Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5AEFAB6D98B943DF267E28B42B5871E0)
- conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- file.exe (PID: 6416 cmdline: C:\Users\user\Desktop\file.exe MD5: 5AEFAB6D98B943DF267E28B42B5871E0)
- whoami.exe (PID: 1732 cmdline: whoami MD5: 801D9A1C1108360B84E60A457D5A773A)
- conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_ReverseSSH | Yara detected Outlook Reverse SSH | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_ReverseSSH | Yara detected Outlook Reverse SSH | Joe Security | |
Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: |
AV Detection
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | String found in binary or memory: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Boot Survival
Source: | Process created: |
Source: | Process information set: |
Source: | System information queried: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Process token adjusted: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: |
Stealing of Sensitive Information
Source: | File source: |
Remote Access Functionality
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Software Packing | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 11 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Detection | Scanner | Label |
---|---|---|
53% | ReversingLabs | Win32.Trojan.RevhellMarte |
100% | Avira | TR/AVI.Agent.cskbp |
100% | Joe Sandbox ML | |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
45.152.67.101 | unknown | Italy | 138576 | CODECCLOUD-AS-APCodecCloudHKLimitedHK | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1516783 |
Start date and time: | 2024-09-24 15:38:51 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal76.troj.winEXE@7/2@0/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; report is missing behavior information
- VT rate limit hit for: file.exe
Match | Detection | Threat Name |
---|---|---|
CODECCLOUD-AS-APCodecCloudHKLimitedHK | malicious | Clipboard Hijacker, Stealc, Vidar |
 | malicious | Stealc |
 | malicious | Stealc |
 | malicious | Clipboard Hijacker, Stealc, Vidar |
 | malicious | Stealc |
 | malicious | Stealc |
 | malicious | Clipboard Hijacker, Stealc, Vidar |
 | malicious | Stealc |
 | malicious | LummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, Stealc |
 | malicious | Clipboard Hijacker, Stealc, Vidar |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 116 |
Entropy (8bit): | 4.053374040827532 |
Encrypted: | false |
SSDEEP: | 3:rmHD/tH//lllLGlA1yqGlgZty:rmH2oty |
MD5: | 080E701E8B8E2E9C68203C150AC7C6B7 |
SHA1: | 4EF041621388B805758AE1D3B122F9D364705223 |
SHA-256: | FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D |
SHA-512: | C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 964 |
Entropy (8bit): | 5.138318928211823 |
Encrypted: | false |
SSDEEP: | 24:RQwN2wA2XvrY3zGVuC2XvFDuC2XvFDrDAZrhNreFNjt:zvMVvFgvFFt |
MD5: | 3EAE304D13E34F582E95BD7085173895 |
SHA1: | CB425773005C6CF6FD3D1D0731A7C089DD1BA1AF |
SHA-256: | E03ABB5A617C5B02628F788C0B3E91135FA0D90A7CE480DA6B5CD909687FD6C7 |
SHA-512: | 438D9260D5306B481AF6315D4A093BB48346B37780CBA7F922CEAE4F03E33859E8E76F6C063452F445A4523ABB0D7CA96C2F76FC832E5981AE1264DDEF19802D |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.8955675416201965 |
TrID: | |
File name: | file.exe |
File size: | 3'891'712 bytes |
MD5: | 5aefab6d98b943df267e28b42b5871e0 |
SHA1: | de1c5175217692ecec57e495324b0c614aa720bc |
SHA256: | 3896dedb4a4ca12282a10e96c17a220ee4a223ff3f786284e12a42fe3c59a114 |
SHA512: | 7482e019ca7e25145e97465c5f8f58a9785317d40c37a85058a6ef1c93dad2fcd39ec3864a9bd894fec2313ae2243f3b43b2cbfba2ec8f447d29d56c01ca086a |
SSDEEP: | 98304:7aui/tKaSe0HQxy0G/GcDW2fx2ZHbXXjCR9u:7aMaT0CC/GcDWSSbXXje9 |
TLSH: | 000633C42A424DDBAF3D243D5C93AF1E46CAA43831E585940E58B346A97F27532376CF |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B...............`;.......j.@{... j.......@.......................................@................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0xe57b40 |
Entrypoint Section: | UPX1 |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 6ed4f5f04d62b18d96b26d6db7c18840 |
Instruction |
---|
pushad |
mov esi, 00AA2015h |
lea edi, dword ptr [esi-006A1015h] |
push edi |
or ebp, FFFFFFFFh |
jmp 00007F452C887142h |
nop |
nop |
nop |
nop |
nop |
nop |
mov al, byte ptr [esi] |
inc esi |
mov byte ptr [edi], al |
inc edi |
add ebx, ebx |
jne 00007F452C887139h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F452C88711Fh |
mov eax, 00000001h |
add ebx, ebx |
jne 00007F452C887139h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc eax, eax |
add ebx, ebx |
jnc 00007F452C88713Dh |
jne 00007F452C88715Ah |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F452C887151h |
dec eax |
add ebx, ebx |
jne 00007F452C887139h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc eax, eax |
jmp 00007F452C887106h |
add ebx, ebx |
jne 00007F452C887139h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
jmp 00007F452C887184h |
xor ecx, ecx |
sub eax, 03h |
jc 00007F452C887143h |
shl eax, 08h |
mov al, byte ptr [esi] |
inc esi |
xor eax, FFFFFFFFh |
je 00007F452C8871A7h |
sar eax, 1 |
mov ebp, eax |
jmp 00007F452C88713Dh |
add ebx, ebx |
jne 00007F452C887139h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F452C8870FEh |
inc ecx |
add ebx, ebx |
jne 00007F452C887139h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F452C8870F0h |
add ebx, ebx |
jne 00007F452C887139h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
add ebx, ebx |
jnc 00007F452C887121h |
jne 00007F452C88713Bh |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jnc 00007F452C887116h |
add ecx, 02h |
cmp ebp, FFFFFB00h |
adc ecx, 02h |
lea edx, dword ptr [eax+eax] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa58000 | 0x88 | UPX2 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa58088 | 0xc | UPX2 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
UPX0 | 0x1000 | 0x6a1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
UPX1 | 0x6a2000 | 0x3b6000 | 0x3b5e00 | 179aedc367adb5f3ea918da332956022 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
UPX2 | 0xa58000 | 0x1000 | 0x200 | 7fab496d44771e0b72e556c0c1129a89 | False | 0.212890625 | data | 1.5487272665399665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 24, 2024 15:40:05.827290058 CEST | 53 | 56379 | 1.1.1.1 | 192.168.2.4 |
Target ID: | 0 |
Start time: | 09:39:43 |
Start date: | 24/09/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x160000 |
File size: | 3'891'712 bytes |
MD5 hash: | 5AEFAB6D98B943DF267E28B42B5871E0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 09:39:43 |
Start date: | 24/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 09:39:43 |
Start date: | 24/09/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x160000 |
File size: | 3'891'712 bytes |
MD5 hash: | 5AEFAB6D98B943DF267E28B42B5871E0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Target ID: | 3 |
Start time: | 09:39:51 |
Start date: | 24/09/2024 |
Path: | C:\Windows\SysWOW64\whoami.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xed0000 |
File size: | 58'880 bytes |
MD5 hash: | 801D9A1C1108360B84E60A457D5A773A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 4 |
Start time: | 09:39:51 |
Start date: | 24/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |