10048	192.168.2.6	185.220.101.48
Nov 3, 2024 09:35:04.786148071 CET	9001	49749	88.80.26.2	192.168.2.6
Nov 3, 2024 09:35:04.786170006 CET	49787	11118	192.168.2.6	65.21.98.72
Nov 3, 2024 09:35:04.786179066 CET	9001	49750	37.114.57.182	192.168.2.6
Nov 3, 2024 09:35:04.786195993 CET	49749	9001	192.168.2.6	88.80.26.2
Nov 3, 2024 09:35:04.786225080 CET	49750	9001	192.168.2.6	37.114.57.182
Nov 3, 2024 09:35:04.786287069 CET	49788	10050	192.168.2.6	185.220.101.50
Nov 3, 2024 09:35:04.786374092 CET	9300	49751	57.129.44.38	192.168.2.6
Nov 3, 2024 09:35:04.786379099 CET	49789	9001	192.168.2.6	194.88.105.30
Nov 3, 2024 09:35:04.786385059 CET	32616	49752	94.131.171.105	192.168.2.6
Nov 3, 2024 09:35:04.786418915 CET	49751	9300	192.168.2.6	57.129.44.38
Nov 3, 2024 09:35:04.786439896 CET	49752	32616	192.168.2.6	94.131.171.105
Nov 3, 2024 09:35:04.786459923 CET	445	49753	137.74.5.135	192.168.2.6
Nov 3, 2024 09:35:04.786483049 CET	49790	444	192.168.2.6	51.68.155.147
Nov 3, 2024 09:35:04.786505938 CET	49753	445	192.168.2.6	137.74.5.135
Nov 3, 2024 09:35:04.786578894 CET	49791	443	192.168.2.6	5.100.128.225
Nov 3, 2024 09:35:04.786581039 CET	9002	49754	84.247.178.134	192.168.2.6
Nov 3, 2024 09:35:04.786585093 CET	443	49791	5.100.128.225	192.168.2.6
Nov 3, 2024 09:35:04.786627054 CET	49754	9002	192.168.2.6	84.247.178.134
Nov 3, 2024 09:35:04.786648989 CET	49791	443	192.168.2.6	5.100.128.225
Nov 3, 2024 09:35:04.786673069 CET	49792	9001	192.168.2.6	172.114.8.83
Nov 3, 2024 09:35:04.786767006 CET	49793	9001	192.168.2.6	161.97.132.254
Nov 3, 2024 09:35:04.786798000 CET	61040	49755	31.220.72.103	192.168.2.6
Nov 3, 2024 09:35:04.786823034 CET	9001	49756	178.142.134.20	192.168.2.6
Nov 3, 2024 09:35:04.786842108 CET	49755	61040	192.168.2.6	31.220.72.103
Nov 3, 2024 09:35:04.786861897 CET	49756	9001	192.168.2.6	178.142.134.20
Nov 3, 2024 09:35:04.786864996 CET	49794	9001	192.168.2.6	71.163.253.207
Nov 3, 2024 09:35:04.786890984 CET	9001	49757	82.64.150.101	192.168.2.6
Nov 3, 2024 09:35:04.786936998 CET	49757	9001	192.168.2.6	82.64.150.101
Nov 3, 2024 09:35:04.786972046 CET	9002	49759	185.220.101.30	192.168.2.6
Nov 3, 2024 09:35:04.786974907 CET	49795	9091	192.168.2.6	162.247.74.31
Nov 3, 2024 09:35:04.787015915 CET	49759	9002	192.168.2.6	185.220.101.30
Nov 3, 2024 09:35:04.787127972 CET	9001	49748	107.189.12.88	192.168.2.6
Nov 3, 2024 09:35:04.787137985 CET	9001	49760	75.119.135.230	192.168.2.6
Nov 3, 2024 09:35:04.787182093 CET	49748	9001	192.168.2.6	107.189.12.88
Nov 3, 2024 09:35:04.787182093 CET	49760	9001	192.168.2.6	75.119.135.230
Nov 3, 2024 09:35:04.787208080 CET	49797	9001	192.168.2.6	5.39.185.164
Nov 3, 2024 09:35:04.787213087 CET	9000	49761	209.127.245.250	192.168.2.6
Nov 3, 2024 09:35:04.787257910 CET	49761	9000	192.168.2.6	209.127.245.250
Nov 3, 2024 09:35:04.787353039 CET	9200	49762	103.252.90.217	192.168.2.6
Nov 3, 2024 09:35:04.787384033 CET	9001	49758	68.8.241.30	192.168.2.6
Nov 3, 2024 09:35:04.787400007 CET	49762	9200	192.168.2.6	103.252.90.217
Nov 3, 2024 09:35:04.787430048 CET	49758	9001	192.168.2.6	68.8.241.30
Nov 3, 2024 09:35:04.787451029 CET	49798	10035	192.168.2.6	185.220.101.35
Nov 3, 2024 09:35:04.787578106 CET	49799	9001	192.168.2.6	190.211.254.192
Nov 3, 2024 09:35:04.787614107 CET	9001	49765	188.165.194.209	192.168.2.6
Nov 3, 2024 09:35:04.787659883 CET	49765	9001	192.168.2.6	188.165.194.209
Nov 3, 2024 09:35:04.787684917 CET	49800	443	192.168.2.6	178.79.154.219
Nov 3, 2024 09:35:04.787689924 CET	443	49800	178.79.154.219	192.168.2.6
Nov 3, 2024 09:35:04.787735939 CET	49800	443	192.168.2.6	178.79.154.219
Nov 3, 2024 09:35:04.787878990 CET	9001	49767	185.220.101.21	192.168.2.6
Nov 3, 2024 09:35:04.787903070 CET	8430	49769	45.141.215.61	192.168.2.6
Nov 3, 2024 09:35:04.787913084 CET	9001	49770	23.184.48.13	192.168.2.6
Nov 3, 2024 09:35:04.787920952 CET	49767	9001	192.168.2.6	185.220.101.21
Nov 3, 2024 09:35:04.787952900 CET	9000	49771	23.163.200.46	192.168.2.6
Nov 3, 2024 09:35:04.787952900 CET	49769	8430	192.168.2.6	45.141.215.61
Nov 3, 2024 09:35:04.787971973 CET	49770	9001	192.168.2.6	23.184.48.13
Nov 3, 2024 09:35:04.788009882 CET	49771	9000	192.168.2.6	23.163.200.46
Nov 3, 2024 09:35:04.788216114 CET	49796	1080	192.168.2.6	70.39.91.101
Nov 3, 2024 09:35:04.788252115 CET	44433	49773	68.134.176.234	192.168.2.6
Nov 3, 2024 09:35:04.788261890 CET	9001	49774	45.89.54.11	192.168.2.6
Nov 3, 2024 09:35:04.788311958 CET	49773	44433	192.168.2.6	68.134.176.234
Nov 3, 2024 09:35:04.788471937 CET	110	49776	45.138.16.107	192.168.2.6
Nov 3, 2024 09:35:04.788496971 CET	49774	9001	192.168.2.6	45.89.54.11
Nov 3, 2024 09:35:04.788521051 CET	49776	110	192.168.2.6	45.138.16.107
Nov 3, 2024 09:35:04.788532972 CET	444	49777	136.35.138.88	192.168.2.6
Nov 3, 2024 09:35:04.788577080 CET	49777	444	192.168.2.6	136.35.138.88
Nov 3, 2024 09:35:04.788801908 CET	49801	9002	192.168.2.6	192.42.116.195
Nov 3, 2024 09:35:04.788877964 CET	9201	49779	94.26.73.162	192.168.2.6
Nov 3, 2024 09:35:04.788928032 CET	49779	9201	192.168.2.6	94.26.73.162
Nov 3, 2024 09:35:04.789005995 CET	49802	443	192.168.2.6	204.8.96.112
Nov 3, 2024 09:35:04.789012909 CET	443	49802	204.8.96.112	192.168.2.6
Nov 3, 2024 09:35:04.789057970 CET	49802	443	192.168.2.6	204.8.96.112
Nov 3, 2024 09:35:04.789115906 CET	49803	9001	192.168.2.6	45.148.17.56
Nov 3, 2024 09:35:04.789223909 CET	49804	443	192.168.2.6	185.129.61.3
Nov 3, 2024 09:35:04.789231062 CET	443	49804	185.129.61.3	192.168.2.6
Nov 3, 2024 09:35:04.789294004 CET	49804	443	192.168.2.6	185.129.61.3
Nov 3, 2024 09:35:04.789354086 CET	49805	465	192.168.2.6	50.230.231.85
Nov 3, 2024 09:35:04.789602995 CET	49806	143	192.168.2.6	45.141.215.4
Nov 3, 2024 09:35:04.790257931 CET	8443	49781	15.204.143.192	192.168.2.6
Nov 3, 2024 09:35:04.790316105 CET	49781	8443	192.168.2.6	15.204.143.192
Nov 3, 2024 09:35:04.790375948 CET	20901	49782	82.65.150.138	192.168.2.6
Nov 3, 2024 09:35:04.790375948 CET	49808	443	192.168.2.6	129.151.198.94
Nov 3, 2024 09:35:04.790381908 CET	443	49808	129.151.198.94	192.168.2.6
Nov 3, 2024 09:35:04.790422916 CET	49782	20901	192.168.2.6	82.65.150.138
Nov 3, 2024 09:35:04.790445089 CET	49808	443	192.168.2.6	129.151.198.94
Nov 3, 2024 09:35:04.790486097 CET	49809	9001	192.168.2.6	81.201.202.101
Nov 3, 2024 09:35:04.790621996 CET	1001	49784	23.88.72.105	192.168.2.6
Nov 3, 2024 09:35:04.790671110 CET	49784	1001	192.168.2.6	23.88.72.105
Nov 3, 2024 09:35:04.790788889 CET	49807	9001	192.168.2.6	95.148.2.122
Nov 3, 2024 09:35:04.790924072 CET	10048	49786	185.220.101.48	192.168.2.6
Nov 3, 2024 09:35:04.790935040 CET	11118	49787	65.21.98.72	192.168.2.6
Nov 3, 2024 09:35:04.790981054 CET	49786	10048	192.168.2.6	185.220.101.48
Nov 3, 2024 09:35:04.791316986 CET	10050	49788	185.220.101.50	192.168.2.6
Nov 3, 2024 09:35:04.791327953 CET	9001	49789	194.88.105.30	192.168.2.6
Nov 3, 2024 09:35:04.791337967 CET	444	49790	51.68.155.147	192.168.2.6
Nov 3, 2024 09:35:04.791352034 CET	49787	11118	192.168.2.6	65.21.98.72
Nov 3, 2024 09:35:04.791388035 CET	49788	10050	192.168.2.6	185.220.101.50
Nov 3, 2024 09:35:04.791424990 CET	49789	9001	192.168.2.6	194.88.105.30
Nov 3, 2024 09:35:04.791424990 CET	49790	444	192.168.2.6	51.68.155.147
Nov 3, 2024 09:35:04.791465044 CET	9001	49792	172.114.8.83	192.168.2.6
Nov 3, 2024 09:35:04.791507006 CET	49792	9001	192.168.2.6	172.114.8.83
Nov 3, 2024 09:35:04.791649103 CET	9001	49793	161.97.132.254	192.168.2.6
Nov 3, 2024 09:35:04.791692972 CET	49793	9001	192.168.2.6	161.97.132.254
Nov 3, 2024 09:35:04.791702032 CET	9001	49794	71.163.253.207	192.168.2.6
Nov 3, 2024 09:35:04.791754007 CET	49794	9001	192.168.2.6	71.163.253.207
Nov 3, 2024 09:35:04.791831017 CET	9091	49795	162.247.74.31	192.168.2.6
Nov 3, 2024 09:35:04.791891098 CET	49795	9091	192.168.2.6	162.247.74.31
Nov 3, 2024 09:35:04.792023897 CET	9001	49797	5.39.185.164	192.168.2.6
Nov 3, 2024 09:35:04.792071104 CET	49797	9001	192.168.2.6	5.39.185.164
Nov 3, 2024 09:35:04.792296886 CET	10035	49798	185.220.101.35	192.168.2.6
Nov 3, 2024 09:35:04.792346001 CET	49798	10035	192.168.2.6	185.220.101.35
Nov 3, 2024 09:35:04.792392969 CET	9001	49799	190.211.254.192	192.168.2.6
Nov 3, 2024 09:35:04.792408943 CET	49810	9001	192.168.2.6	209.141.47.207
Nov 3, 2024 09:35:04.792435884 CET	49799	9001	192.168.2.6	190.211.254.192
Nov 3, 2024 09:35:04.793045998 CET	1080	49796	70.39.91.101	192.168.2.6
Nov 3, 2024 09:35:04.793104887 CET	49796	1080	192.168.2.6	70.39.91.101
Nov 3, 2024 09:35:04.793598890 CET	9002	49801	192.42.116.195	192.168.2.6
Nov 3, 2024 09:35:04.793647051 CET	49801	9002	192.168.2.6	192.42.116.195
Nov 3, 2024 09:35:04.793914080 CET	9001	49803	45.148.17.56	192.168.2.6
Nov 3, 2024 09:35:04.793957949 CET	49803	9001	192.168.2.6	45.148.17.56
Nov 3, 2024 09:35:04.794159889 CET	465	49805	50.230.231.85	192.168.2.6
Nov 3, 2024 09:35:04.794259071 CET	49805	465	192.168.2.6	50.230.231.85
Nov 3, 2024 09:35:04.794496059 CET	143	49806	45.141.215.4	192.168.2.6
Nov 3, 2024 09:35:04.794542074 CET	49806	143	192.168.2.6	45.141.215.4
Nov 3, 2024 09:35:04.795362949 CET	9001	49809	81.201.202.101	192.168.2.6
Nov 3, 2024 09:35:04.795418024 CET	49809	9001	192.168.2.6	81.201.202.101
Nov 3, 2024 09:35:04.795440912 CET	49811	9001	192.168.2.6	84.247.160.4
Nov 3, 2024 09:35:04.795630932 CET	9001	49807	95.148.2.122	192.168.2.6
Nov 3, 2024 09:35:04.795686960 CET	49807	9001	192.168.2.6	95.148.2.122
Nov 3, 2024 09:35:04.797288895 CET	9001	49810	209.141.47.207	192.168.2.6
Nov 3, 2024 09:35:04.797350883 CET	49810	9001	192.168.2.6	209.141.47.207
Nov 3, 2024 09:35:04.798532009 CET	49812	443	192.168.2.6	178.254.45.64
Nov 3, 2024 09:35:04.798541069 CET	443	49812	178.254.45.64	192.168.2.6
Nov 3, 2024 09:35:04.798594952 CET	49812	443	192.168.2.6	178.254.45.64
Nov 3, 2024 09:35:04.800353050 CET	9001	49811	84.247.160.4	192.168.2.6
Nov 3, 2024 09:35:04.800406933 CET	49811	9001	192.168.2.6	84.247.160.4
Nov 3, 2024 09:35:04.801888943 CET	49813	8000	192.168.2.6	178.63.41.183
Nov 3, 2024 09:35:04.804964066 CET	49814	443	192.168.2.6	137.220.37.214
Nov 3, 2024 09:35:04.804971933 CET	443	49814	137.220.37.214	192.168.2.6
Nov 3, 2024 09:35:04.805026054 CET	49814	443	192.168.2.6	137.220.37.214
Nov 3, 2024 09:35:04.806782007 CET	8000	49813	178.63.41.183	192.168.2.6
Nov 3, 2024 09:35:04.806835890 CET	49813	8000	192.168.2.6	178.63.41.183
Nov 3, 2024 09:35:05.157830000 CET	49710	10443	192.168.2.6	185.40.4.95
Nov 3, 2024 09:35:05.157866955 CET	49711	443	192.168.2.6	185.107.57.64
Nov 3, 2024 09:35:05.157893896 CET	49712	443	192.168.2.6	185.220.101.201
Nov 3, 2024 09:35:05.157915115 CET	49713	9001	192.168.2.6	2.204.219.86
Nov 3, 2024 09:35:05.157932997 CET	49714	9000	192.168.2.6	185.241.208.71
Nov 3, 2024 09:35:05.157952070 CET	49715	443	192.168.2.6	185.220.101.204
Nov 3, 2024 09:35:05.157972097 CET	49716	9001	192.168.2.6	107.173.148.133
Nov 3, 2024 09:35:05.157990932 CET	49717	9002	192.168.2.6	192.42.116.179
Nov 3, 2024 09:35:05.158011913 CET	49718	9001	192.168.2.6	95.99.30.188
Nov 3, 2024 09:35:05.158035994 CET	49719	30443	192.168.2.6	51.195.119.159
Nov 3, 2024 09:35:05.158056021 CET	49720	443	192.168.2.6	95.111.230.178
Nov 3, 2024 09:35:05.158090115 CET	49721	8430	192.168.2.6	45.141.215.95
Nov 3, 2024 09:35:05.158103943 CET	49722	443	192.168.2.6	67.219.107.200
Nov 3, 2024 09:35:05.158123970 CET	49723	9021	192.168.2.6	207.127.91.1
Nov 3, 2024 09:35:05.158148050 CET	49724	15259	192.168.2.6	185.227.82.15
Nov 3, 2024 09:35:05.158166885 CET	49725	443	192.168.2.6	109.70.100.3
Nov 3, 2024 09:35:05.158190966 CET	49726	9005	192.168.2.6	109.70.100.71
Nov 3, 2024 09:35:05.158209085 CET	49778	443	192.168.2.6	5.161.247.161
Nov 3, 2024 09:35:05.158222914 CET	49750	9001	192.168.2.6	37.114.57.182
Nov 3, 2024 09:35:05.158261061 CET	49727	9001	192.168.2.6	45.11.229.132
Nov 3, 2024 09:35:05.158277035 CET	49728	9001	192.168.2.6	138.68.9.184
Nov 3, 2024 09:35:05.158293009 CET	49729	110	192.168.2.6	153.120.42.137
Nov 3, 2024 09:35:05.158308029 CET	49730	9000	192.168.2.6	87.98.243.204
Nov 3, 2024 09:35:05.158329964 CET	49731	9001	192.168.2.6	194.164.16.95
Nov 3, 2024 09:35:05.158349037 CET	49732	443	192.168.2.6	185.183.194.90
Nov 3, 2024 09:35:05.158371925 CET	49733	9000	192.168.2.6	192.42.116.189
Nov 3, 2024 09:35:05.158387899 CET	49734	1004	192.168.2.6	209.127.117.90
Nov 3, 2024 09:35:05.158409119 CET	49735	443	192.168.2.6	20.224.145.181
Nov 3, 2024 09:35:05.158437014 CET	49736	443	192.168.2.6	57.128.180.74
Nov 3, 2024 09:35:05.158457994 CET	49737	1003	192.168.2.6	85.10.205.56
Nov 3, 2024 09:35:05.158473015 CET	49738	443	192.168.2.6	85.90.207.39
Nov 3, 2024 09:35:05.158494949 CET	49739	9100	192.168.2.6	185.220.100.253
Nov 3, 2024 09:35:05.158521891 CET	49740	443	192.168.2.6	51.81.56.136
Nov 3, 2024 09:35:05.158540010 CET	49741	9001	192.168.2.6	193.239.86.133
Nov 3, 2024 09:35:05.158556938 CET	49742	443	192.168.2.6	23.154.177.2
Nov 3, 2024 09:35:05.158577919 CET	49743	8443	192.168.2.6	185.220.101.206
Nov 3, 2024 09:35:05.158710003 CET	49744	9001	192.168.2.6	202.61.196.212
Nov 3, 2024 09:35:05.158726931 CET	49745	9001	192.168.2.6	80.92.204.251
Nov 3, 2024 09:35:05.158751011 CET	49746	9088	192.168.2.6	152.53.111.174
