Edit tour

Windows Analysis Report
N5kEzgUBn6.exe

Overview

General Information

Sample name:	N5kEzgUBn6.exe renamed because original name is a hash value
Original sample name:	b786010ab288fd61617745597967a99d.exe
Analysis ID:	1584331
MD5:	b786010ab288fd61617745597967a99d
SHA1:	0130c977c465931769be8b8e7a0c300fefb3244d
SHA256:	28862d7e7fa8ce768d129d13300e56637a4795ccf6bc100bd5e04d5a682fa1ff
Tags:	exeuser-abuse_ch
Infos:

Detection

CobaltStrike, Metasploit

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

N5kEzgUBn6.exe (PID: 4208 cmdline: "C:\Users\user\Desktop\N5kEzgUBn6.exe" MD5: B786010AB288FD61617745597967A99D)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 6976 cmdline: C:\Windows\system32\WerFault.exe -u -p 4208 -s 2032 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://01.201.227.94:6789/api/v1/worldwide", "User Agent": "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36\r\n"}

Threatname: Metasploit

{"Headers": "Accept: */*\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://101.201.227.94/api/v1/worldwide"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x79b1:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x7a1d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0xa181:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0xa1ed:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T08:37:36.299704+0100	2028765	3	Unknown Traffic	192.168.2.4	49730	101.201.227.94	6789	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://01.201.227.94:6789/api/v1/worldwide", "User Agent": "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36\r\n"}
Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "Accept: /\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://101.201.227.94/api/v1/worldwide"}

Multi AV Scanner detection for submitted file

Source: N5kEzgUBn6.exe	Virustotal: Detection: 61%			Perma Link
Source: N5kEzgUBn6.exe	ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: N5kEzgUBn6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\qqq777\source\repos\QitaZhuru\x64\Release\QitaZhuru.pdb source: N5kEzgUBn6.exe
Source:	Binary string: C:\Users\qqq777\source\repos\QitaZhuru\x64\Release\QitaZhuru.pdb'' source: N5kEzgUBn6.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://01.201.227.94:6789/api/v1/worldwide
Source: Malware configuration extractor	URLs: http://101.201.227.94/api/v1/worldwide

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 101.201.227.94:6789

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd

Source: Network traffic

Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 101.201.227.94:6789

Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94
Source: unknown	TCP traffic detected without corresponding DNS query: 101.201.227.94

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

Code function: 0_2_000001E8EF6F010C InternetConnectA,VirtualAlloc,InternetReadFile,

0_2_000001E8EF6F010C

Source: N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDD19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDD3B000.00000004.00000020.00020000.00000000.sdmp, N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDD55000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: N5kEzgUBn6.exe, 00000000.00000003.1780197013.000001E8EF80E000.00000004.00000020.00020000.00000000.sdmp, N5kEzgUBn6.exe, 00000000.00000003.1780377090.000001E8EF836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?444de55e10f56
Source: N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDD3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabH
Source: N5kEzgUBn6.exe, 00000000.00000003.1779868251.000001E8EF84A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?444de55e10
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDD19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101.201.227.94/
Source: N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDD19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101.201.227.94/:
Source: N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDCA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101.201.227.94:6789/api/v1/worldwide
Source: N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDCA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101.201.227.94:6789/api/v1/worldwide1ad4

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp, type: DROPPED	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp, type: DROPPED	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

Code function: 0_2_000001E8EF6F010C

0_2_000001E8EF6F010C

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4208 -s 2032

Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal88.troj.winEXE@3/8@0/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4208

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9ad87e43-739f-409f-85b5-d3ad487d459c

Jump to behavior

Source: N5kEzgUBn6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: N5kEzgUBn6.exe	Virustotal: Detection: 61%
Source: N5kEzgUBn6.exe	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\N5kEzgUBn6.exe "C:\Users\user\Desktop\N5kEzgUBn6.exe"
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4208 -s 2032

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: N5kEzgUBn6.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: N5kEzgUBn6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: N5kEzgUBn6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: N5kEzgUBn6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: N5kEzgUBn6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: N5kEzgUBn6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: N5kEzgUBn6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: N5kEzgUBn6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: N5kEzgUBn6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\qqq777\source\repos\QitaZhuru\x64\Release\QitaZhuru.pdb source: N5kEzgUBn6.exe
Source:	Binary string: C:\Users\qqq777\source\repos\QitaZhuru\x64\Release\QitaZhuru.pdb'' source: N5kEzgUBn6.exe

Source: N5kEzgUBn6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: N5kEzgUBn6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: N5kEzgUBn6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: N5kEzgUBn6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: N5kEzgUBn6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

Code function: 0_2_00007FF6C4921130 GetModuleHandleA,GetProcAddress,MessageBoxW,VirtualProtect,MessageBoxW,MessageBoxW,MessageBoxW,VirtualProtect,printf,GetModuleHandleW,LoadLibraryW,GetProcAddress,VirtualAlloc,printf,printf,printf,printf,GetDC,printf,

0_2_00007FF6C4921130

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Code function: 0_2_000001E8EF6F010C push eax; ret		0_2_000001E8EF6F0387
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Code function: 0_2_000001E8EF6F012B push eax; ret		0_2_000001E8EF6F0387

