Windows Analysis Report
Confirmaci#U00f3n de pago_shrunk.exe
Overview
General Information
Sample name: | Confirmaci#U00f3n de pago_shrunk.exe (renamed because original name is a hash value) |
Original sample name: | Confirmación de pago_shrunk.exe |
Analysis ID: | 1518505 |
MD5: | 5f249a857aa4ec0d7811cbe49b1eac0e |
SHA1: | 9bc2fed4cf1f677c009ba9c0c224e15a07ee8dd4 |
SHA256: | e97a53902ccc623ff61147e3b7cb7e9abf77e8a61a401a317891ffaf73a7338a |
Tags: | exe, user-malrpt |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
- System is w10x64
- Confirmaci#U00f3n de pago_shrunk.exe (PID: 3020 cmdline: "C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe" MD5: 5F249A857AA4EC0D7811CBE49B1EAC0E)
  - RegAsm.exe (PID: 3780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |

Extracted malware configuration:

```json
{"C2 url": "https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendMessage?chat_id=-4169421237"}
```
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-25T18:51:27.695363+0200 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | TCP |
2024-09-25T18:51:27.695363+0200 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | TCP |
2024-09-25T18:51:27.696072+0200 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.8 | 49705 | TCP |
AV Detection |
---|
Avira |
Malware Configuration Extractor |
ReversingLabs |
Integrated Neural Analysis Model |
Joe Sandbox ML |
Static PE information |
HTTPS traffic detected |
Binary string |
Networking |
---|
Suricata IDS |
DNS query |
HTTP traffic detected |
IP Address |
ASN Name |
JA3 fingerprint |
UDP traffic detected without corresponding DNS query |
DNS traffic detected |
String found in binary or memory |
Network traffic detected |
HTTPS traffic detected |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
.Net Code |
System Summary |
---|
Matched rule |
Code function: 0_2_02D68EB8 |
Code function: 0_2_02D61252 |
Code function: 0_2_02D61260 |
Code function: 0_2_02D615B0 |
Code function: 2_2_030D9340 |
Code function: 2_2_030D4A50 |
Code function: 2_2_030D9AF0 |
Code function: 2_2_030D3E38 |
Code function: 2_2_030DCEA0 |
Code function: 2_2_030D4180 |
Binary or memory string |
Static PE information |
Cryptographic APIs |
Classification label |
File created |
Mutant created |
Static file information |
WMI Queries |
File read |
Key opened |
ReversingLabs |
Process created |
Section loaded |
Key value queried |
Binary string |
Data Obfuscation |
---|
.Net Code |
Static PE information |
Code function: 0_2_02D64A81 |
Code function: 0_2_02D65677 |
High entropy of concatenated method names |
Hooking and other Techniques for Hiding and Protection |
---|
Icon embedded in binary file |
Process information set |
Malware Analysis System Evasion |
---|
WMI Queries |
Memory allocated |
Thread delayed |
Thread sleep count |
Thread sleep time |
Binary or memory string |
Process information queried |
Process token adjusted |
HIPS / PFW / Operating System Protection Evasion |
---|
Memory allocated |
Memory written |
Process created |
Queries volume information |
Key value queried |
Stealing of Sensitive Information |
---|
File source |
Key opened |
File opened |
Remote Access Functionality |
---|
File source |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 311 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | 1 Credentials in Registry | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | 4 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 311 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Detection | Scanner | Label | Link |
---|---|---|---|
39% | ReversingLabs | Win32.Trojan.Generic | |
100% | Avira | TR/Dropper.Gen | |
100% | Joe Sandbox ML | | |
Detection | Scanner | Label | Link |
---|---|---|---|
0% | URL Reputation | safe | |
0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
transfer.adttemp.com.br | 104.196.109.209 | true | false | | unknown |
api.telegram.org | 149.154.167.220 | true | true | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true |
104.196.109.209 | transfer.adttemp.com.br | United States | 15169 | GOOGLEUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1518505 |
Start date and time: | 2024-09-25 18:50:22 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 2s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Confirmaci#U00f3n de pago_shrunk.exe (renamed because original name is a hash value) |
Original Sample Name: | Confirmación de pago_shrunk.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/1@2/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Confirmaci#U00f3n de pago_shrunk.exe
Time | Type | Description |
---|---|---|
12:51:23 | API Interceptor | |
Match | Detection | Threat Name |
---|---|---|
149.154.167.220 | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | malicious | MicroClip |
149.154.167.220 | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | malicious | MicroClip |
149.154.167.220 | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | malicious | VIP Keylogger |
149.154.167.220 | malicious | Snake Keylogger |
149.154.167.220 | malicious | MicroClip |
Match | Detection | Threat Name |
---|---|---|
api.telegram.org | malicious | Snake Keylogger, VIP Keylogger |
api.telegram.org | malicious | MicroClip |
api.telegram.org | malicious | Snake Keylogger, VIP Keylogger |
api.telegram.org | malicious | Snake Keylogger, VIP Keylogger |
api.telegram.org | malicious | MicroClip |
api.telegram.org | malicious | GuLoader, Snake Keylogger |
api.telegram.org | malicious | Snake Keylogger, VIP Keylogger |
api.telegram.org | malicious | VIP Keylogger |
api.telegram.org | malicious | Snake Keylogger |
api.telegram.org | malicious | MicroClip |
Match | Detection | Threat Name |
---|---|---|
TELEGRAMRU | malicious | Snake Keylogger, VIP Keylogger |
TELEGRAMRU | malicious | MicroClip |
TELEGRAMRU | malicious | Snake Keylogger, VIP Keylogger |
TELEGRAMRU | malicious | Snake Keylogger, VIP Keylogger |
TELEGRAMRU | malicious | MicroClip |
TELEGRAMRU | malicious | GuLoader, Snake Keylogger |
TELEGRAMRU | malicious | Snake Keylogger, VIP Keylogger |
TELEGRAMRU | malicious | VIP Keylogger |
TELEGRAMRU | malicious | Snake Keylogger |
TELEGRAMRU | malicious | MicroClip |
Match | Detection | Threat Name |
---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Snake Keylogger, VIP Keylogger |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | MicroClip |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | LummaC, Vidar |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | LummaC, Vidar |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | HTMLPhisher |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Unknown |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Unknown |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | LummaC, Stealc, Vidar |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | LummaC, Vidar |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Snake Keylogger, VIP Keylogger |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirmaci#U00f3n de pago_shrunk.exe.log
Process: | C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 847 |
Entropy (8bit): | 5.345615485833535 |
Encrypted: | false |