Nov 3, 2024 09:35:05.158795118 CET	49751	9300	192.168.2.6	57.129.44.38
Nov 3, 2024 09:35:05.158838987 CET	49747	443	192.168.2.6	152.67.112.12
Nov 3, 2024 09:35:05.158864021 CET	49748	9001	192.168.2.6	107.189.12.88
Nov 3, 2024 09:35:05.158910990 CET	49749	9001	192.168.2.6	88.80.26.2
Nov 3, 2024 09:35:05.158940077 CET	49762	9200	192.168.2.6	103.252.90.217
Nov 3, 2024 09:35:05.158962011 CET	49752	32616	192.168.2.6	94.131.171.105
Nov 3, 2024 09:35:05.159358978 CET	49753	445	192.168.2.6	137.74.5.135
Nov 3, 2024 09:35:05.159563065 CET	49754	9002	192.168.2.6	84.247.178.134
Nov 3, 2024 09:35:05.159593105 CET	49755	61040	192.168.2.6	31.220.72.103
Nov 3, 2024 09:35:05.159605980 CET	49756	9001	192.168.2.6	178.142.134.20
Nov 3, 2024 09:35:05.159634113 CET	49757	9001	192.168.2.6	82.64.150.101
Nov 3, 2024 09:35:05.159657955 CET	49758	9001	192.168.2.6	68.8.241.30
Nov 3, 2024 09:35:05.159677982 CET	49759	9002	192.168.2.6	185.220.101.30
Nov 3, 2024 09:35:05.159704924 CET	49760	9001	192.168.2.6	75.119.135.230
Nov 3, 2024 09:35:05.159719944 CET	49761	9000	192.168.2.6	209.127.245.250
Nov 3, 2024 09:35:05.159773111 CET	49763	443	192.168.2.6	83.11.190.165
Nov 3, 2024 09:35:05.159787893 CET	49764	443	192.168.2.6	95.211.205.138
Nov 3, 2024 09:35:05.159813881 CET	49765	9001	192.168.2.6	188.165.194.209
Nov 3, 2024 09:35:05.159838915 CET	49766	443	192.168.2.6	198.24.164.98
Nov 3, 2024 09:35:05.159861088 CET	49767	9001	192.168.2.6	185.220.101.21
Nov 3, 2024 09:35:05.159878969 CET	49768	443	192.168.2.6	46.38.233.211
Nov 3, 2024 09:35:05.159910917 CET	49769	8430	192.168.2.6	45.141.215.61
Nov 3, 2024 09:35:05.159919977 CET	49770	9001	192.168.2.6	23.184.48.13
Nov 3, 2024 09:35:05.159941912 CET	49771	9000	192.168.2.6	23.163.200.46
Nov 3, 2024 09:35:05.159981012 CET	49772	443	192.168.2.6	43.252.37.14
Nov 3, 2024 09:35:05.159996986 CET	49773	44433	192.168.2.6	68.134.176.234
Nov 3, 2024 09:35:05.160021067 CET	49774	9001	192.168.2.6	45.89.54.11
Nov 3, 2024 09:35:05.160043955 CET	49775	443	192.168.2.6	162.247.74.202
Nov 3, 2024 09:35:05.160063028 CET	49776	110	192.168.2.6	45.138.16.107
Nov 3, 2024 09:35:05.160090923 CET	49777	444	192.168.2.6	136.35.138.88
Nov 3, 2024 09:35:05.160103083 CET	49779	9201	192.168.2.6	94.26.73.162
Nov 3, 2024 09:35:05.160130024 CET	49780	443	192.168.2.6	162.247.74.200
Nov 3, 2024 09:35:05.160162926 CET	49781	8443	192.168.2.6	15.204.143.192
Nov 3, 2024 09:35:05.160177946 CET	49782	20901	192.168.2.6	82.65.150.138
Nov 3, 2024 09:35:05.160201073 CET	49783	443	192.168.2.6	168.181.185.147
Nov 3, 2024 09:35:05.160212994 CET	49784	1001	192.168.2.6	23.88.72.105
Nov 3, 2024 09:35:05.160239935 CET	49785	443	192.168.2.6	95.216.33.58
Nov 3, 2024 09:35:05.160257101 CET	49786	10048	192.168.2.6	185.220.101.48
Nov 3, 2024 09:35:05.160274982 CET	49787	11118	192.168.2.6	65.21.98.72
Nov 3, 2024 09:35:05.160300970 CET	49788	10050	192.168.2.6	185.220.101.50
Nov 3, 2024 09:35:05.160331964 CET	49789	9001	192.168.2.6	194.88.105.30
Nov 3, 2024 09:35:05.160345078 CET	49790	444	192.168.2.6	51.68.155.147
Nov 3, 2024 09:35:05.160362959 CET	49791	443	192.168.2.6	5.100.128.225
Nov 3, 2024 09:35:05.160379887 CET	49792	9001	192.168.2.6	172.114.8.83
Nov 3, 2024 09:35:05.160398006 CET	49793	9001	192.168.2.6	161.97.132.254
Nov 3, 2024 09:35:05.160415888 CET	49794	9001	192.168.2.6	71.163.253.207
Nov 3, 2024 09:35:05.160438061 CET	49795	9091	192.168.2.6	162.247.74.31
Nov 3, 2024 09:35:05.160459042 CET	49796	1080	192.168.2.6	70.39.91.101
Nov 3, 2024 09:35:05.160496950 CET	49797	9001	192.168.2.6	5.39.185.164
Nov 3, 2024 09:35:05.160496950 CET	49798	10035	192.168.2.6	185.220.101.35
Nov 3, 2024 09:35:05.160512924 CET	49799	9001	192.168.2.6	190.211.254.192
Nov 3, 2024 09:35:05.160533905 CET	49800	443	192.168.2.6	178.79.154.219
Nov 3, 2024 09:35:05.160552979 CET	49801	9002	192.168.2.6	192.42.116.195
Nov 3, 2024 09:35:05.160567999 CET	49802	443	192.168.2.6	204.8.96.112
Nov 3, 2024 09:35:05.160584927 CET	49803	9001	192.168.2.6	45.148.17.56
Nov 3, 2024 09:35:05.160600901 CET	49804	443	192.168.2.6	185.129.61.3
Nov 3, 2024 09:35:05.160624027 CET	49805	465	192.168.2.6	50.230.231.85
Nov 3, 2024 09:35:05.160650015 CET	49806	143	192.168.2.6	45.141.215.4
Nov 3, 2024 09:35:05.160669088 CET	49807	9001	192.168.2.6	95.148.2.122
Nov 3, 2024 09:35:05.160687923 CET	49808	443	192.168.2.6	129.151.198.94