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDD3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDCA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP*
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

Code function: 0_2_00007FF6C4921CF4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6C4921CF4

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

0_2_00007FF6C4921130

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Code function: 0_2_00007FF6C49217DC MessageBoxW,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6C49217DC
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Code function: 0_2_00007FF6C4921CF4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6C4921CF4
Source: C:\Users\user\Desktop\N5kEzgUBn6.exe	Code function: 0_2_00007FF6C4921E98 SetUnhandledExceptionFilter,	0_2_00007FF6C4921E98

Source: C:\Users\user\Desktop\N5kEzgUBn6.exe

Code function: 0_2_00007FF6C4921BD4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6C4921BD4

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match	File source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
N5kEzgUBn6.exe	61%	Virustotal		Browse
N5kEzgUBn6.exe	45%	ReversingLabs	Win64.Backdoor.Cobeacon

Source	Detection	Scanner	Label
http://101.201.227.94/api/v1/worldwide	0%	Avira URL Cloud	safe
https://101.201.227.94/	0%	Avira URL Cloud	safe
https://101.201.227.94:6789/api/v1/worldwide	0%	Avira URL Cloud	safe
http://01.201.227.94:6789/api/v1/worldwide	0%	Avira URL Cloud	safe
https://101.201.227.94/:	0%	Avira URL Cloud	safe
https://101.201.227.94:6789/api/v1/worldwide1ad4	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.201.227.94/api/v1/worldwide	true	Avira URL Cloud: safe	unknown
http://01.201.227.94:6789/api/v1/worldwide	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://101.201.227.94:6789/api/v1/worldwide1ad4	N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDCA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://101.201.227.94/	N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDD19000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://101.201.227.94/:	N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDD19000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://101.201.227.94:6789/api/v1/worldwide	N5kEzgUBn6.exe, 00000000.00000002.2255989910.000001E8EDCA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
101.201.227.94	unknown	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584331
Start date and time:	2025-01-05 08:36:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	N5kEzgUBn6.exe renamed because original name is a hash value
Original Sample Name:	b786010ab288fd61617745597967a99d.exe
Detection:	MAL
Classification:	mal88.troj.winEXE@3/8@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 6 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 13.89.179.12, 20.190.159.64, 52.149.20.212, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	199.232.214.172
	setup64v9.3.4.msi	Get hash	malicious	Unknown	Browse	199.232.210.172
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	199.232.210.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.214.172
	phishingtest.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	a36r7SLgH7.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	199.232.214.172
	2Mi3lKoJfj.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	Reparto Trabajo TP4.xlsm	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	3.elf	Get hash	malicious	Unknown	Browse	8.189.180.251
	3.elf	Get hash	malicious	Unknown	Browse	8.138.48.163
	armv6l.elf	Get hash	malicious	Unknown	Browse	223.4.27.34
	armv5l.elf	Get hash	malicious	Unknown	Browse	8.130.140.184
	fuckunix.sh4.elf	Get hash	malicious	Mirai	Browse	8.158.86.51
	Fantazy.i686.elf	Get hash	malicious	Unknown	Browse	8.132.136.89
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	47.114.163.84
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	8.167.229.71
	31.13.224.14-x86-2025-01-03T22_14_18.elf	Get hash	malicious	Mirai	Browse	47.118.212.14

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_N5kEzgUBn6.exe_309d83d53bcf496a78176fedab9a2758889b_58e8ce5c_5a917976-d008-451c-8665-7ba8cc86e08e\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1022808772324637
Encrypted:	false
SSDEEP:	96:/eFTpNpRZmsjGheoh7JfvQXIDcQWc6zcEZcw37sbA+HbHg/8BRTf3FOycuPz5A4w:m9Bm40I3DEjcjZR3zuiFc6Z24lO8P
MD5:	AC51B096ECFB4D68100273275ECDC8A0
SHA1:	6E3ED4CECACBD77EA126BD59460A6D62F0AB5BF3
SHA-256:	6C5EB9A412428A700D49D12CDECCBAD07B7C2A096C66F11CE8C541A64DEDCA33
SHA-512:	C290AD87BEDEA349B8D916F568A91B4769475C38756C290D495BE46D1554D083C1B62B54A19680D4748E0E2381764E81CA837C935C2BDA15B232CFBBD53716F4
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.5.3.6.2.6.1.6.7.2.1.1.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.5.3.6.2.6.2.1.0.9.6.0.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.9.1.7.9.7.6.-.d.0.0.8.-.4.5.1.c.-.8.6.6.5.-.7.b.a.8.c.c.8.6.e.0.8.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.d.9.4.3.b.b.-.9.b.9.9.-.4.2.4.2.-.8.1.9.6.-.5.c.1.e.e.d.b.d.7.9.b.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.N.5.k.E.z.g.U.B.n.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.7.0.-.0.0.0.1.-.0.0.1.4.-.a.e.a.e.-.9.3.a.b.4.4.5.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.4.f.f.0.9.1.f.9.d.0.7.c.1.2.9.f.e.8.4.2.f.1.a.9.b.1.2.5.6.1.e.0.0.0.0.f.f.f.f.!.0.0.0.0.0.1.3.0.c.9.7.7.c.4.6.5.9.3.1.7.6.9.b.e.8.b.8.e.7.a.0.c.3.0.0.f.e.f.b.3.2.4.4.d.!.N.5.k.E.z.g.U.B.n.6...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.3.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Jan 5 07:37:41 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	179354
Entropy (8bit):	1.511291524204809
Encrypted:	false
SSDEEP:	384:fkU3AyiX9LXLZGT6fe7/PDbe39ytkKeq:fk5yiZlTfejL63Ekq
MD5:	26AB1726A25C1A86DECAAB89DC82991A
SHA1:	7A724EDAC48D70AAC31A8203816B3C365999943C
SHA-256:	4AC56A2400E8050D353938BD5297F9E0A468BA1C30D9D7EDA5587C52DCF5F47E
SHA-512:	33300CE0813C5C51807DE55FDF4EDA239B4634E1D3031B9AAD953E030E30F111C0589731E65D0D8086B846A5611FDC639AFB481425CD442E3025A8A79205E5EC
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp, Author: unknown
Reputation:	low
Preview:	MDMP..a..... ........6zg.........................................k..........T.......8...........T...........HT..Rh...........'...........)..............................................................................eJ.......)......Lw......................T.......p....6zg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD139.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10204
Entropy (8bit):	3.7157675113049344
Encrypted:	false
SSDEEP:	192:R6l7wVeJAsla6Y9eEIPemgmfA+pDy89bVYsmf2nm:R6lXJ7la6YEEI2mgmfAIVSfH
MD5:	0861C6B57C4538FBC1B89DEE8B7F38D8
SHA1:	99B275B9C51058C5AFBA7B30E631E8EC480552F2
SHA-256:	69D3C918DC567A2088580587D5988C80650D51E3B0ACA0CD98A0D4A3E5DF7ADE
SHA-512:	5E269B219AE5A571C1408C1A5C38818E85942C3C5D0EC7F10F35170C15412DA57DC87F7C4F09528D392F1A6A3DC678BA9E5D8AA288594DB6B1168B26DD5D9EAD
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD169.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4689
Entropy (8bit):	4.496373340545445
Encrypted:	false
SSDEEP:	48:cvIwWl8zsnJg771I9ZeWpW8VYrYm8M4JfROKFwkjyq8558OHJpk1had:uIjfJI7+f7VTJpbjXUXk1had
MD5:	E3BCE857EB5ED9FC4969BE831F320CC2
SHA1:	ACA69A3C3BB0EE14F804785502A6D1DA4D4126D4
SHA-256:	C753571FF65301CB4CF02FE135C7A1F46603ACB6E6D600F88218EED6CC564677
SHA-512:	97E33C3EB05B8F6CF43A1EEC57B9474932EBFD9BA2FE3D0428663C5DB264F83AE2770EFA6A2EBD8B56F981B7F2E5B947084ACFD885F5F2B6BFA82663BE634A4D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="662320" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\N5kEzgUBn6.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\N5kEzgUBn6.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.2539954282295116
Encrypted:	false
SSDEEP:	6:kK5wVi9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:2VdDImsLNkPlE99SNxAhUe/3
MD5:	8E4B3B01EC0EE4E3AD06CD693A26D401
SHA1:	654241F1534C1A4E39432A04EFA9402B0DA30895
SHA-256:	6852989C4044EAAC7FE404C60A5FB6509472C391AB24445514FD2650C844D963
SHA-512:	EE824C15AA70849C6C7F2513CF032B001B3A32A81E940F05A29FD120222084F52461DB4B1E654136BC6F9D5439B0F6899E326F8E5DB5C2F8A96975250B09D37E
Malicious:	false
Reputation:	low
Preview:	p...... ........Lk..D_..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46559875016147
Encrypted:	false
SSDEEP:	6144:qIXfpi67eLPU9skLmb0b4xWSPKaJG8nAgejZMMhA2gX4WABl0uNmdwBCswSbtH:fXD94xWlLZMM6YFHU+t
MD5:	A86F03CF4B6EAA37F8FBA20660F6A625
SHA1:	97D27DFAA3937BE38DA5C3A88873C9E01CA9CD7D
SHA-256:	C6C12FCFD68EA1B64FD3AF8FD334D6BF013660C517AB69C8A4C8F02320DF2748
SHA-512:	48A8C3BBA92E8F50870552860360A283FE7555120180DE3C761E589CFBB103D0FCE12B9D4B1CF3AD3D428A9592532C94BC47954F7052FF943B1DA00FDF0D5826
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...D_.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\N5kEzgUBn6.exe
File Type:	ASCII text, with very long lines (31640), with no line terminators
Category:	dropped
Size (bytes):	31640
Entropy (8bit):	2.348214012913038
Encrypted:	false
SSDEEP:	96:WtjUQ7mzvFuQerf6gvIwVVoU/Asns/9wtC:WtjmsQervVVFznslwA
MD5:	ABC950176DB1968172CB6DE873E34FFA
SHA1:	83D58DC06856F4005F9B2434E96C123DBAC64E9E
SHA-256:	202CDBB7B5E5292B8E6A82AA511BD4EBA8A1831A21904EB3712C4EE71C497603
SHA-512:	CBDD81A2941A23A082D17ACEEED41BA4A06EC9C78A026E4517BA633D48305FB79F22D140904ABD8B089BCFDB29E8A7803890E756A9EC8EFAA8F0CEBB6B4CA4C0
Malicious:	false
Preview:	1231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231231

