Windows
Analysis Report
fg}.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
fg}.exe (PID: 7540 cmdline:
"C:\Users\ user\Deskt op\fg}.exe " MD5: E9A886374BECFB0A5B1DC0FFCEE1A04A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
{"C2 url": ["people-climbing.gl.at.ply.gg"], "Port": "54251", "Aes key": "90734242", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
System Summary |
---|
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | URLs: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Operating System Destruction |
---|
Source: | Process information set: | Jump to behavior |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_00007FF886E273A6 | |
Source: | Code function: | 0_2_00007FF886E21168 | |
Source: | Code function: | 0_2_00007FF886E28152 | |
Source: | Code function: | 0_2_00007FF886E20E2D |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | LNK file: |
Source: | Static PE information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior |
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 2 Registry Run Keys / Startup Folder | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 221 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 2 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
71% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT | ||
100% | Avira | HEUR/AGEN.1305769 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | HEUR/AGEN.1305769 | ||
100% | Joe Sandbox ML | |||
71% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
people-climbing.gl.at.ply.gg | 147.185.221.20 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
147.185.221.20 | people-climbing.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1465717 |
Start date and time: | 2024-07-02 00:31:10 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | fg}.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@1/2@1/1 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target fg}.exe, PID 7540 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: fg}.exe
Time | Type | Description |
---|---|---|
18:32:16 | API Interceptor | |
23:32:04 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
147.185.221.20 | Get hash | malicious | RedLine | Browse | ||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | PureLog Stealer, XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | AsyncRAT, XWorm | Browse | |||
Get hash | malicious | AsyncRAT, DcRat, Quasar, XWorm | Browse | |||
Get hash | malicious | AsyncRAT, DcRat, Quasar, XWorm | Browse | |||
Get hash | malicious | AsyncRAT, DcRat | Browse | |||
Get hash | malicious | AsyncRAT, DcRat, Quasar, XWorm | Browse | |||
Get hash | malicious | Quasar | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
people-climbing.gl.at.ply.gg | Get hash | malicious | RedLine | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
SALSGIVERUS | Get hash | malicious | RedLine | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | PureLog Stealer, XWorm | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse |
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Download File
Process: | C:\Users\user\Desktop\fg}.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 763 |
Entropy (8bit): | 5.044858479027047 |
Encrypted: | false |
SSDEEP: | 12:8S24o6idtChToyedY//pFTr4X7SLcFXXjAXVwNHkMp5mV:8EO8oyZfEX4cFXzAXVwCMp5m |
MD5: | 97A12910391572B661EB114ECEC6F126 |
SHA1: | FDCED288806CF8BF247983F75FCC583D85F00BDF |
SHA-256: | 3848F0A8FF68EA6605992B9726398902BB393148346AD2C245D37BA2A129F4D2 |
SHA-512: | 11B34F8B7AABC0603D42D76B55C60038DC5441EAF42BAEFDD101107D66E637BA5F854662444BEF463133418F586F838D8F5E4FFDF4B4F516E799C43A3733DFC8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\fg}.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59392 |
Entropy (8bit): | 5.897811546999433 |
Encrypted: | false |
SSDEEP: | 1536:R3iKaQ7P66xgWbXPIT+VvVkby0A4OiUheAImOF+V3:fPFN0Tg9kby0siA/ROF+V3 |
MD5: | E9A886374BECFB0A5B1DC0FFCEE1A04A |
SHA1: | C692A6E9437299878B43EA5FA8EE1BE0E1F5C782 |
SHA-256: | 7E694DFC8060BBBAF8C4139F974696D5FC3BE48BD9D9D46EB166F55F7C024FB2 |
SHA-512: | BC9E0AFFC52EA052EEBF1D4B2AFF0E89BEC9B4780F14914EF14E27BB44A83E266791555FD79B5C1117953B37FE4623B2F6AFEFFB4F281A0D94E9A4261B882284 |
Malicious: | true |
Yara Hits: |
|
Antivirus: |
|
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.897811546999433 |
TrID: |
|
File name: | fg}.exe |
File size: | 59'392 bytes |
MD5: | e9a886374becfb0a5b1dc0ffcee1a04a |
SHA1: | c692a6e9437299878b43ea5fa8ee1be0e1f5c782 |
SHA256: | 7e694dfc8060bbbaf8c4139f974696d5fc3be48bd9d9d46eb166f55f7c024fb2 |
SHA512: | bc9e0affc52ea052eebf1d4b2aff0e89bec9b4780f14914ef14e27bb44a83e266791555fd79b5c1117953b37fe4623b2f6afeffb4f281a0d94e9a4261b882284 |
SSDEEP: | 1536:R3iKaQ7P66xgWbXPIT+VvVkby0A4OiUheAImOF+V3:fPFN0Tg9kby0siA/ROF+V3 |
TLSH: | 83436A1837F60225F2FF5FF529E16162C639F7236903965F24C902DA0713A8ACD51AF6 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..f............................>.... ........@.. .......................@............@................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40fc3e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66831D48 [Mon Jul 1 21:19:04 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfbf0 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x4be | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xdc44 | 0xde00 | baa958dc94d5b167404e977146ec8d4f | False | 0.6002956081081081 | data | 5.991674708313243 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0x4be | 0x600 | 635a1219cb3c0e23809638fc919ab03d | False | 0.3697916666666667 | data | 3.686881748510271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x12000 | 0xc | 0x200 | 58ee1032f6af482ce652886dbcd7809c | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x100a0 | 0x234 | data | 0.4716312056737589 | ||
RT_MANIFEST | 0x102d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5469387755102041 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 2, 2024 00:32:08.283756018 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:32:08.289947033 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:32:08.290194988 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:32:08.474205971 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:32:08.480635881 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:32:20.420104027 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:32:20.427763939 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:32:32.380182028 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:32:32.384958982 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:32:44.320082903 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:32:44.327402115 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:32:56.273180962 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:32:56.279546976 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:08.226607084 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:08.233464956 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:09.476289034 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:09.482713938 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:20.335757971 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:20.342751026 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:20.351176023 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:20.358215094 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:20.366816998 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:20.373672962 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:20.398129940 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:20.402987003 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:20.414129972 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:20.419013023 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:20.429286003 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:20.434169054 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:25.413786888 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:25.420149088 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:34.274250031 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:34.280606031 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:35.601562977 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:35.606400013 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:35.710988998 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:35.715758085 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:35.758014917 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:35.762754917 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:36.882520914 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:36.887677908 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:38.383049011 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:38.389580011 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:38.945117950 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:38.951742887 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:40.913786888 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:40.920202971 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:44.179810047 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:44.186912060 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:53.164052963 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:53.171169043 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:58.024579048 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:58.033519030 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:33:58.992074966 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:33:58.998759031 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:01.414079905 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:01.419080019 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:02.226635933 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:02.231954098 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:02.242299080 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:02.250699997 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:02.289421082 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:02.296400070 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.601511002 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.607888937 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.617067099 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.624032021 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.648293018 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.655318022 