Nov 3, 2024 09:35:05.160706043 CET	49809	9001	192.168.2.6	81.201.202.101
Nov 3, 2024 09:35:05.160731077 CET	49810	9001	192.168.2.6	209.141.47.207
Nov 3, 2024 09:35:05.160773993 CET	49811	9001	192.168.2.6	84.247.160.4
Nov 3, 2024 09:35:05.160798073 CET	49812	443	192.168.2.6	178.254.45.64
Nov 3, 2024 09:35:05.160882950 CET	49813	8000	192.168.2.6	178.63.41.183
Nov 3, 2024 09:35:05.160927057 CET	49814	443	192.168.2.6	137.220.37.214

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 09:35:02.671516895 CET	60644	53	192.168.2.6	1.1.1.1
Nov 3, 2024 09:35:02.710661888 CET	53	60644	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2024 09:35:02.671516895 CET	192.168.2.6	1.1.1.1	0xcaae	Standard query (0)	onionoo.torproject.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 3, 2024 09:35:02.710661888 CET	1.1.1.1	192.168.2.6	0xcaae	No error (0)	onionoo.torproject.org		204.8.99.156	A (IP address)	IN (0x0001)	false
Nov 3, 2024 09:35:12.491928101 CET	1.1.1.1	192.168.2.6	0x4557	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 3, 2024 09:35:12.491928101 CET	1.1.1.1	192.168.2.6	0x4557	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

onionoo.torproject.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	204.8.99.156	443	6708	C:\Users\user\Desktop\Payload 94.75.225.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-03 08:35:03 UTC	165	OUT	GET /details?type=relay&running=true&fields=fingerprint,or_addresses HTTP/1.1 Host: onionoo.torproject.org User-Agent: tor-relay-scanner Accept-Encoding: gzip
2024-11-03 08:35:03 UTC	448	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 03 Nov 2024 08:35:03 GMT Content-Type: application/json;charset=utf-8 Transfer-Encoding: chunked Connection: close Last-Modified: Sun, 03 Nov 2024 08:00:50 GMT Access-Control-Allow-Origin: * Cache-Control: public, max-age=2400 Strict-Transport-Security: max-age=15768000; preload Via: HTTP/1.1 onionoo-backend-03.torproject.org X-Cache-Date: Sun, 03 Nov 2024 08:04:25 GMT X-Cache-Status: HIT
2024-11-03 08:35:03 UTC	15936	IN	Data Raw: 38 30 30 30 0d 0a 7b 22 76 65 72 73 69 6f 6e 22 3a 22 38 2e 30 22 2c 0a 22 62 75 69 6c 64 5f 72 65 76 69 73 69 6f 6e 22 3a 22 64 32 63 31 32 36 31 22 2c 0a 22 72 65 6c 61 79 73 5f 70 75 62 6c 69 73 68 65 64 22 3a 22 32 30 32 34 2d 31 31 2d 30 33 20 30 35 3a 30 30 3a 30 30 22 2c 0a 22 72 65 6c 61 79 73 22 3a 5b 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 30 30 30 41 31 30 44 34 33 30 31 31 45 41 34 39 32 38 41 33 35 46 36 31 30 34 30 35 46 39 32 42 34 34 33 33 42 34 44 43 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 31 30 34 2e 35 33 2e 32 32 31 2e 31 35 39 3a 39 30 30 31 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 30 30 30 46 33 45 42 37 35 33 34 32 42 45 33 37 31 46 31 44 38 44 33 46 41 45 39 30 38 39 30 41 45 42 35 Data Ascii: 8000{"version":"8.0","build_revision":"d2c1261","relays_published":"2024-11-03 05:00:00","relays":[{"fingerprint":"000A10D43011EA4928A35F610405F92B4433B4DC","or_addresses":["104.53.221.159:9001"]},{"fingerprint":"000F3EB75342BE371F1D8D3FAE90890AEB5
2024-11-03 08:35:03 UTC	16384	IN	Data Raw: 35 31 39 44 44 38 36 30 45 36 31 42 41 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 31 33 36 2e 32 34 33 2e 33 2e 31 39 34 3a 38 30 30 30 22 2c 22 5b 32 61 30 31 3a 34 66 38 3a 32 31 31 3a 31 64 34 31 3a 3a 32 5d 3a 38 30 30 30 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 30 33 44 32 45 46 46 42 41 32 31 33 32 44 44 34 33 31 30 44 41 31 32 42 37 38 35 35 34 37 32 33 33 32 33 41 43 30 34 34 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 39 31 2e 32 30 36 2e 32 32 38 2e 31 32 30 3a 39 38 39 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 30 33 44 41 32 30 46 44 37 31 43 45 44 31 38 38 43 38 42 37 36 35 32 45 38 31 39 34 31 43 35 30 36 37 32 34 44 42 41 36 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 Data Ascii: 519DD860E61BA","or_addresses":["136.243.3.194:8000","[2a01:4f8:211:1d41::2]:8000"]},{"fingerprint":"03D2EFFBA2132DD4310DA12B78554723323AC044","or_addresses":["91.206.228.120:989"]},{"fingerprint":"03DA20FD71CED188C8B7652E81941C506724DBA6","or_addresses"
