Windows
Analysis Report
eoIIBcxUj3.exe
Overview
General Information
Sample name: | eoIIBcxUj3.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original sample name: | c2c8b9851e807452f57cd7a1fabec3ba |
Analysis ID: | 1653437 |
MD5: | c2c8b9851e807452f57cd7a1fabec3ba |
SHA1: | d38ad61023caa4d2c2b10e3474ed5658d797cc58 |
SHA256: | 64826dad12787e9f9989046e0b0d1f58704e52968dbb12de2fcc948dbf2bf2d0 |
Detection
FormBook
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Classification
- System is w10x64
- Process tree (report order; parent/child indentation was not preserved in the extraction):
- eoIIBcxUj3.exe (PID: 7804, cmdline: "C:\Users\user\Desktop\eoIIBcxUj3.exe", MD5: C2C8B9851E807452F57CD7A1FABEC3BA)
- svchost.exe (PID: 7856, cmdline: "C:\Users\user\Desktop\eoIIBcxUj3.exe", MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
- UJarIfYl5U.exe (PID: 6356, cmdline: "C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\Que6zKtSrCf5.exe", MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
- sfc.exe (PID: 3888, cmdline: "C:\Windows\SysWOW64\sfc.exe", MD5: 4D2662964EF299131D049EC1278BE08B)
- UJarIfYl5U.exe (PID: 6292, cmdline: "C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UHcFP3RaOlKm.exe", MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
- firefox.exe (PID: 7616, cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe", MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- cleanup
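The "Sigma detected: Uncommon Svchost Parent Process" hit listed under Detection refers to the tree above: svchost.exe (PID 7856) appears directly after the sample (PID 7804), while a legitimate service host is started by services.exe (or a small set of other system binaries). As an added example that is not part of the Joe Sandbox report, the Python below runs an approximation of that rule over Sysmon-style process-creation records. The allow-list of parents, the record format, and the parent PIDs and image paths that the report does not show are assumptions constructed for this example.

```python
"""Added example (not part of the Joe Sandbox report): flag svchost.exe launches
whose parent is not an expected system process, approximating the public Sigma
rule "Uncommon Svchost Parent Process". Records and allow-list are constructed."""
import ntpath
from dataclasses import dataclass

# Parents from which svchost.exe is legitimately started. This approximates the
# Sigma rule's filter; tune it against your own baseline before deploying.
LEGIT_SVCHOST_PARENTS = {
    "services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe",
    "svchost.exe", "ngen.exe", "tiworker.exe",
}


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of a Sysmon Event ID 1 record (constructed shape)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host platform.
    return ntpath.basename(path).lower()


def detect_uncommon_svchost_parent(events):
    """Return (event, reason) pairs for svchost.exe launches that deviate from
    the expected pattern. Two independent checks: the parent image, and the
    absence of the -k <group> argument every real service host is given."""
    hits = []
    for ev in events:
        if basename(ev.image) != "svchost.exe":
            continue
        if basename(ev.parent_image) not in LEGIT_SVCHOST_PARENTS:
            hits.append((ev, f"unexpected parent {ev.parent_image}"))
        elif " -k " not in f" {ev.command_line} ":
            hits.append((ev, "svchost.exe started without -k <group>"))
    return hits


# Constructed records: one legitimate service host, the sample's own start from
# explorer.exe (parent PID assumed), and the sandbox's observation that the
# sample started svchost.exe. The SysWOW64 path is assumed (the sample is 32-bit).
SAMPLE_EVENTS = [
    ProcessCreate(912, r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\svchost.exe -k netsvcs -p",
                  688, r"C:\Windows\System32\services.exe"),
    ProcessCreate(7804, r"C:\Users\user\Desktop\eoIIBcxUj3.exe",
                  r'"C:\Users\user\Desktop\eoIIBcxUj3.exe"',
                  4120, r"C:\Windows\explorer.exe"),
    ProcessCreate(7856, r"C:\Windows\SysWOW64\svchost.exe",
                  r'"C:\Users\user\Desktop\eoIIBcxUj3.exe"',
                  7804, r"C:\Users\user\Desktop\eoIIBcxUj3.exe"),
]

if __name__ == "__main__":
    for ev, reason in detect_uncommon_svchost_parent(SAMPLE_EVENTS):
        print(f"PID {ev.pid} ({ev.image}): {reason}")
```

The second check is deliberately kept separate from the parent check: a service host started by services.exe but without `-k` is a different anomaly (and a different Sigma rule) from one started by a user-land binary, and both deserve their own reason string in the alert.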
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(5 matches; sources not preserved in the extraction) | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
(2 further entries collapsed in the original report) | | | | |
System Summary |
---|
Sigma rule matches: 2 (authors Florian Roth (Nextron Systems) and vburov; rule titles not preserved in the extraction, cf. "Sigma detected: Uncommon Svchost Parent Process" under Detection).
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-01T09:04:00.390735+0200 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.4 | 49724 | 13.248.213.45 | 80 | TCP |
Signature sections:
- AV Detection
- Compliance
- Networking
- E-Banking Fraud
- System Summary
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection |
---|
Evidence entries in this section (values not preserved in the extraction): Avira (submitted sample) x1; Avira URL Cloud x9; Virustotal x1 (perma link); ReversingLabs x1; File source x7; Static PE information x1; Binary string x5.
Networking |
---|
Evidence entries in this section (values not preserved in the extraction): Suricata IDS x1; DNS query x3; IP Address x3; UDP traffic detected without corresponding DNS query x24; HTTP traffic detected x12; DNS traffic detected x12; String found in binary or memory x18.
E-Banking Fraud |
---|
Evidence entries in this section (values not preserved in the extraction): File source x7.
System Summary |
---|
Evidence entries in this section (values not preserved in the extraction): String found in binary or memory x4 (memstr_c8567a18-f, memstr_ef4607ed-2, memstr_e521e08b-7, memstr_aa5e896b-6); Binary or memory string x3; Static PE information x14; Classification label x1; File created x1; File read x1; Key opened x2; Virustotal x1; ReversingLabs x1; Process created x7; Section loaded x43; Key value queried x1; Static file information x1; Binary string x5; Process information set x7.
Malware Analysis System Evasion |
---|
Evidence entries in this section (values not preserved in the extraction): API/Special instruction interceptor x9; Binary or memory string x3; Window / User API x1; Thread sleep count x3; Thread sleep time x4; Last function x2; Process information queried x1; Process queried x2.
HIPS / PFW / Operating System Protection Evasion |
---|
Direct / indirect syscalls observed (Nt* functions in report order, 33 entries; call sites not preserved in the extraction): NtCreateFile, NtOpenFile, NtSetInformationThread, NtQueryInformationToken, NtTerminateThread, NtProtectVirtualMemory, NtSetInformationProcess, NtNotifyChangeKey, NtOpenKeyEx, NtOpenSection, NtAllocateVirtualMemory, NtQueryVolumeInformationFile, NtQuerySystemInformation, NtAllocateVirtualMemory, NtDeviceIoControlFile, NtCreateUserProcess, NtWriteVirtualMemory, NtQueryInformationProcess, NtResumeThread, NtReadVirtualMemory, NtCreateKey, NtSetInformationThread, NtQueryAttributesFile, NtAllocateVirtualMemory, NtClose, NtCreateMutant, NtWriteVirtualMemory, NtMapViewOfSection, NtResumeThread, NtReadFile, NtQuerySystemInformation, NtDelayExecution, NtAllocateVirtualMemory.
The NtCreateUserProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtMapViewOfSection, NtResumeThread sequence is consistent with the suspended-process and foreign-memory-write injection signatures listed under Detection.
Further evidence entries: Section loaded x7; Thread register set x1; Thread APC queued x1; Memory written x1; Process created x3; Binary or memory string x5.
Stealing of Sensitive Information |
---|
Evidence entries in this section (values not preserved in the extraction): File source x7; File opened x8; Key opened x1.
Remote Access Functionality |
---|
Evidence entries in this section (values not preserved in the extraction): File source x7.
MITRE ATT&CK techniques with signature hits (numeric prefixes are the hit counts as rendered in the report's matrix; matrix cells without hits are omitted):
- Persistence / Privilege Escalation / Defense Evasion: 1 DLL Side-Loading
- Privilege Escalation / Defense Evasion: 412 Process Injection; 1 Abuse Elevation Control Mechanism
- Defense Evasion / Discovery: 2 Virtualization/Sandbox Evasion
- Credential Access: 1 OS Credential Dumping
- Discovery: 211 Security Software Discovery; 2 Process Discovery; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
- Collection: 1 Email Collection; 1 Data from Local System
- Command and Control: 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
75% | Virustotal | Browse | ||
79% | ReversingLabs | Win32.Trojan.AgentTesla | ||
100% | Avira | TR/AD.Swotter.hefoh |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.l33900.xyz | 162.218.30.235 | true | false | high | |
www.qzsazi.info | 47.83.1.90 | true | false | high | |
woodsplace.net | 13.248.213.45 | true | false | high | |
031233226.xyz | 144.76.229.203 | true | false | high | |
www.sigaque.today | 104.21.32.1 | true | false | high | |
www.milp.store | 194.9.94.85 | true | false | unknown | |
www.cruycq.info | 47.83.1.90 | true | false | unknown | |
www.woodsplace.net | unknown | unknown | false | high | |
www.f66el619d.shop | unknown | unknown | false | unknown | |
www.elevatetextiles.net | unknown | unknown | false | high | |
www.vipstargold.buzz | unknown | unknown | false | high | |
www.kitculture.shop | unknown | unknown | false | high | |
www.031233226.xyz | unknown | unknown | false | high | |
www.alplace.site | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(10 URLs; names not preserved in the extraction) | false (8), true (2) | | unknown (10) |

Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(13 URLs; names and sources not preserved in the extraction) | | false (13) | | high (10), unknown (3) |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
144.76.229.203 | 031233226.xyz | Germany | 24940 | HETZNER-ASDE | false |
13.248.213.45 | woodsplace.net | United States | 16509 | AMAZON-02US | false |
194.9.94.85 | www.milp.store | Sweden | 39570 | LOOPIASE | false |
47.83.1.90 | www.qzsazi.info | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | false |
104.21.32.1 | www.sigaque.today | United States | 13335 | CLOUDFLARENETUS | false |
162.218.30.235 | www.l33900.xyz | United States | 62587 | ANT-CLOUDUS | false |
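The domain and IP tables above are the report's network indicators; the Suricata alert (SID 2856318, 192.168.2.4:49724 to 13.248.213.45:80) and the "Performs DNS queries to domains with low reputation" signature both point at them. As an added example that is not part of the report, the Python below normalises those indicators into a watch-list and runs constructed DNS and connection log lines against it, so that `www.woodsplace.net.` in a resolver log and `woodsplace.net` in the table compare equal. The log format, the benign lines and the `www.` normalisation are assumptions; the indicator sets are copied from the tables.

```python
"""Added example (not from the report): match DNS and connection logs against
the report's domain and IP indicators. Log lines below are constructed."""
import ipaddress
import re
from collections import Counter

# Indicators copied from the report's domain and IP tables.
IOC_DOMAINS = {
    "www.l33900.xyz", "www.qzsazi.info", "woodsplace.net", "031233226.xyz",
    "www.sigaque.today", "www.milp.store", "www.cruycq.info",
    "www.woodsplace.net", "www.f66el619d.shop", "www.elevatetextiles.net",
    "www.vipstargold.buzz", "www.kitculture.shop", "www.031233226.xyz",
    "www.alplace.site",
}
IOC_IPS = {
    "144.76.229.203", "13.248.213.45", "194.9.94.85",
    "47.83.1.90", "104.21.32.1", "162.218.30.235",
}


def registrable_name(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that the
    www.* and bare forms in the table collapse to one watch-list entry."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


WATCH_DOMAINS = {registrable_name(d) for d in IOC_DOMAINS}
WATCH_IPS = {ipaddress.ip_address(ip) for ip in IOC_IPS}

# Constructed line shapes: "<ts> <client> query <name>" for a resolver log and
# "<ts> <client> connect <dst_ip>:<port>" for a firewall/flow log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) "
    r"(?P<kind>query|connect) (?P<target>\S+)$"
)


def match_log(lines):
    """Return (client, kind, indicator) for every line touching a watch-listed
    domain or IP; lines that do not parse are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        kind, target = m["kind"], m["target"]
        if kind == "query":
            name = registrable_name(target)
            if name in WATCH_DOMAINS:
                hits.append((m["client"], "dns", name))
        else:
            ip = ipaddress.ip_address(target.rsplit(":", 1)[0])
            if ip in WATCH_IPS:
                hits.append((m["client"], "connect", str(ip)))
    return hits


def summarize(hits):
    """Hits per client, so a single noisy host stands out in a large log."""
    return Counter(client for client, _, _ in hits)


# Constructed log: the sandbox client's activity around the Suricata alert time,
# one benign Microsoft lookup, an unrelated client, and one unparseable line.
SAMPLE_LOG = [
    "2025-04-01T09:03:58Z 192.168.2.4 query www.woodsplace.net.",
    "2025-04-01T09:03:59Z 192.168.2.4 query fs.microsoft.com",
    "2025-04-01T09:04:00Z 192.168.2.4 connect 13.248.213.45:80",
    "2025-04-01T09:04:07Z 192.168.2.4 query WWW.L33900.XYZ",
    "2025-04-01T09:04:09Z 192.168.2.9 connect 142.250.74.14:443",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, kind, ioc in match_log(SAMPLE_LOG):
        print(f"{client} {kind} {ioc}")
```

Treat the IP hits as weaker than the domain hits: the report marks every IP Malicious=false, and 104.21.32.1 is a Cloudflare address shared with unrelated sites. FormBook is also known to contact a mix of decoy domains and its live C2, so one matching lookup is a lead to pivot on (which process, how many of the listed domains, any HTTP POSTs to 13.248.213.45) rather than a verdict on its own.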
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1653437 |
Start date and time: | 2025-04-01 09:01:30 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 22s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 2 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | eoIIBcxUj3.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original Sample Name: | c2c8b9851e807452f57cd7a1fabec3ba |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@7/5@24/6 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.204.23.20, 204.79.197.222, 20.109.210.53
- Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
Time | Type | Description |
---|---|---|
03:03:40 | API Interceptor |
Match (IP) | Prior samples | Detection | Threat names (count) |
---|---|---|---|
144.76.229.203 | 10 | malicious | FormBook (10) |
13.248.213.45 | 6 | malicious | FormBook (3); Unknown (2); FormBook, GuLoader, LummaC Stealer (1) |
194.9.94.85 | 10 | malicious | FormBook (8); FormBook, PureLog Stealer (2) |

Match (domain) | Prior samples | Detection | Threat names (count) |
---|---|---|---|
www.l33900.xyz | 9 | malicious | FormBook (9) |
www.qzsazi.info | 9 | malicious | FormBook (9) |

Match (ASN) | Prior samples | Detection | Threat names (count) |
---|---|---|---|
HETZNER-ASDE | 10 | malicious | Prometei (9); Vidar (1) |
VODANETInternationalIP-BackboneofVodafoneDE | 10 | malicious | Unknown (7); FormBook (2); Mirai (1) |
AMAZON-02US | 10 | malicious | Prometei (5); Unknown (3); FormBook (1); Mirai (1) |
LOOPIASE | 9 | malicious | FormBook (9) |
CLOUDFLARENETUS | 10 | malicious | Unknown (5); MSIL Logger, MassLogger RAT (2); Snake Keylogger (1); HTMLPhisher, Invisible JS, Tycoon2FA (1); AgentTesla, PureLog Stealer (1) |

(Associated sample names, SHA-256 values and context links were not preserved in the extraction.)
⊘No context
⊘No context
Process: | C:\Users\user\Desktop\eoIIBcxUj3.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11288 |
Entropy (8bit): | 7.6306513042729005 |
Encrypted: | false |
SSDEEP: | 192:b2wF5KLtwCKc+jymytziZ1P8kr51VI+YMw8tR6qJBNgJarEVcj1nIstq:b3F4LtwCSymyteZ2Q1Vji70OJhVs1IsM |
MD5: | 2981AF49DD93CAE9AE1C6D5B92AB6482 |
SHA1: | E110373408683F01C72E25D617B091D56F445EAB |
SHA-256: | 9B24987BC767FADAEDABC41B611FB094C39B9AFDBC29B01FC05A16D387225699 |
SHA-512: | FCAD78CB35793F3DC0D0EDA38F68A64A07F7356D4B520408979F79B10EF4BC5A58108C4A0817243DFF1D44E3ACE0610A3522BD9E1EC36830DE0BC979DC3BFB38 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\eoIIBcxUj3.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 288768 |
Entropy (8bit): | 7.994432681723551 |
Encrypted: | true |
SSDEEP: | 6144:1HeSZ29Lx5jAT2Xgpm9qZCLxIYlzkl/VIzRklFtIqiOVml:yx5saQkcCLxPlzkQzRa/liOVml |
MD5: | 8FA33E8E84C5354A288B702B87DD63D2 |
SHA1: | 72E73999DA878FB966E661A7928EE0B5FACBB356 |
SHA-256: | 27FACC5789B7A0B5555184BDE0EDED585D8AA77D6937FC4584449167ED5F8EAF |
SHA-512: | 9D51E71DB9A3A542EE416550716C0AA9EF95407DBF8479A57D1219757ACBC2FF5C7E21DA399E7B723D2CDE752EAA434792E0B8281A495E7D72E916B02B5F9696 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\sfc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 139264 |
Entropy (8bit): | 0.951889861146889 |
Encrypted: | false |
SSDEEP: | 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaWtPqfPk:CfJ6a9xpnQLqtzKWJntPqfM |
MD5: | 2791D27717CAB5981A0EA5AD07EE6B64 |
SHA1: | 1ACFA3E6B2D3A682CA918D6C1AA4AEBFBA2D9B75 |
SHA-256: | A2D12FE1A445318E2A559FA65998843F50469BEDB41B0F8EBEF008DB6EEE1A7F |
SHA-512: | 74FE33DD01CD441635EA88876E743B755C1092EAE29C8CA71E108995550C7994B1911295FC68F8B6688F0AC1CDB9313FC9A6714FB65BEA3F4956865978006E6F |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\eoIIBcxUj3.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 288768 |
Entropy (8bit): | 7.994432681723551 |
Encrypted: | true |
SSDEEP: | 6144:1HeSZ29Lx5jAT2Xgpm9qZCLxIYlzkl/VIzRklFtIqiOVml:yx5saQkcCLxPlzkQzRa/liOVml |
MD5: | 8FA33E8E84C5354A288B702B87DD63D2 |
SHA1: | 72E73999DA878FB966E661A7928EE0B5FACBB356 |
SHA-256: | 27FACC5789B7A0B5555184BDE0EDED585D8AA77D6937FC4584449167ED5F8EAF |
SHA-512: | 9D51E71DB9A3A542EE416550716C0AA9EF95407DBF8479A57D1219757ACBC2FF5C7E21DA399E7B723D2CDE752EAA434792E0B8281A495E7D72E916B02B5F9696 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\eoIIBcxUj3.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 57350 |
Entropy (8bit): | 2.7900409119053484 |
Encrypted: | false |
SSDEEP: | 384:kBV9WjQwYKEVecaiJpqGF2zGVfedBHyI8leWl05L1AyP5y+h8fauFR9I487:6y4gL1AyP8KXp |
MD5: | 581C7189F2C3334467B680F1E70FD26A |
SHA1: | 60A19ED64B6F8CB9C567311882DE1102868DD1A9 |
SHA-256: | F60BA40590A4305D4C12CA3D32BE2FC5C976A9C1B001BC92C432532C593AB684 |
SHA-512: | 5A17EA07B76456B3525481FEC20F080577488492462D694D03DAF053E54C25ED999B6D9DD4E59C7BD560F0A7CF19C7CFAF723C083DC63F64F7B346EAE938C8EC |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.133057707895621 |
TrID: | |
File name: | eoIIBcxUj3.exe |
File size: | 1'182'208 bytes |
MD5: | c2c8b9851e807452f57cd7a1fabec3ba |
SHA1: | d38ad61023caa4d2c2b10e3474ed5658d797cc58 |
SHA256: | 64826dad12787e9f9989046e0b0d1f58704e52968dbb12de2fcc948dbf2bf2d0 |
SHA512: | 3225598094182173ea751e6309c2f004b41b15ee1b0c390cfe991211d60c78b941cad038ffd20c58e0d62438c04b9f7347eceb384a3f8947fa46c65095b3d52c |
SSDEEP: | 24576:PAHnh+eWsN3skA4RV1Hom2KXFmIaleK3JvqW3f2tn5:yh+ZkldoPK1XalD3Vf+ |
TLSH: | 5545AD0273D2C036FFAB92739B6AF60556BD78254133852F13981DB9BD701B2272E663 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR.. |
Icon Hash: | aaf3e3e3938382a0 |
Entrypoint: | 0x42800a |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6799D872 [Wed Jan 29 07:27:46 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x56320 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11f000 | 0x7134 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | f006ab74d3c653b5c5a6cc0c77a171a2 | False | 0.32829838446475196 | data | 5.7632462979925245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xc8000 | 0x56320 | 0x56400 | 43f3df0e76be63dc496f493c466bbfeb | False | 0.9238734148550725 | data | 7.884669776507797 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x11f000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9 |
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
RT_RCDATA | 0xd07b8 | 0x4d5e8 | data | | | 1.0003344861535355 |
RT_GROUP_ICON | 0x11dda0 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
RT_GROUP_ICON | 0x11de18 | 0x14 | data | English | Great Britain | 1.25 |
RT_GROUP_ICON | 0x11de2c | 0x14 | data | English | Great Britain | 1.15 |
RT_GROUP_ICON | 0x11de40 | 0x14 | data | English | Great Britain | 1.25 |
RT_VERSION | 0x11de54 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
RT_MANIFEST | 0x11df30 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
DLL | Import |
---|---|
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
PSAPI.DLL | GetProcessMemoryInfo |
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
UxTheme.dll | IsThemeActive |
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
Description | Data |
---|---|
Translation | 0x0809 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Great Britain | |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-01T09:04:00.390735+0200 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.4 | 49724 | 13.248.213.45 | 80 | TCP |
- Total Packets: 152
Apr 1, 2025 09:05:34.821824074 CEST | 49741 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:34.999754906 CEST | 80 | 49741 | 162.218.30.235 | 192.168.2.4 |
Apr 1, 2025 09:05:34.999847889 CEST | 49741 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:36.323579073 CEST | 49741 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:37.343415976 CEST | 49742 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:37.508555889 CEST | 80 | 49742 | 162.218.30.235 | 192.168.2.4 |
Apr 1, 2025 09:05:37.508634090 CEST | 49742 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:37.527936935 CEST | 49742 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:37.692194939 CEST | 80 | 49742 | 162.218.30.235 | 192.168.2.4 |
Apr 1, 2025 09:05:37.692320108 CEST | 80 | 49742 | 162.218.30.235 | 192.168.2.4 |
Apr 1, 2025 09:05:37.692370892 CEST | 49742 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:39.044867039 CEST | 49742 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:40.061067104 CEST | 49743 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:40.240211010 CEST | 80 | 49743 | 162.218.30.235 | 192.168.2.4 |
Apr 1, 2025 09:05:40.240428925 CEST | 49743 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:40.252130985 CEST | 49743 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:40.421483994 CEST | 80 | 49743 | 162.218.30.235 | 192.168.2.4 |
Apr 1, 2025 09:05:40.424222946 CEST | 49743 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:40.427191019 CEST | 49743 | 80 | 192.168.2.4 | 162.218.30.235 |
Apr 1, 2025 09:05:40.590544939 CEST | 80 | 49743 | 162.218.30.235 | 192.168.2.4 |
Apr 1, 2025 09:05:45.627563000 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:05:46.755150080 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:05:48.807928085 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:05:52.892647028 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:00.901710033 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:07.983736038 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:09.078090906 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:11.095854044 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:15.198625088 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:23.198633909 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:30.233912945 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:31.266379118 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:33.275823116 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Apr 1, 2025 09:06:37.293139935 CEST | 49744 | 80 | 192.168.2.4 | 194.9.94.85 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 1, 2025 09:03:11.410608053 CEST | 53 | 53086 | 162.159.36.2 | 192.168.2.4 |
Apr 1, 2025 09:03:17.952788115 CEST | 53117 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:18.225131035 CEST | 53 | 53117 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:03:33.655392885 CEST | 51091 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:34.691181898 CEST | 51091 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:35.685921907 CEST | 51091 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:37.698370934 CEST | 51091 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:41.698461056 CEST | 51091 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:45.714806080 CEST | 60326 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:45.803064108 CEST | 53 | 60326 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:03:46.731940985 CEST | 65157 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:47.729831934 CEST | 65157 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:48.745316029 CEST | 65157 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:50.745239973 CEST | 65157 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:51.849114895 CEST | 53 | 65157 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:03:51.849191904 CEST | 53 | 65157 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:03:52.856453896 CEST | 52914 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:52.957776070 CEST | 53 | 52914 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:03:59.018047094 CEST | 57195 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:03:59.165592909 CEST | 53 | 57195 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:04:13.358824968 CEST | 55058 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:04:13.486046076 CEST | 53 | 55058 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:04:26.945852041 CEST | 52921 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:04:27.948574066 CEST | 52921 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:04:28.039468050 CEST | 53 | 52921 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:04:36.092961073 CEST | 52843 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:04:37.089287043 CEST | 52843 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:04:37.178788900 CEST | 53 | 52843 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:04:45.242784023 CEST | 63778 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:04:45.339003086 CEST | 53 | 63778 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:04:53.407294035 CEST | 61363 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:04:53.507210970 CEST | 53 | 61363 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:05:08.374314070 CEST | 52231 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:05:08.502291918 CEST | 53 | 52231 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:05:16.562122107 CEST | 58186 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:05:16.816375017 CEST | 53 | 58186 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:05:31.671436071 CEST | 59259 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:05:31.922574997 CEST | 53 | 59259 | 1.1.1.1 | 192.168.2.4 |
Apr 1, 2025 09:05:45.436824083 CEST | 62182 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 1, 2025 09:05:45.624501944 CEST | 53 | 62182 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 1, 2025 09:03:17.952788115 CEST | 192.168.2.4 | 1.1.1.1 | 0x89f7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:33.655392885 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:34.691181898 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:35.685921907 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:37.698370934 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:41.698461056 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:45.714806080 CEST | 192.168.2.4 | 1.1.1.1 | 0xc690 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:46.731940985 CEST | 192.168.2.4 | 1.1.1.1 | 0xb676 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:47.729831934 CEST | 192.168.2.4 | 1.1.1.1 | 0xb676 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:48.745316029 CEST | 192.168.2.4 | 1.1.1.1 | 0xb676 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:50.745239973 CEST | 192.168.2.4 | 1.1.1.1 | 0xb676 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:52.856453896 CEST | 192.168.2.4 | 1.1.1.1 | 0x2514 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:59.018047094 CEST | 192.168.2.4 | 1.1.1.1 | 0x7155 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:13.358824968 CEST | 192.168.2.4 | 1.1.1.1 | 0xcc34 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:26.945852041 CEST | 192.168.2.4 | 1.1.1.1 | 0xe6b8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:27.948574066 CEST | 192.168.2.4 | 1.1.1.1 | 0xe6b8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:36.092961073 CEST | 192.168.2.4 | 1.1.1.1 | 0x8e56 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:37.089287043 CEST | 192.168.2.4 | 1.1.1.1 | 0x8e56 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:45.242784023 CEST | 192.168.2.4 | 1.1.1.1 | 0x4b0b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:53.407294035 CEST | 192.168.2.4 | 1.1.1.1 | 0xe282 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:05:08.374314070 CEST | 192.168.2.4 | 1.1.1.1 | 0xc7a7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:05:16.562122107 CEST | 192.168.2.4 | 1.1.1.1 | 0xc924 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:05:31.671436071 CEST | 192.168.2.4 | 1.1.1.1 | 0x25ab | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:05:45.436824083 CEST | 192.168.2.4 | 1.1.1.1 | 0xb0b3 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 1, 2025 09:03:18.225131035 CEST | 1.1.1.1 | 192.168.2.4 | 0x89f7 | No error (0) | | 031233226.xyz | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 1, 2025 09:03:18.225131035 CEST | 1.1.1.1 | 192.168.2.4 | 0x89f7 | No error (0) | | | 144.76.229.203 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:45.803064108 CEST | 1.1.1.1 | 192.168.2.4 | 0xc690 | No error (0) | | 031233226.xyz | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 1, 2025 09:03:45.803064108 CEST | 1.1.1.1 | 192.168.2.4 | 0xc690 | No error (0) | | | 144.76.229.203 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:51.849114895 CEST | 1.1.1.1 | 192.168.2.4 | 0xb676 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:51.849191904 CEST | 1.1.1.1 | 192.168.2.4 | 0xb676 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:52.957776070 CEST | 1.1.1.1 | 192.168.2.4 | 0x2514 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:59.165592909 CEST | 1.1.1.1 | 192.168.2.4 | 0x7155 | No error (0) | | woodsplace.net | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 1, 2025 09:03:59.165592909 CEST | 1.1.1.1 | 192.168.2.4 | 0x7155 | No error (0) | | | 13.248.213.45 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:03:59.165592909 CEST | 1.1.1.1 | 192.168.2.4 | 0x7155 | No error (0) | | | 76.223.67.189 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:28.039468050 CEST | 1.1.1.1 | 192.168.2.4 | 0xe6b8 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:37.178788900 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e56 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:45.339003086 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b0b | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:04:53.507210970 CEST | 1.1.1.1 | 192.168.2.4 | 0xe282 | No error (0) | | | 47.83.1.90 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:05:08.502291918 CEST | 1.1.1.1 | 192.168.2.4 | 0xc7a7 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:05:16.816375017 CEST | 1.1.1.1 | 192.168.2.4 | 0xc924 | No error (0) | | | 47.83.1.90 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:05:31.922574997 CEST | 1.1.1.1 | 192.168.2.4 | 0x25ab | No error (0) | | | 162.218.30.235 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:05:45.624501944 CEST | 1.1.1.1 | 192.168.2.4 | 0xb0b3 | No error (0) | | | 194.9.94.85 | A (IP address) | IN (0x0001) | false |
Apr 1, 2025 09:05:45.624501944 CEST | 1.1.1.1 | 192.168.2.4 | 0xb0b3 | No error (0) | | | 194.9.94.86 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49723 | 144.76.229.203 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 1, 2025 09:03:18.423346996 CEST | 460 | OUT | |
Apr 1, 2025 09:03:18.600884914 CEST | 479 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49724 | 13.248.213.45 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 1, 2025 09:04:00.293005943 CEST | 730 | OUT | |
Apr 1, 2025 09:04:00.390646935 CEST | 73 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49725 | 13.248.213.45 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 1, 2025 09:04:02.938894033 CEST | 750 | OUT | |
Apr 1, 2025 09:04:03.030935049 CEST | 73 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49726 | 13.248.213.45 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 1, 2025 09:04:05.578892946 CEST | 7007 | OUT |