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.025958466510093
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	N5kEzgUBn6.exe
File size:	16'384 bytes
MD5:	b786010ab288fd61617745597967a99d
SHA1:	0130c977c465931769be8b8e7a0c300fefb3244d
SHA256:	28862d7e7fa8ce768d129d13300e56637a4795ccf6bc100bd5e04d5a682fa1ff
SHA512:	9c3bf712501828fb47ddb9123ec472fc4beae78be3402fba2bd6c35f97a433cc32dd8bbec46464c45b5b360bba6370ad0c5873bd4428e8887bcb1e79245be174
SSDEEP:	192:ou+0wIIlnoFGyPQPke5k1ExMJunMgve3Q5FCchHGm0qpducRe:ou+9II+GzMok1ExME9W3wmm0dcRe
TLSH:	DE725E8BB3824CEED4264136C877552AD1F1B3191771D69B1790CA2E2F377E0BC26A4D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........eH...&...&...&..\|....&.\.'...&.\.#...&.\."...&.\.%...&..\|'...&...'...&.m./...&.m.....&.m.$...&.Rich..&........................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400017c8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6773E7F3 [Tue Dec 31 12:47:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2e4d0451a0a5618141afbb0028775e18

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBD907C4328h
dec eax
add esp, 28h
jmp 00007FBD907C3D97h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00001853h]
dec eax
mov ecx, ebx
call dword ptr [00001842h]
call dword ptr [0000184Ch]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00001840h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00001834h]
test eax, eax
je 00007FBD907C3F29h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00003D2Ah]
call 00007FBD907C3FCEh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00003E11h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00003DA1h], eax
dec eax
mov eax, dword ptr [00003DFAh]
dec eax
mov dword ptr [00003C6Bh], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00003D6Fh], eax
mov dword ptr [00003C45h], C0000409h
mov dword ptr [00003C3Fh], 00000001h
mov dword ptr [00003C49h], 00000001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3e4c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6000	0x204	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x35b0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3470	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14cc	0x1600	ec5d3d6dcce82c7d7614c6d86db811c9	False	0.5871803977272727	data	5.846706926546752	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x1638	0x1800	a5db46c62fb50ab8bbbc31cc4b1c64b4	False	0.3474934895833333	data	3.7937316567644777	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5000	0xad0	0x600	6f1394d82b2cd107e2fb86a7d5f9b057	False	0.7063802083333334	data	6.145879486341178	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6000	0x204	0x400	7ce68a42beaadf6116e3f0cc8964e317	False	0.2880859375	PEX Binary Archive	2.203453160464168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7000	0x1e0	0x200	0b35de07beeb30d1d6013cbca2846303	False	0.525390625	data	4.701503258251789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x58	0x200	5b0a186b4cf00b7a3df98b4a53f9a8a7	False	0.19921875	data	1.187975255208191	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x7060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	VirtualProtect, GetModuleHandleA, LoadLibraryW, GetProcAddress, GetModuleHandleW, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, RtlCaptureContext, IsDebuggerPresent, InitializeSListHead
USER32.dll	GetDC, MessageBoxW
VCRUNTIME140.dll	memset, __C_specific_handler, __current_exception, __std_exception_copy, __current_exception_context, __std_exception_destroy, _CxxThrowException, memcpy
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vfprintf, __acrt_iob_func, __p__commode, _set_fmode
api-ms-win-crt-runtime-l1-1-0.dll	_register_onexit_function, _initialize_onexit_table, _crt_atexit, terminate, _seh_filter_exe, _set_app_type, _cexit, __p___argv, _c_exit, __p___argc, _exit, exit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _register_thread_local_exe_atexit_callback
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, malloc, _set_new_mode, free