2024-11-03 08:35:04 UTC	16384	IN	Data Raw: 34 32 36 32 36 45 42 42 46 36 43 43 30 43 37 32 43 37 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 39 31 2e 31 37 36 2e 38 39 2e 32 35 31 3a 35 34 33 32 31 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 30 37 46 30 45 36 35 32 45 34 43 43 42 30 41 30 46 31 45 38 38 44 30 30 34 36 45 43 42 33 32 32 45 36 33 31 38 43 38 36 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 37 38 2e 31 33 38 2e 39 38 2e 34 32 3a 39 30 30 31 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 30 38 30 30 36 44 45 46 41 33 44 39 33 31 35 44 30 33 46 30 44 45 37 34 37 30 33 43 43 37 43 43 45 42 38 41 46 42 33 42 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 34 35 2e 31 33 38 2e 31 36 2e 34 34 3a 34 34 33 22 5d 7d 2c 0a 7b Data Ascii: 42626EBBF6CC0C72C7","or_addresses":["91.176.89.251:54321"]},{"fingerprint":"07F0E652E4CCB0A0F1E88D0046ECB322E6318C86","or_addresses":["78.138.98.42:9001"]},{"fingerprint":"08006DEFA3D9315D03F0DE74703CC7CCEB8AFB3B","or_addresses":["45.138.16.44:443"]},{
2024-11-03 08:35:04 UTC	16384	IN	Data Raw: 61 64 64 72 65 73 73 65 73 22 3a 5b 22 38 35 2e 31 39 35 2e 32 35 33 2e 31 34 32 3a 39 30 30 35 22 2c 22 5b 32 61 30 32 3a 31 36 38 3a 38 33 64 34 3a 37 37 37 37 3a 34 34 62 64 3a 63 39 66 66 3a 66 65 32 65 3a 33 31 36 35 5d 3a 34 34 33 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 30 43 41 36 44 39 39 33 45 39 38 39 38 45 32 30 37 33 42 42 38 36 39 34 31 43 41 34 36 45 35 32 30 31 37 32 30 31 30 41 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 38 32 2e 31 35 33 2e 31 33 38 2e 31 38 34 3a 39 30 30 31 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 30 43 41 39 32 30 31 45 34 35 32 46 31 43 31 41 45 39 43 42 31 35 36 37 45 41 30 39 44 45 31 43 32 46 36 41 32 41 42 45 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 Data Ascii: addresses":["85.195.253.142:9005","[2a02:168:83d4:7777:44bd:c9ff:fe2e:3165]:443"]},{"fingerprint":"0CA6D993E9898E2073BB86941CA46E520172010A","or_addresses":["82.153.138.184:9001"]},{"fingerprint":"0CA9201E452F1C1AE9CB1567EA09DE1C2F6A2ABE","or_addresses"
2024-11-03 08:35:04 UTC	16384	IN	Data Raw: 46 46 43 33 35 30 38 42 44 38 45 36 41 44 46 42 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 38 34 2e 32 34 37 2e 31 38 30 2e 32 34 38 3a 39 30 30 31 22 2c 22 5b 32 61 30 32 3a 63 32 30 36 3a 33 30 31 32 3a 38 30 38 33 3a 3a 31 5d 3a 39 30 30 31 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 31 31 34 46 36 46 32 41 33 41 36 45 38 41 42 39 41 43 32 42 44 35 34 42 38 43 35 41 32 30 34 43 31 43 41 35 39 34 32 42 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 33 37 2e 32 32 38 2e 31 32 39 2e 35 3a 39 30 30 31 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 31 31 35 32 31 36 33 46 39 31 43 33 41 41 32 44 33 30 42 38 46 42 38 46 46 43 41 38 44 38 34 34 32 31 31 35 45 46 38 35 22 2c 22 6f 72 5f 61 64 64 72 65 Data Ascii: FFC3508BD8E6ADFB","or_addresses":["84.247.180.248:9001","[2a02:c206:3012:8083::1]:9001"]},{"fingerprint":"114F6F2A3A6E8AB9AC2BD54B8C5A204C1CA5942B","or_addresses":["37.228.129.5:9001"]},{"fingerprint":"1152163F91C3AA2D30B8FB8FFCA8D8442115EF85","or_addre
2024-11-03 08:35:04 UTC	16384	IN	Data Raw: 36 32 34 34 43 43 45 33 32 30 34 45 32 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 33 38 2e 31 35 2e 31 33 31 2e 37 31 3a 39 30 30 31 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 31 36 35 41 34 45 38 34 33 31 33 36 39 46 32 34 36 46 37 34 42 46 38 33 45 45 42 35 31 35 42 34 42 31 44 32 33 34 43 37 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 32 34 2e 31 39 31 2e 36 32 2e 31 30 39 3a 39 30 30 31 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 31 36 36 32 36 34 31 36 38 45 38 43 43 43 42 42 32 34 34 34 41 44 45 30 46 30 41 32 32 45 34 45 36 44 44 45 46 36 46 44 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 38 37 2e 31 31 38 2e 31 31 36 2e 39 30 3a 34 34 34 22 2c 22 5b 32 30 30 31 3a 31 62 Data Ascii: 6244CCE3204E2","or_addresses":["38.15.131.71:9001"]},{"fingerprint":"165A4E8431369F246F74BF83EEB515B4B1D234C7","or_addresses":["24.191.62.109:9001"]},{"fingerprint":"166264168E8CCCBB2444ADE0F0A22E4E6DDEF6FD","or_addresses":["87.118.116.90:444","[2001:1b