SSDEEP: | 24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR |
MD5: | EEEC189088CC5F1F69CEE62A3BE59EA2 |
SHA1: | 250F25CE24458FC0C581FDDF59FAA26D557844C5 |
SHA-256: | 5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11 |
SHA-512: | 2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 3.539492620386482 |
TrID: | |
File name: | Confirmaci#U00f3n de pago_shrunk.exe |
File size: | 208'896 bytes |
MD5: | 5f249a857aa4ec0d7811cbe49b1eac0e |
SHA1: | 9bc2fed4cf1f677c009ba9c0c224e15a07ee8dd4 |
SHA256: | e97a53902ccc623ff61147e3b7cb7e9abf77e8a61a401a317891ffaf73a7338a |
SHA512: | 021890218f651a97b7f2d3a490def666e3a70a55e40355a91ce912eaff80c60728a582128220d8ccc07653d6a131f6bef42892907153b6f25b52ecce22fbfc5c |
SSDEEP: | 1536:SD8LRJrCwGizMmnLU/lmOfsxdPTWQ7ZnbXnD630VD1:SQdJrCwG7Wo/lmOfsxdrWQFXWEVD1 |
TLSH: | FB14E60A36889711C59476F484FB4A6603E76DD22632C2963DF87B8A5E723A3DDC634C |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................................#... ...@....@.. ....................... ............`................................ |
Icon Hash: | 8f82989919951d01 |
Entrypoint: | 0x4123fe |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0xAEC31ED1 [Wed Nov 29 10:49:53 2062 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
(the add byte ptr [eax], al row repeats 97 times in the original listing: 00 00 decodes as that instruction, so these rows are the zero padding that follows the six-byte CLR entry stub, which jumps through the IAT at 0x402000 (RVA 0x2000, imagebase 0x400000) to mscoree.dll!_CorExeMain) |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x123b0 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x8408 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x12360 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x10404 | 0x10600 | 4044837c7c3d7dddda7029a942cfb4a3 | False | 0.5387494036259542 | data | 6.016905640132613 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.sdata | 0x14000 | 0x1e8 | 0x200 | 9d89f11f2f7efe85ec6025eaf9079f32 | False | 0.861328125 | data | 6.600064443351503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x16000 | 0x8408 | 0x8600 | ac53e23b087661ff82fb9228561598c5 | False | 0.28404850746268656 | data | 5.191248821715595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x20000 | 0xc | 0x200 | da2b73780e6bc1e8ac38140886608cbc | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x161c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5487588652482269 |
RT_ICON | 0x16628 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.37922138836772984 |
RT_ICON | 0x176d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.28060165975103735 |
RT_ICON | 0x19c78 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.25614076523382145 |
RT_GROUP_ICON | 0x1dea0 | 0x3e | data | | | 0.7903225806451613 |
RT_VERSION | 0x1dee0 | 0x33c | data | | | 0.4251207729468599 |
RT_MANIFEST | 0x1e21c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-25T18:51:27.695363+0200 | 2851779 | ETPRO MALWARE Agent Tesla Telegram Exfil | 1 | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | TCP |
2024-09-25T18:51:27.695363+0200 | 2852815 | ETPRO MALWARE Agent Tesla Telegram Exfil M2 | 1 | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | TCP |
2024-09-25T18:51:27.696072+0200 | 2854281 | ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound | 1 | 149.154.167.220 | 443 | 192.168.2.8 | 49705 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 25, 2024 18:51:22.987673998 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:22.987716913 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:22.987884045 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:22.998611927 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:22.998631954 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.656989098 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.657078028 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.664200068 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.664217949 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.664556026 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.715066910 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.775324106 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.815407991 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.889084101 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.889163017 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.889306068 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.889321089 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.889478922 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.889516115 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.889525890 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.889595032 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.889595032 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.907906055 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.908082008 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.908236980 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.908257961 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.949454069 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.979186058 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.979358912 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.979448080 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.979551077 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.979593992 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.979593992 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.979602098 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.979667902 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.980428934 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.980562925 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.980972052 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.981070995 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.997874022 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.997991085 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.998035908 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.998048067 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.998060942 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.999010086 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:23.999088049 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:23.999095917 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.043268919 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.066113949 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.066241026 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.066329956 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.066365004 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.066365004 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.066380978 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.066421986 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.066421986 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.067106962 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.067514896 