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T08:37:36.299704+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49730	101.201.227.94	6789	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 08:37:35.340795994 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:35.345714092 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:35.345781088 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:35.355108023 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:35.359930038 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:36.299639940 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:36.299704075 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:36.332580090 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:36.332591057 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:36.332648039 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:38.877444029 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:38.877516985 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:39.849915028 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:39.854856968 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:40.190923929 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:40.190937996 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:40.190999031 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:40.777616978 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:40.780159950 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:40.800491095 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:40.805231094 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.153387070 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.153455019 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.153878927 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.153898954 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.153912067 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.153927088 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.153942108 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.153963089 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.154062033 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.154073000 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.154102087 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.154114962 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.154294968 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.154334068 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.154484987 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.154494047 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.154521942 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.154536963 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.154673100 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.154691935 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.154704094 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.154722929 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.154736042 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.154762030 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.154783964 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.154829025 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.413250923 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.413275003 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.413301945 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.413319111 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.413335085 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.413337946 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.413357019 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.413405895 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.413438082 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.413575888 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.413614988 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.413619995 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.413635969 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.413661957 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.413683891 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.413717031 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.413760900 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.414268970 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.414294958 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.414310932 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.414310932 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.414338112 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.414364100 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.414387941 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.414402008 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.414431095 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.414449930 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.415008068 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415024996 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415050030 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415054083 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.415079117 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.415081024 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415096998 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415098906 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.415124893 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.415142059 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.415776014 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415822983 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.415833950 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415851116 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415884972 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.415894985 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.415945053 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415961027 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.415988922 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.416043997 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.660088062 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660109997 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660139084 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660152912 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.660159111 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660188913 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660202980 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.660202980 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.660202980 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.660208941 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660228014 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660229921 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.660248995 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660253048 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.660267115 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.660289049 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.660934925 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660965919 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.660990000 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.661000967 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.661032915 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.661051035 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.661077023 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.661096096 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.661130905 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.661148071 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.661165953 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.661173105 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.661192894 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.661215067 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.661864996 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.661895037 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.661911011 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.661911964 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.661935091 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.661955118 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.662070036 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.662086964 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.662106037 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.662110090 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.662130117 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.662147045 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.662751913 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.662769079 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.662794113 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.662794113 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.662817955 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.662832022 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.662904978 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.662924051 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.662940025 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.662950993 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.662969112 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.662988901 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.663573980 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.663618088 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.663676023 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.663692951 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.663714886 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.663738012 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.663781881 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.663798094 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.663815022 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.663824081 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.663847923 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.663861990 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.664515018 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.664534092 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.664551020 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.664560080 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.664577007 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.664598942 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.664657116 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.664685011 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.664699078 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.664702892 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.664724112 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.664742947 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.665333986 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.665350914 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.665369034 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.665375948 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.665395021 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.665405035 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.665486097 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.665508986 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.665527105 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.665527105 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.665541887 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.665565968 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.666220903 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.666238070 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.666254044 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.666275978 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.666295052 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.919487953 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919508934 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919514894 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919521093 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919529915 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919534922 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919540882 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919544935 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919642925 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919698000 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919708967 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919811010 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919848919 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919847965 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.919848919 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.919848919 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.919897079 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919903040 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.919909000 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919924021 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.919949055 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.919970989 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920048952 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920059919 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920106888 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920114994 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920125008 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920135021 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920161963 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920177937 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920289040 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920300961 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920346022 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920348883 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920361042 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920399904 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920500994 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920511007 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920521021 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920553923 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920572042 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920665026 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920675993 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920686007 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920717955 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920749903 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920782089 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920793056 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920799017 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920804024 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920833111 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920861959 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.920922041 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.920970917 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921004057 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921015024 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921055079 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921190023 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921200991 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921214104 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921226025 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921243906 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921263933 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921392918 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921402931 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921412945 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921423912 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921435118 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921444893 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921447039 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921457052 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921468019 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921468019 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921480894 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921489000 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921514988 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921541929 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921808958 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921821117 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921866894 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.921943903 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921955109 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921964884 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.921993971 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922009945 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922097921 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922112942 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922123909 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922137976 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922143936 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922171116 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922194004 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922250032 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922261000 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922270060 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922290087 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922298908 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922303915 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922313929 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922324896 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922332048 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922338009 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922353029 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922355890 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922388077 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922401905 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922712088 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922723055 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922763109 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922817945 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922854900 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922864914 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922867060 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.922895908 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.922923088 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.923027039 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.923038006 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.923077106 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.924772978 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.924792051 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.924803019 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.924825907 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.924865961 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.924978971 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.924988985 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.925003052 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.925014973 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:41.925028086 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:41.925057888 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.006079912 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006091118 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006105900 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006112099 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006118059 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006128073 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006187916 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.006227016 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.006238937 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006283045 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.006433010 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006444931 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006454945 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006477118 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.006509066 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.006552935 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006565094 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006573915 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006584883 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006603956 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.006632090 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.006722927 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006732941 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.006778955 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180097103 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180152893 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180164099 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180171967 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180217028 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180242062 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180252075 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180262089 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180286884 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180308104 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180418015 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180429935 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180439949 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180450916 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180465937 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180470943 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180497885 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180509090 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180677891 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180696011 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180707932 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180718899 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180722952 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180731058 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180742979 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180742979 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180769920 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180782080 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.180963993 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180974960 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180984974 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.180995941 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181006908 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181011915 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181018114 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181030035 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181037903 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181056023 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181081057 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181247950 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181257963 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181267977 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181293964 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181324005 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181327105 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181339979 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181349993 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181360960 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181371927 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181374073 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181389093 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181397915 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181402922 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181416035 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181446075 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181741953 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181751966 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181761980 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181771994 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181782961 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.181791067 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181802988 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.181834936 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182032108 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182043076 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182053089 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182065010 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182075977 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182080030 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182100058 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182120085 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182137966 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182149887 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182158947 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182169914 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182179928 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182185888 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182198048 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182209015 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182214022 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182220936 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182231903 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182234049 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182245970 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182262897 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182291985 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182712078 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182723999 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182733059 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182744980 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.182760954 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182774067 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182802916 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.182957888 CET	6789	49730	101.201.227.94	192.168.2.4
Jan 5, 2025 08:37:42.183010101 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.186489105 CET	49730	6789	192.168.2.4	101.201.227.94
Jan 5, 2025 08:37:42.191364050 CET	6789	49730	101.201.227.94	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 08:37:39.057836056 CET	1.1.1.1	192.168.2.4	0x9506	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:37:39.057836056 CET	1.1.1.1	192.168.2.4	0x9506	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:37:27
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\N5kEzgUBn6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\N5kEzgUBn6.exe"
Imagebase:	0x7ff6c4920000
File size:	16'384 bytes
MD5 hash:	B786010AB288FD61617745597967A99D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2255989910.000001E8EDC8B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:37:27
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:37:41
Start date:	05/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4208 -s 2032
Imagebase:	0x7ff635e40000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	38%
Dynamic/Decrypted Code Coverage:	9.3%
Signature Coverage:	31.4%
Total number of Nodes:	140
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF6C4921130 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 161
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C4921560: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6C4921161), ref: 00007FF6C4921972