2024-11-03 08:35:04 UTC	16384	IN	Data Raw: 64 72 65 73 73 65 73 22 3a 5b 22 31 37 32 2e 32 33 34 2e 31 38 2e 32 32 38 3a 39 30 30 32 22 2c 22 5b 32 36 30 30 3a 33 63 30 36 3a 3a 66 30 33 63 3a 39 33 66 66 3a 66 65 66 39 3a 65 35 34 39 5d 3a 39 30 30 32 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 31 41 45 39 34 39 39 36 37 46 38 32 42 42 45 37 35 33 34 41 33 44 36 42 41 37 37 41 37 45 42 45 31 43 45 44 34 33 36 39 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 32 30 34 2e 38 2e 39 36 2e 38 35 3a 34 34 33 22 2c 22 5b 32 36 32 30 3a 37 3a 36 30 30 31 3a 3a 66 66 66 66 3a 63 37 35 39 3a 65 36 35 35 5d 3a 38 30 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 31 41 45 43 38 45 46 36 41 39 37 39 46 38 43 41 44 34 37 35 39 32 42 45 43 30 34 46 37 33 34 44 35 41 Data Ascii: dresses":["172.234.18.228:9002","[2600:3c06::f03c:93ff:fef9:e549]:9002"]},{"fingerprint":"1AE949967F82BBE7534A3D6BA77A7EBE1CED4369","or_addresses":["204.8.96.85:443","[2620:7:6001::ffff:c759:e655]:80"]},{"fingerprint":"1AEC8EF6A979F8CAD47592BEC04F734D5A
2024-11-03 08:35:04 UTC	16384	IN	Data Raw: 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 36 35 2e 32 31 2e 39 34 2e 31 33 3a 39 34 34 33 22 2c 22 5b 32 61 30 31 3a 34 66 39 3a 33 62 3a 34 36 38 65 3a 3a 31 33 5d 3a 39 34 34 33 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 31 46 32 45 42 37 30 32 36 38 43 45 39 45 31 38 43 45 38 36 34 44 34 34 44 37 39 33 45 32 30 39 31 46 33 43 45 37 32 43 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 34 36 2e 34 2e 35 37 2e 37 35 3a 38 34 34 33 22 2c 22 5b 32 61 30 31 3a 34 66 38 3a 31 34 30 3a 31 34 36 35 3a 3a 32 5d 3a 38 34 34 33 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 31 46 32 46 36 33 34 44 36 44 38 37 43 46 36 43 35 33 35 38 43 31 33 36 37 46 39 42 44 35 46 39 32 36 43 45 46 33 46 34 22 2c 22 6f Data Ascii: ","or_addresses":["65.21.94.13:9443","[2a01:4f9:3b:468e::13]:9443"]},{"fingerprint":"1F2EB70268CE9E18CE864D44D793E2091F3CE72C","or_addresses":["46.4.57.75:8443","[2a01:4f8:140:1465::2]:8443"]},{"fingerprint":"1F2F634D6D87CF6C5358C1367F9BD5F926CEF3F4","o
2024-11-03 08:35:04 UTC	16384	IN	Data Raw: 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 32 31 32 2e 32 32 37 2e 32 33 34 2e 31 35 33 3a 39 30 30 31 22 2c 22 5b 32 61 30 32 3a 32 34 37 61 3a 32 33 38 3a 61 66 30 30 3a 3a 31 5d 3a 39 30 30 31 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 32 33 41 32 33 43 46 43 42 43 43 36 37 36 46 33 42 35 31 43 39 44 42 33 36 45 37 41 37 30 45 35 31 38 31 45 32 46 30 34 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 33 37 2e 36 30 2e 32 34 34 2e 32 33 3a 39 30 30 30 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 32 33 41 42 30 35 44 46 43 39 34 33 43 33 44 43 39 30 33 39 45 42 30 34 38 35 32 35 43 45 45 44 31 42 35 39 38 39 38 42 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 37 38 2e 31 35 37 2e 38 32 2e 32 30 32 Data Ascii: _addresses":["212.227.234.153:9001","[2a02:247a:238:af00::1]:9001"]},{"fingerprint":"23A23CFCBCC676F3B51C9DB36E7A70E5181E2F04","or_addresses":["37.60.244.23:9000"]},{"fingerprint":"23AB05DFC943C3DC9039EB048525CEED1B59898B","or_addresses":["78.157.82.202
2024-11-03 08:35:04 UTC	16384	IN	Data Raw: 2e 31 38 2e 34 36 2e 32 33 31 3a 34 34 33 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 32 37 46 36 41 44 30 39 31 30 42 44 39 30 32 32 38 43 35 44 31 38 32 46 31 46 39 42 41 31 39 39 42 41 45 35 34 32 34 39 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 38 30 2e 39 34 2e 39 32 2e 39 32 3a 39 37 30 30 22 5d 7d 2c 0a 7b 22 66 69 6e 67 65 72 70 72 69 6e 74 22 3a 22 32 37 46 41 45 39 39 43 30 44 42 41 38 43 44 39 44 42 46 45 34 32 44 32 44 32 34 36 34 42 34 43 36 38 45 45 42 30 30 44 22 2c 22 6f 72 5f 61 64 64 72 65 73 73 65 73 22 3a 5b 22 31 30 34 2e 32 34 34 2e 37 38 2e 32 33 33 3a 39 30 30 30 22 2c 22 5b 32 36 30 35 3a 36 34 30 30 3a 33 30 3a 66 35 37 64 3a 39 31 36 65 3a 37 33 66 38 3a 64 35 65 37 3a 36 37 35 62 5d 3a 39 30 30 Data Ascii: .18.46.231:443"]},{"fingerprint":"27F6AD0910BD90228C5D182F1F9BA199BAE54249","or_addresses":["80.94.92.92:9700"]},{"fingerprint":"27FAE99C0DBA8CD9DBFE42D2D2464B4C68EEB00D","or_addresses":["104.244.78.233:9000","[2605:6400:30:f57d:916e:73f8:d5e7:675b]:900

Target ID:	0
Start time:	03:35:01
Start date:	03/11/2024
Path:	C:\Users\user\Desktop\Payload 94.75.225.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payload 94.75.225.exe"
Imagebase:	0x710000
File size:	6'365'184 bytes
MD5 hash:	C1CD02403F4CA49C8547B397DAD11A21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:35:02