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.773552895 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.780433893 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.804647923 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.811419964 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.820195913 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.826709032 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.867064953 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.875735044 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.882869959 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.889520884 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.914063931 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.920452118 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.945328951 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.951540947 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.960812092 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.967046976 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:07.976371050 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:07.982722044 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:08.039118052 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:08.046104908 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:09.820207119 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:09.826582909 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:21.785737038 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:22.007431030 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:22.319930077 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:22.746247053 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:22.746259928 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:22.746268034 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:22.976600885 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:22.983740091 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:25.446165085 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:25.452150106 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:25.617252111 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:25.622734070 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:31.148428917 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:31.366837978 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:31.387351990 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:31.387366056 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:33.648632050 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:33.655334949 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:38.900151014 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:38.907917023 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:42.461194992 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:42.467982054 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:43.757795095 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:43.764770985 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:43.898646116 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:43.907260895 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:44.179766893 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:44.187383890 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:44.195552111 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:44.202931881 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:54.367341995 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:54.372127056 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:34:59.773411989 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:34:59.781447887 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:05.335978031 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:05.342515945 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:10.539167881 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:10.545511961 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:10.570318937 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:10.575361967 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:10.585954905 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:10.591981888 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:12.961075068 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:12.968214035 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:15.711249113 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:15.717544079 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:15.726608992 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:15.733087063 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:27.679828882 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:27.684683084 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:28.959491968 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:28.962657928 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:30.883028984 CEST | 49706 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:30.887070894 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:30.890341997 CEST | 54251 | 49706 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:30.893811941 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:30.894295931 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:31.019138098 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:31.023977041 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:31.039150953 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:31.043953896 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:36.148578882 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:36.155071974 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:36.273605108 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:36.279881954 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:36.289243937 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:36.295341015 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:36.320528984 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:36.326968908 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:36.601821899 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:36.608747959 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:36.664205074 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:36.670938015 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:36.679909945 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:36.686486959 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:36.695408106 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:36.702387094 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:36.711093903 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:36.717653036 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:40.368356943 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:40.375300884 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:51.477274895 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:51.483793020 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:55.104372025 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:55.110842943 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:55.914397955 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:55.921281099 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:57.985822916 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:57.990684032 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.398704052 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.406986952 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.414448023 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.419533968 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.430017948 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.435175896 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.508311987 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.513259888 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.523638964 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.528517962 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.586153030 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.592602015 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.601670027 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.606570005 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.617806911 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.622623920 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.633107901 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.638025045 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:35:58.648669004 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:35:58.653539896 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:36:03.898994923 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:36:03.903994083 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:36:03.914510965 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:36:03.919512033 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:36:04.101852894 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:36:04.106971025 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Jul 2, 2024 00:36:06.633133888 CEST | 57057 | 54251 | 192.168.2.9 | 147.185.221.20 |
Jul 2, 2024 00:36:06.640301943 CEST | 54251 | 57057 | 147.185.221.20 | 192.168.2.9 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 2, 2024 00:32:08.254940033 CEST | 57269 | 53 | 192.168.2.9 | 1.1.1.1 |
Jul 2, 2024 00:32:08.266727924 CEST | 53 | 57269 | 1.1.1.1 | 192.168.2.9 |
Jul 2, 2024 00:32:20.282305002 CEST | 53 | 55712 | 1.1.1.1 | 192.168.2.9 |
Jul 2, 2024 00:32:21.813931942 CEST | 53 | 63116 | 1.1.1.1 | 192.168.2.9 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jul 2, 2024 00:32:08.254940033 CEST | 192.168.2.9 | 1.1.1.1 | 0xbcde | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jul 2, 2024 00:32:08.266727924 CEST | 1.1.1.1 | 192.168.2.9 | 0xbcde | No error (0) | 147.185.221.20 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 18:31:58 |
Start date: | 01/07/2024 |
Path: | C:\Users\user\Desktop\fg}.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4d0000 |
File size: | 59'392 bytes |
MD5 hash: | E9A886374BECFB0A5B1DC0FFCEE1A04A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF886E273A6 Relevance: .5, Instructions: 489COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF886E28152 Relevance: .5, Instructions: 465COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF886E20E2D Relevance: .2, Instructions: 210COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|