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.067948103 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.068124056 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.068751097 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.068886995 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.068955898 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.068955898 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.068967104 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.069777012 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.069891930 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.069899082 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.069926023 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.069986105 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.069991112 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.070040941 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.070615053 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.070697069 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.070739985 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.070799112 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.084872007 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.084904909 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.084939003 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.084947109 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.085014105 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.085027933 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.085108042 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.085524082 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.085671902 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.154567003 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.154818058 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.154889107 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.154895067 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.154895067 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.154917955 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.155065060 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.155320883 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.155412912 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.155457973 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159040928 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159245014 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159317017 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.159317017 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.159348011 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159406900 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.159413099 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159454107 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159545898 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.159550905 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159727097 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159801960 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.159832001 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159861088 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159914017 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.159919024 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.159934998 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.160007000 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.160060883 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.160075903 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.160075903 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.160080910 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.160103083 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.173372030 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.173527002 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.173536062 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.173796892 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.173835993 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.173855066 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.173867941 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.173885107 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.174010992 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.174041033 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.174067974 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.174086094 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.174101114 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.174413919 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.174472094 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.174494028 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.174500942 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.174690008 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.174792051 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.174870968 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.174876928 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.174930096 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.242969990 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243027925 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243057013 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243130922 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.243154049 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243223906 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.243223906 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.243539095 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243604898 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243648052 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.243648052 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.243663073 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243707895 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243774891 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243807077 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.243814945 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.243834019 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.244065046 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.244136095 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.244164944 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.244174004 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.244190931 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.244463921 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.244550943 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.244556904 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.244568110 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.244636059 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.244637966 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.244688988 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.244695902 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.245039940 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.245091915 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.245098114 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.245217085 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.245287895 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.245301962 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.245363951 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.245450020 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.245455980 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.245508909 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.245515108 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.245686054 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.247817039 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.247878075 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.247910976 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.247920036 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.247946024 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.247993946 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.247993946 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.248002052 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.248047113 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.248076916 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.248111010 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.248148918 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.248156071 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.248164892 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.262011051 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.262146950 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.262300968 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.262300968 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.262321949 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.262517929 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8 |
Sep 25, 2024 18:51:24.262617111 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:24.283703089 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209 |
Sep 25, 2024 18:51:26.012808084 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Sep 25, 2024 18:51:26.012862921 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:26.013207912 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Sep 25, 2024 18:51:26.016957998 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Sep 25, 2024 18:51:26.016973972 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:26.636127949 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:26.636344910 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Sep 25, 2024 18:51:26.641592979 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Sep 25, 2024 18:51:26.641607046 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:26.641875982 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:26.683952093 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Sep 25, 2024 18:51:26.688114882 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Sep 25, 2024 18:51:26.731446028 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:26.949842930 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:26.950191975 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Sep 25, 2024 18:51:26.950232029 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:27.695590973 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:27.695806980 CEST | 443 | 49705 | 149.154.167.220 | 192.168.2.8 |
Sep 25, 2024 18:51:27.695883989 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Sep 25, 2024 18:51:27.717973948 CEST | 49705 | 443 | 192.168.2.8 | 149.154.167.220 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 25, 2024 18:51:22.810648918 CEST | 60480 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 25, 2024 18:51:22.977866888 CEST | 53 | 60480 | 1.1.1.1 | 192.168.2.8 |
Sep 25, 2024 18:51:26.000494003 CEST | 58848 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 25, 2024 18:51:26.007617950 CEST | 53 | 58848 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 25, 2024 18:51:22.810648918 CEST | 192.168.2.8 | 1.1.1.1 | 0x48c4 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 25, 2024 18:51:26.000494003 CEST | 192.168.2.8 | 1.1.1.1 | 0xb0c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 25, 2024 18:51:22.977866888 CEST | 1.1.1.1 | 192.168.2.8 | 0x48c4 | No error (0) | | | 104.196.109.209 | A (IP address) | IN (0x0001) | false |
Sep 25, 2024 18:51:26.007617950 CEST | 1.1.1.1 | 192.168.2.8 | 0xb0c | No error (0) | | | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49704 | 104.196.109.209 | 443 | 3020 | C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-25 16:51:23 UTC | 92 | OUT | |
2024-09-25 16:51:23 UTC | 312 | IN | |
2024-09-25 16:51:23 UTC | 3784 | IN | |
2024-09-25 16:51:23 UTC | 4408 | IN | |
2024-09-25 16:51:23 UTC | 3592 | IN | |
2024-09-25 16:51:23 UTC | 4600 | IN | |
2024-09-25 16:51:23 UTC | 3400 | IN | |
2024-09-25 16:51:23 UTC | 4792 | IN | |
2024-09-25 16:51:23 UTC | 3208 | IN | |
2024-09-25 16:51:23 UTC | 4984 | IN | |
2024-09-25 16:51:23 UTC | 3016 | IN | |
2024-09-25 16:51:23 UTC | 5176 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | 3780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-25 16:51:26 UTC | 260 | OUT | |
2024-09-25 16:51:26 UTC | 25 | IN | |
2024-09-25 16:51:26 UTC | 919 | OUT | |
2024-09-25 16:51:27 UTC | 1054 | IN |
Target ID: | 0 |
Start time: | 12:51:21 |
Start date: | 25/09/2024 |
Path: | C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb00000 |
File size: | 208'896 bytes |
MD5 hash: | 5F249A857AA4EC0D7811CBE49B1EAC0E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:51:23 |
Start date: | 25/09/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd80000 |
File size: | 65'440 bytes |
MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 14.2% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 86.4% |
Total number of Nodes: | 22 |
Total number of Limit Nodes: | 0 |
Function 02D68EB8 Relevance: 1.8, Strings: 1, Instructions: 596 (COMMON)
Function 02D686C0 Relevance: 1.6, APIs: 1, Instructions: 64 (COMMON)
Function 02D686F0 Relevance: 1.6, APIs: 1, Instructions: 63 (thread, COMMON)
Function 02D686A8 Relevance: 1.6, APIs: 1, Instructions: 63 (thread, COMMON)
Function 02D686D8 Relevance: 1.6, APIs: 1, Instructions: 54 (memory, COMMON)
Function 02D68708 Relevance: 1.5, APIs: 1, Instructions: 49 (thread, COMMON)
Function 0120D76D Relevance: .0, Instructions: 45 (COMMON)
Function 0120D76C Relevance: .0, Instructions: 36 (COMMON)
Function 02D615B0 Relevance: 2.6, Strings: 2, Instructions: 110 (COMMON)
Function 02D61252 Relevance: .1, Instructions: 149 (COMMON)
Function 02D61260 Relevance: .1, Instructions: 145 (COMMON)
Execution Graph
Execution Coverage: | 12.7% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 4 |
Total number of Limit Nodes: | 0 |
Function 030DF658 Relevance: 2.1, APIs: 1, Instructions: 646 (COMMON)
Function 0148D030 Relevance: .1, Instructions: 72 (COMMON)
Function 0148D006 Relevance: .1, Instructions: 72 (COMMON)