GetModuleHandleA.KERNEL32 ref: 00007FF6C492116B
GetProcAddress.KERNEL32 ref: 00007FF6C492117B
VirtualProtect.KERNEL32 ref: 00007FF6C4921199
MessageBoxW.USER32 ref: 00007FF6C49211CD

Part of subcall function 00007FF6C4921070: VirtualProtect.KERNEL32 ref: 00007FF6C492109D
Part of subcall function 00007FF6C4921070: VirtualProtect.KERNEL32 ref: 00007FF6C492110F

VirtualProtect.KERNEL32 ref: 00007FF6C49211EE
printf.MSPDB140-MSVCRT ref: 00007FF6C4921237

Part of subcall function 00007FF6C4921010: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6C4921038
Part of subcall function 00007FF6C4921010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6C4921057

GetModuleHandleW.KERNEL32 ref: 00007FF6C4921251
LoadLibraryW.KERNEL32 ref: 00007FF6C4921263
GetProcAddress.KERNEL32 ref: 00007FF6C4921273
VirtualAlloc.KERNEL32 ref: 00007FF6C4921293
printf.MSPDB140-MSVCRT ref: 00007FF6C49212B7
printf.MSPDB140-MSVCRT ref: 00007FF6C49212D7
printf.MSPDB140-MSVCRT ref: 00007FF6C4921367
printf.MSPDB140-MSVCRT ref: 00007FF6C4921379
GetDC.USER32 ref: 00007FF6C4921386
printf.MSPDB140-MSVCRT ref: 00007FF6C49213A6

Strings

123, xrefs: 00007FF6C49212B0, 00007FF6C49212D0, 00007FF6C4921360, 00007FF6C4921372
GDI32.dll, xrefs: 00007FF6C4921161
EnumFontsW, xrefs: 00007FF6C4921174
Memory allocation failed., xrefs: 00007FF6C492139F
success!, xrefs: 00007FF6C49211C6
0x%02x , xrefs: 00007FF6C4921223
VirtualAlloc, xrefs: 00007FF6C4921269
KERNEL32.dll, xrefs: 00007FF6C492124A, 00007FF6C492125C

Memory Dump Source

Source File: 00000000.00000002.2258874117.00007FF6C4921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C4920000, based on PE: true

Associated: 00000000.00000002.2258809056.00007FF6C4920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258963424.00007FF6C4923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259023795.00007FF6C4925000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259037074.00007FF6C4926000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c4920000_N5kEzgUBn6.jbxd

Similarity

API ID: printf$Virtual$Protect$AddressHandleModuleProc$AllocLibraryLoadMessage__acrt_iob_func__stdio_common_vfprintfmalloc
String ID: 0x%02x $123$EnumFontsW$GDI32.dll$KERNEL32.dll$Memory allocation failed.$VirtualAlloc$success!
API String ID: 2157727273-4213451396
Opcode ID: 47cf96a908184d08b32c592c2116ad97550ee8100d9e5b51ea0938a3be986121
Instruction ID: 1eae5767e9cf6666d33a34d4116c77024e911019d44ffa98e43f98bd0e34db30
Opcode Fuzzy Hash: 47cf96a908184d08b32c592c2116ad97550ee8100d9e5b51ea0938a3be986121
Instruction Fuzzy Hash: 7871C322F19AA296E724DF34D8896B92720FB9979DF444231DE8D93653DF3CE685C300

Function 000001E8EF6F010C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 203
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(00000003,00000003,00000002,00000001), ref: 000001E8EF6F0127

Part of subcall function 000001E8EF6F012B: HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 000001E8EF6F0146

Strings

0.9,, xrefs: 000001E8EF6F0221

Memory Dump Source

Source File: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E8EF6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e8ef6f0000_N5kEzgUBn6.jbxd

Yara matches

Similarity

API ID: ConnectHttpInternetOpenRequest
String ID: 0.9,
API String ID: 1341064763-3756043534
Opcode ID: 4d03da431280f1b9088e9bd0ef49b404d73f94cee98171a195dce8ef4c8b781e
Instruction ID: cbeff4c02c510ac9019f11a6dfe4ea34883aa6c133a7a8a676bd57f31370eaa5
Opcode Fuzzy Hash: 4d03da431280f1b9088e9bd0ef49b404d73f94cee98171a195dce8ef4c8b781e
Instruction Fuzzy Hash: 3E51CC3391D2C56FFB698FA4D6863AA7F90EB86310F24149EDC49C70A3D9A0CC82C355