Start date:	03/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00778860 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125694065.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2125676396.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125896072.00000000009C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126076444.0000000000CA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126089984.0000000000CA4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126101895.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126114478.0000000000CA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126126389.0000000000CA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126140860.0000000000CA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126153086.0000000000CAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126165071.0000000000CAB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126191570.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126203928.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126215208.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126229181.0000000000CFD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126243160.0000000000D01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126255248.0000000000D02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126267676.0000000000D04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126267676.0000000000D2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126267676.0000000000D5A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126267676.0000000000D5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126325106.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126340694.0000000000D74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126352894.0000000000D75000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_Payload 94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a81b3e8686fd5586489e02b61095a193f9e4492072cbdfd7f91e15e221c8bcc
Instruction ID: 497d653e342e0af15040d0d1f1d4e064cc6788bc54f34d0466da3a8f233bdedb
Opcode Fuzzy Hash: 4a81b3e8686fd5586489e02b61095a193f9e4492072cbdfd7f91e15e221c8bcc
Instruction Fuzzy Hash: 3431972391CFC482D2218B24F5413AAB364F7A9784F15A315EFCC12A1ADF38E2E5CB40

Function 00774D00 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125694065.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2125676396.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125896072.00000000009C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126076444.0000000000CA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126089984.0000000000CA4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126101895.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126114478.0000000000CA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126126389.0000000000CA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126140860.0000000000CA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126153086.0000000000CAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126165071.0000000000CAB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126191570.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126203928.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126215208.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126229181.0000000000CFD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126243160.0000000000D01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126255248.0000000000D02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126267676.0000000000D04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126267676.0000000000D2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126267676.0000000000D5A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126267676.0000000000D5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126325106.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126340694.0000000000D74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126352894.0000000000D75000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_Payload 94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6226d625974f41b655ebad5d25ed4558e083c2262c14460cf3d0e00d19dfb20c
Instruction ID: c02407309b8921e850879da32c798c8e8d81f3346f9cd70fc296784635b22c84
Opcode Fuzzy Hash: 6226d625974f41b655ebad5d25ed4558e083c2262c14460cf3d0e00d19dfb20c
Instruction Fuzzy Hash:

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payload 94.75.225.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
Payload 94.75.225.exe