Function 00007FF6C49213D0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 73
libraryloaderwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6C49213E6
printf.MSPDB140-MSVCRT ref: 00007FF6C4921407

Part of subcall function 00007FF6C4921010: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6C4921038
Part of subcall function 00007FF6C4921010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6C4921057

printf.MSPDB140-MSVCRT ref: 00007FF6C492141B
GetProcAddress.KERNEL32 ref: 00007FF6C4921430
printf.MSPDB140-MSVCRT ref: 00007FF6C4921449
printf.MSPDB140-MSVCRT ref: 00007FF6C49214B7
printf.MSPDB140-MSVCRT ref: 00007FF6C49214D7
MessageBoxW.USER32 ref: 00007FF6C49214F5
printf.MSPDB140-MSVCRT ref: 00007FF6C4921507

Strings

relaysec, xrefs: 00007FF6C49214E5, 00007FF6C49214EC
123, xrefs: 00007FF6C4921414, 00007FF6C4921470, 00007FF6C4921490, 00007FF6C49214B0, 00007FF6C49214D0, 00007FF6C4921500
Failed to get function address., xrefs: 00007FF6C49213F9, 00007FF6C4921442
user32.dll, xrefs: 00007FF6C49213DF
MessageBoxW, xrefs: 00007FF6C4921426

Memory Dump Source

Source File: 00000000.00000002.2258874117.00007FF6C4921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C4920000, based on PE: true

Associated: 00000000.00000002.2258809056.00007FF6C4920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258963424.00007FF6C4923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259023795.00007FF6C4925000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259037074.00007FF6C4926000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c4920000_N5kEzgUBn6.jbxd

Similarity

API ID: printf$AddressHandleMessageModuleProc__acrt_iob_func__stdio_common_vfprintf
String ID: 123$Failed to get function address.$MessageBoxW$relaysec$user32.dll
API String ID: 608621153-2114858615
Opcode ID: fc1046d41bb4753c2830af77cbfabbf4097aed040a276f43e915ec53b965addc
Instruction ID: 05dd6d949cd0661a98bc6fb55b6f8898f5bb4637f52cf5fc5c1cc04c0a93619b
Opcode Fuzzy Hash: fc1046d41bb4753c2830af77cbfabbf4097aed040a276f43e915ec53b965addc
Instruction Fuzzy Hash: AA314C21E199B391EA34DF20E9CE6B52775BF5679EF844031D8CD836A7DE2CE6148300

Function 00007FF6C492164C Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6C4921675
__scrt_release_startup_lock.LIBCMT ref: 00007FF6C49216E3
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6C4921731
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6C4921736
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6C492173E
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6C4921746
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6C4921768
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6C49217C2

Memory Dump Source

Source File: 00000000.00000002.2258874117.00007FF6C4921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C4920000, based on PE: true

Associated: 00000000.00000002.2258809056.00007FF6C4920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258963424.00007FF6C4923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259023795.00007FF6C4925000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259037074.00007FF6C4926000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c4920000_N5kEzgUBn6.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: ef8af790725af1cd56919066dc104625b72fed23ec5458473e64ed65ca9d9ef1
Instruction ID: 272d85a4dac7621510b83c82112fc05be4b4bc4ed79c0df293b0c986be3d8b00
Opcode Fuzzy Hash: ef8af790725af1cd56919066dc104625b72fed23ec5458473e64ed65ca9d9ef1
Instruction Fuzzy Hash: BA311D21E0C16341FA34EF6594DF3BA13A1AF85B8EF444035E9CEC76D7DE2CA9558242

Function 000001E8EF6F012B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 000001E8EF6F0146
VirtualAlloc.KERNEL32(?,656D6F72,303D713B), ref: 000001E8EF6F034B
InternetReadFile.WININET(000001E8EF6F0159,000001E8EF6F0159), ref: 000001E8EF6F0369

Strings

U.;, xrefs: 000001E8EF6F0141

Memory Dump Source

Source File: 00000000.00000002.2256162907.000001E8EF6F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E8EF6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e8ef6f0000_N5kEzgUBn6.jbxd

Yara matches

Similarity

API ID: AllocFileHttpInternetOpenReadRequestVirtual
String ID: U.;
API String ID: 1187293180-4213443877
Opcode ID: adec595657f368ce4ef907db946545fd41c076732220fa221c3da79f5f998a0b
Instruction ID: 93a4ee39890cdbf93dcb280c8b82154255e7e8c807edd50d09a9572f0c79d0be
Opcode Fuzzy Hash: adec595657f368ce4ef907db946545fd41c076732220fa221c3da79f5f998a0b
Instruction Fuzzy Hash: 6811906234894E1BF62C869DBC5677A11CAD3C8755F24812FB90EC33D6DC54CC824159

Function 00007FF6C4921070 Relevance: 3.0, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FF6C492109D
VirtualProtect.KERNEL32 ref: 00007FF6C492110F

Memory Dump Source

Source File: 00000000.00000002.2258874117.00007FF6C4921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C4920000, based on PE: true

Associated: 00000000.00000002.2258809056.00007FF6C4920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258963424.00007FF6C4923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259023795.00007FF6C4925000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259037074.00007FF6C4926000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c4920000_N5kEzgUBn6.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0d252d6bf26d72b5eca4e16ffdbf3449286fa4745bd3b762a0840a18dcd28e9b
Instruction ID: a0d0b23d25d7ae6f915d88dee3a3d4f0c6c462281c69aac46d5781620b536c22
Opcode Fuzzy Hash: 0d252d6bf26d72b5eca4e16ffdbf3449286fa4745bd3b762a0840a18dcd28e9b
Instruction Fuzzy Hash: CF1182127297C8CAEB20CF79A4415997F60FB59B88B889025CB8C0B717CE3CD115C721

Non-executed Functions

Function 00007FF6C4921CF4 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6C4921D10
memset.VCRUNTIME140 ref: 00007FF6C4921D34
RtlCaptureContext.KERNEL32 ref: 00007FF6C4921D3D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6C4921D57
RtlVirtualUnwind.KERNEL32 ref: 00007FF6C4921D98
memset.VCRUNTIME140 ref: 00007FF6C4921DCB
IsDebuggerPresent.KERNEL32 ref: 00007FF6C4921DEC
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C4921E09
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6C4921E14

Memory Dump Source

Source File: 00000000.00000002.2258874117.00007FF6C4921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C4920000, based on PE: true

Associated: 00000000.00000002.2258809056.00007FF6C4920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258963424.00007FF6C4923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259023795.00007FF6C4925000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259037074.00007FF6C4926000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c4920000_N5kEzgUBn6.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 8e7c2cf488fdeffeb1694d46fd7392a43ac0c0bfb6156c87c2ec931d69885290
Instruction ID: 582d6888f2572abe6c0a043c09ed56c8f0bfec767a3bbaf6c7e61e1fb7dbc12e
Opcode Fuzzy Hash: 8e7c2cf488fdeffeb1694d46fd7392a43ac0c0bfb6156c87c2ec931d69885290
Instruction Fuzzy Hash: 56315A76609B9186EB74CF60E8847E97370FB84749F44403ADA8E87B9ADF38D148C714

Function 00007FF6C4921BD4 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6C4921C00
GetCurrentThreadId.KERNEL32 ref: 00007FF6C4921C0E
GetCurrentProcessId.KERNEL32 ref: 00007FF6C4921C1A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C4921C2A

Memory Dump Source

Source File: 00000000.00000002.2258874117.00007FF6C4921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C4920000, based on PE: true

Associated: 00000000.00000002.2258809056.00007FF6C4920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258963424.00007FF6C4923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259023795.00007FF6C4925000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259037074.00007FF6C4926000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c4920000_N5kEzgUBn6.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b9449a8907b3bd1365dff25f12a55c9f4cffa051edc1500f507c8a873ef7d653
Instruction ID: 2ec4074497f74c4b418fecc57ac5e370db321d29b15c966a540f2e0e0e2913b4
Opcode Fuzzy Hash: b9449a8907b3bd1365dff25f12a55c9f4cffa051edc1500f507c8a873ef7d653
Instruction Fuzzy Hash: 26117022B54F118AEB20CF70E8992B833A4F719769F440E31DAAD867A5DF3CD1588340

Function 00007FF6C4921E98 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258874117.00007FF6C4921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C4920000, based on PE: true

Associated: 00000000.00000002.2258809056.00007FF6C4920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258963424.00007FF6C4923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259023795.00007FF6C4925000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259037074.00007FF6C4926000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c4920000_N5kEzgUBn6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc3a828de6923606b769fef2bb944386b76cf749a83bf5ce9efce6e6d829fd5
Instruction ID: 4c498e68c47e9ae13056f705361630a1a52fc9f2b1cc2636a10a8fabb0532f72
Opcode Fuzzy Hash: 2fc3a828de6923606b769fef2bb944386b76cf749a83bf5ce9efce6e6d829fd5
Instruction Fuzzy Hash: 25A00122948822A4E768CF60A8999306330AB5070BB440031C19E914629E7CA5548250

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report N5kEzgUBn6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_N5kEzgUBn6.exe_309d83d53bcf496a78176fedab9a2758889b_58e8ce5c_5a917976-d008-451c-8665-7ba8cc86e08e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD01F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD139.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD169.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
N5kEzgUBn6.exe

Function 00007FF6C4921130 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 161
librarymemoryloaderCOMMON

Function 000001E8EF6F010C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 203
networkCOMMON

Function 00007FF6C49213D0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 73
libraryloaderwindowCOMMON

Function 00007FF6C492164C Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Function 000001E8EF6F012B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
networkmemoryfileCOMMON

Function 00007FF6C4921070 Relevance: 3.0, APIs: 2, Instructions: 46
memoryCOMMON

Function 00007FF6C4921CF4 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Function 00007FF6C4921BD4 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON