Edit tour

Windows Analysis Report
loader.exe

Overview

General Information

Sample name:	loader.exe
Analysis ID:	1585383
MD5:	0fd9836e2142bc85ced43d8316650b6c
SHA1:	17ad9773af8f56332d728f94890d9f5a37ec5d03
SHA256:	b870c9ee4b011fdb66b100275c583a3dc2e5884af31a4819f4b484ef839253fb
Tags:	exeuser-aachum
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loader.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\loader.exe" MD5: 0FD9836E2142BC85CED43D8316650B6C)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE Sheet RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:42:59.910159+0100	2058998	1	A Network Trojan was detected	192.168.2.4	49731	147.185.221.24	48428	TCP
2025-01-07T15:42:59.910159+0100	2058998	1	A Network Trojan was detected	192.168.2.4	50507	147.185.221.24	48428	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: loader.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: loader.exe

Joe Sandbox ML: detected

Source: loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058998 - Severity 1 - ET MALWARE Sheet RAT CnC Checkin : 192.168.2.4:49731 -> 147.185.221.24:48428
Source: Network traffic	Suricata IDS: 2058998 - Severity 1 - ET MALWARE Sheet RAT CnC Checkin : 192.168.2.4:50507 -> 147.185.221.24:48428

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 147.185.221.24:48428

Source: global traffic

TCP traffic: 192.168.2.4:50236 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: co-updated.gl.at.ply.gg

Source: loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\loader.exe

Code function: 0_2_00007FFD9B7CE9AD NtProtectVirtualMemory,

0_2_00007FFD9B7CE9AD

Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7C7FE2	0_2_00007FFD9B7C7FE2
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7C1448	0_2_00007FFD9B7C1448
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7C3440	0_2_00007FFD9B7C3440
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7CBAE8	0_2_00007FFD9B7CBAE8
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7CC681	0_2_00007FFD9B7CC681
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7C1600	0_2_00007FFD9B7C1600
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7C7236	0_2_00007FFD9B7C7236
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7C98E7	0_2_00007FFD9B7C98E7
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7D10D8	0_2_00007FFD9B7D10D8
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7C02FD	0_2_00007FFD9B7C02FD
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7CBD4B	0_2_00007FFD9B7CBD4B
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7C9CB1	0_2_00007FFD9B7C9CB1

Source: loader.exe, 00000000.00000000.1674231829.0000000000572000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs loader.exe
Source: loader.exe	Binary or memory string: OriginalFilenameClient.exe. vs loader.exe

Source: loader.exe, FDdCFtRGHOCQM.cs	Security API names: File.GetAccessControl
Source: loader.exe, FDdCFtRGHOCQM.cs	Security API names: File.SetAccessControl
Source: loader.exe, FDdCFtRGHOCQM.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: loader.exe, qlllUayZ.cs	Security API names: Directory.GetAccessControl
Source: loader.exe, qlllUayZ.cs	Security API names: Directory.SetAccessControl
Source: loader.exe, rUGHQDGuDhlrp.cs	Security API names: Directory.GetAccessControl
Source: loader.exe, rUGHQDGuDhlrp.cs	Security API names: Directory.SetAccessControl
Source: loader.exe, rUGHQDGuDhlrp.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: loader.exe, dzYeBNghHSwLaeT.cs	Security API names: File.GetAccessControl
Source: loader.exe, dzYeBNghHSwLaeT.cs	Security API names: File.SetAccessControl
Source: loader.exe, wUnKJwFwMLX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal76.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\loader.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\loader.exe	Mutant created: \Sessions\1\BaseNamedObjects\Windows company

Source: loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: loader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\loader.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\loader.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: loader.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: netfxperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: esentprf.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfts.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: utildll.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msdtcuiu.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msscntrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfproc.dll	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: loader.exe, RHxDmhGvQNRS.cs

.Net Code: NXUCOPGm

Source: loader.exe

Static PE information: 0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]

Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7CBAE8 push ecx; ret	0_2_00007FFD9B7CC25E
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7D067D push E95B6C3Bh; ret	0_2_00007FFD9B7D0699
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7CA905 push eax; iretd	0_2_00007FFD9B7CA91D
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FFD9B7C00AD pushad ; iretd	0_2_00007FFD9B7C00C1

Source: loader.exe, bJLBJJiOps.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'bivKevTybFCvNV', 'gJXZTMvkOVpH', 'lwrzJpOQYfAJRd', 'MYOxgfdYrQZcfy', 'ooneMeODmYGNI', 'WPCiHYqHsbJI'
Source: loader.exe, RHxDmhGvQNRS.cs	High entropy of concatenated method names: 'iMuWkPBrMs', 'LouCbBjQcSXtT', 'GmKMcbBYXf', 'npYmjlEOOsyn', 'TOdAqyKS', 'EddqfkQhmROZ', 'MKdsgTeFZIzGsN', 'AhZUKMkvJsGUxgF', 'YefCSWyRroVfU', 'kmWSgEruObcP'
Source: loader.exe, vRaSIojti.cs	High entropy of concatenated method names: 'MMyPiBeqb', 'YvlySdePnRnR', 'WYXkjTzkhwSerUS', 'TcAzdmzfc', 'eJUGQWvS', 'qLQuXbvrzSTa', 'MFTpmRQkZ', 'HjopQbfwjZsbyC', 'dXiuANIZVxPmb', 'dBrRUJLjmeQTV'
Source: loader.exe, qlllUayZ.cs	High entropy of concatenated method names: 'nDqpbiTIXcjysbS', 'xLZCmzqGJekfR', 'xWpkbbUiT', 'SeRHNExKSyXOZW', 'nMkgxyoqO', 'MJHArROskjHh', 'sEgaMSlixSanO', 'CWqenDcBvpKah', 'WpmDFdrbQ', 'bYcwOqhMcgM'
Source: loader.exe, jqEtvsjElPJ.cs	High entropy of concatenated method names: 'MBsrdtNdDnnnssD', 'yjJHPGFvwaFtUbd', 'BUnXwZdGUkSv', 'RBConFCG', 'jGvwvCnT', 'cKMmXEfAZ', 'CmfoJteY', 'FgVbUzlh', 'zebSBbqlqedx', 'mgwDQESlD'
Source: loader.exe, stTBaitjo.cs	High entropy of concatenated method names: 'ruArbZIzucGR', 'rrFsytWtuoXzRVh', 'phuVaErvy', 'LVbRSCawcKVpvpS', 'wFcsKDaqEuMvW', 'AJuDiASdVVYUtW', 'AmEDoHlTFkHukN', 'qeapKLvsGRT', 'kHTpJECEHHs', 'fPpoSaFhPxeuu'
Source: loader.exe, iWpfJXRBcsiSe.cs	High entropy of concatenated method names: 'iDxSBFvrvsGMhGy', 'TZSUYCtgTBWivcC', 'cNIOprwB', 'rawYwqLDiYJzJX', 'JQyAjNvTqEkT', 'kEbcRggbxIWKKeM', 'sCSpcFYt', 'RawHFUMWOSdwghd', 'ELIbpZiiPxBReU', 'gihAFkUrnKow'
Source: loader.exe, OSwSXnJrgr.cs	High entropy of concatenated method names: 'MVwseiwerfsLHEK', 'diLKteoarZc', 'MKPnMAGddAJmVu', 'kWGoNNSfJVgCi', 'WAEGERgPEzGy', 'rdZYozsDDlkPe', 'fGSfyXxHAEgRcEV', 'GiOgaCjwrC', 'cSPTrZXBJmUHbj', 'dVsXWoimeCAyT'
Source: loader.exe, rUGHQDGuDhlrp.cs	High entropy of concatenated method names: 'DGbfasnCP', 'wTzQCjOM', 'nBNiJlAchsgSBWb', 'oaUVYuoEFKwDp', 'TSYtBJpYSuZPFK', 'huxXiOJtratNJ', 'yowmpYOuIVRs', 'IavIodUYPz', 'GeKYgSIwgvTF', 'dQmVnmcGqyBT'
Source: loader.exe, leMxQLftuJ.cs	High entropy of concatenated method names: 'HlxmVSABVQitbYc', 'lprSGMWJnLkxf', 'rWSUITiA', 'pVMbzCllZ', 'ctDCqruOnzKiDV', 'YMaHPJAkeC', 'tkWHCaKKCLnTcdN', 'uBAHSqLb', 'KdKebJZAtxKsgw', 'XsTEltyeBEGjd'
Source: loader.exe, FDdCFtRGHOCQM.cs	High entropy of concatenated method names: 'xvgOgzkICCM', 'alQnzCmA', 'IjLxzlUbA', 'gwfECITpA', 'xAbqDSgp', 'OAeLNoMURhO', 'gCufFvhNff', 'lzKIIVtgFe', 'mHCkRPqnC', 'mlRygKyXy'
Source: loader.exe, dzYeBNghHSwLaeT.cs	High entropy of concatenated method names: 'eyApHeFUmp', 'LMJeNuOcJaMS', 'DXizEMHkncCoIv', 'zuDrMmVUxnjQLB', 'nRgNljwGQ', 'hqXkHpFzYdO', 'UFBiDkMVvvi', 'okIuKHComSev', 'kqxeRnYvQwaLDgL', 'vdlHuvWhKpRaakC'
Source: loader.exe, MAaNXHPtUGPA.cs	High entropy of concatenated method names: 'nowExJDNPXzUVOc', 'hnlgCLUP', 'XkwKAhfrk', 'xgBjowRxdat', 'tmnnTeTv', 'UgvaZHDOqTcl', 'fZgDxjlOroPVqJ', 'NNBYovdzFJO', 'OimGQRCHNHQgjK', 'crfEjyfAcS'
Source: loader.exe, WuwjxQjqxxhUmd.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'SrujlyRTX', 'xAYrtwqqMzfFBlj', 'nptNDudrkHXbxsF', 'YnzPLzDAqead', 'MpIAmLcaKsDX', 'HlZPtUuFhOmTo', 'ltWZTAOXSOaLhc', 'NuvserSa', 'lGiXfbWhyXqg'
Source: loader.exe, JOBvRAQMqQTcJE.cs	High entropy of concatenated method names: 'zZdmUzNmubXYo', 'oitNwaBDwihoKSu', 'NhOLExpVB', 'wbHTtbbSCiaONd', 'wdvFgousnNpKd', 'qsYMHeavcoFMsQ', 'hzUkaHUuQ', 'ABiTGDRybLp', 'CGzKBAGz', 'wdgGOVZCjWy'
Source: loader.exe, NFoBFrADgPEd.cs	High entropy of concatenated method names: 'ipbFuUOMvyKyLDD', 'TFwlCnlNEsxpD', 'kFIWOmEBKMORRHe', 'tnxRNKIs', 'vDNBCXZIwNFpppR', 'SukWlWejByJsm', 'axQbSiqzIopIU', 'YMExfiuPYVJZZez', 'NhWKnHZN', 'jrSlvhcBkKo'
Source: loader.exe, xFNjOTRQu.cs	High entropy of concatenated method names: 'GWhsVCIFTV', 'DHvhHiry', 'cHCpapiwzNERa', 'VUoCOBeSWGHtyR', 'HkZSJkzU', 'SfUMFGRndQaMSg', 'wGKlvhgrQusc', 'zQFWAvkigRMP', 'UPhrpoEwVCaOZL', 'oESNenoMKDMXw'
Source: loader.exe, sQBzIOKx.cs	High entropy of concatenated method names: 'SqaFaHxmOfGyT', 'GccuePvdV', 'QyZoyyBcIzy', 'tPpPpwPHvCZFuW', 'TfimpUGpbhIo', 'ddpUMPiMFO', 'zNOYNZTtbSh', 'aNJVnaOigHzdRME', 'eoTOQInbGibBOPM', 'vgPGCtvmrgtrOlG'
Source: loader.exe, gnWfyphMe.cs	High entropy of concatenated method names: 'xezAuLbmi', 'BooPEUKzBQ', 'ugAUtRWU', 'FueFmCvKGPAnHqG', 'zHbdfiLNCDxygA', 'ERnJGKicBZzsmQR', 'puctJvrOWjQCj', 'xeFUvVUh', 'hRfZDfpYwkQHDDH', 'JaYnWtfswcVnR'
Source: loader.exe, hpWbfDQQRNsZfQ.cs	High entropy of concatenated method names: 'NcYduEtdsEvPIS', 'tGlOgieSM', 'VTIVMproyoIFKv', 'nLdXjnHxFTmoQ', 'IiJMmZklIgOEa', 'eDnvpesWB', 'cDNWDBZBbEpGztX', 'ACDxJfMyTCf', 'zlrmgOjjLNiGGN', 'WTXEuYSeqTDl'

Source: C:\Users\user\Desktop\loader.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\loader.exe	Memory allocated: D30000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Memory allocated: 1A8E0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Window / User API: threadDelayed 9375			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Window / User API: threadDelayed 419			Jump to behavior

Source: C:\Users\user\Desktop\loader.exe TID: 7788

Thread sleep time: -9223372036854770s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\loader.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: loader.exe, 00000000.00000002.4140459511.000000001C68E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor1
Source: loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Hypervisor Logical Processor
Source: loader.exe, 00000000.00000002.4139896661.000000001B4C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: loader.exe, 00000000.00000002.4139896661.000000001B53B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Servicelb
Source: loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Virtual Machine Bus Pipes
Source: loader.exe, 00000000.00000002.4140459511.000000001C68E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Dynamic Memory Integration Service
Source: loader.exe, 00000000.00000002.4140459511.000000001C62E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: loader.exe, 00000000.00000002.4139896661.000000001B4BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: loader.exe, 00000000.00000002.4139896661.000000001B4C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWal, %SystemRoot%\system32\mswsock.dll type="System.ServiceModel.Configuration.ComContractsSection, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
Source: loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )Hyper-V Hypervisor Root Virtual Processor
Source: loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: loader.exe, 00000000.00000002.4139896661.000000001B53B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor"b
Source: loader.exe, 00000000.00000002.4140459511.000000001C6FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: loader.exe, 00000000.00000002.4140459511.000000001C660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8Hyper-V ontvrnukjnsmrfw Bus
Source: loader.exe, 00000000.00000002.4140459511.000000001C62E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Servicey
Source: loader.exe, 00000000.00000002.4140459511.000000001C68E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: cXvMci
Source: loader.exe, 00000000.00000002.4140459511.000000001C660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ontvrnukjnsmrfw Bus PipesbN
Source: loader.exe, 00000000.00000002.4140459511.000000001C62E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V ontvrnukjnsmrfw Bus Pipes-
Source: loader.exe, 00000000.00000002.4139896661.000000001B4C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ontvrnukjnsmrfw Bus
Source: loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Hypervisor Root Partition
Source: loader.exe, 00000000.00000002.4140459511.000000001C6FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitionvw
Source: loader.exe, 00000000.00000002.4140459511.000000001C62E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V ontvrnukjnsmrfw Bus Pipess
Source: loader.exe, 00000000.00000002.4139896661.000000001B4C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ontvrnukjnsmrfw Bus Pipes

Source: C:\Users\user\Desktop\loader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: loader.exe, 00000000.00000002.4140459511.000000001C660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: loader.exe, 00000000.00000002.4140459511.000000001C6CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAyADIDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwCa0lnlAK+RGfOUYkXByAR9cevviqt0j7INxjb92Nuw54yevv8A/Wq7BGjbc6c02ZFwVYjcOfl+p4P4VUk2ELsiEeFw2DncfWvsaF20/wCvzPgcRJRTS8/z9EZsiV7boGBoVh6G1h7f7Arxx1zWlD4o1uziSO2vQixqEUGJDgD6iozDB1MVGKg1p3OvKsfTw0pOpfXsclqy/wDEzu/+uz/+hGspxW3dwySyPK/LOSzHHUmsyWEjPFelGm0ki6dVSd0U8UU7bRRynTc9EgKsuZp5o2EoGBkjbz82R+HHvUBHFaaCfcoSa2/1iY57kHHTsO/pWeVriw9le3l2PncQ3ZX8+5WcVA1WnWq7p612RIgywlpFhSzMc1R1yCCG1Ro1AYtgmtANDtQeYuQPX2rL18qLaLaT94/ypxm+a9zuoxvJWObPWim96KrmPUsemJHllH9mFvnQYDnnj7vT+LrVMnip1eHeP9JnVd6c5YEDHJ/DoKqMeK8+g3rfy7/qeBiFHlVu77fp/XYjkNVJWAqxIapTGulMmlEqzzEZxxWXcSM3BYkemauzGs6Y1Vz1aEUV80UlFO53Hufw5JHw90nB/hl/9GNWZ8cOPAlqR/z/AMf/AKBJRRXwq+I+jfwHg3XT5iecQ8f+O1ikn1NFFXAyY0k+tX7PlADyMH+RooqykUmJ3H60UUUFH//Z<@><@>448BF45CC4918C01552E499<@>user<@>128757<@>kva3cgmo<@>false<@>Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz @ 4<@>LTDVCW6WR<@>8GB<@>1GB<@>30 %<@>81 %<@>Microsoft Windows 10 Pro 64-bit<@>2.6<@>04.10.2023<@>Admin<@>Windows Defender<@>Program Manager
Source: loader.exe, 00000000.00000002.4140459511.000000001C660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerVWCX
Source: loader.exe, 00000000.00000002.4140459511.000000001C6CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAyADIDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwCa0lnlAK+RGfOUYkXByAR9cevviqt0j7INxjb92Nuw54yevv8A/Wq7BGjbc6c02ZFwVYjcOfl+p4P4VUk2ELsiEeFw2DncfWvsaF20/wCvzPgcRJRTS8/z9EZsiV7boGBoVh6G1h7f7Arxx1zWlD4o1uziSO2vQixqEUGJDgD6iozDB1MVGKg1p3OvKsfTw0pOpfXsclqy/wDEzu/+uz/+hGspxW3dwySyPK/LOSzHHUmsyWEjPFelGm0ki6dVSd0U8UU7bRRynTc9EgKsuZp5o2EoGBkjbz82R+HHvUBHFaaCfcoSa2/1iY57kHHTsO/pWeVriw9le3l2PncQ3ZX8+5WcVA1WnWq7p612RIgywlpFhSzMc1R1yCCG1Ro1AYtgmtANDtQeYuQPX2rL18qLaLaT94/ypxm+a9zuoxvJWObPWim96KrmPUsemJHllH9mFvnQYDnnj7vT+LrVMnip1eHeP9JnVd6c5YEDHJ/DoKqMeK8+g3rfy7/qeBiFHlVu77fp/XYjkNVJWAqxIapTGulMmlEqzzEZxxWXcSM3BYkemauzGs6Y1Vz1aEUV80UlFO53Hufw5JHw90nB/hl/9GNWZ8cOPAlqR/z/AMf/AKBJRRXwq+I+jfwHg3XT5iecQ8f+O1ikn1NFFXAyY0k+tX7PlADyMH+RooqykUmJ3H60UUUFH//Z<@><@>448BF45CC4918C01552E499<@>user<@>128757<@>kva3cgmo<@>false<@>Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz @ 4<@>LTDVCW6WR<@>8GB<@>1GB<@>30 %<@>81 %<@>Microsoft Windows 10 Pro 64-bit<@>2.6<@>04.10.2023<@>Admin<@>Windows Defender<@>Program Manager!
Source: loader.exe, 00000000.00000002.4140459511.000000001C660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerckgr
Source: loader.exe, 00000000.00000002.4140459511.000000001C660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerAzZ.

Source: C:\Users\user\Desktop\loader.exe

Queries volume information: C:\Users\user\Desktop\loader.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	2 Windows Service	2 Windows Service	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	251 Virtualization/Sandbox Evasion	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
loader.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
loader.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
co-updated.gl.at.ply.gg	147.185.221.24	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	loader.exe, 00000000.00000002.4138027546.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.24	co-updated.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585383
Start date and time:	2025-01-07 15:42:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	loader.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 11 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiApSrv.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.253.45
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: loader.exe

Simulations

Behavior and APIs

Time	Type	Description
09:42:58	API Interceptor	10265751x Sleep call for process: loader.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.24	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse
	SharkHack.exe	Get hash	malicious	XWorm	Browse
	avaydna.exe	Get hash	malicious	Njrat	Browse
	ddos tool.exe	Get hash	malicious	XWorm	Browse
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse
	p59UXHJRX3.exe	Get hash	malicious	XenoRAT	Browse
	JdYlp3ChrS.exe	Get hash	malicious	Njrat	Browse
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	My33xbeYIX.exe	Get hash	malicious	Njrat	Browse	147.185.221.16
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	sela.exe	Get hash	malicious	Njrat	Browse	147.185.221.17
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	SharkHack.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	avaydna.exe	Get hash	malicious	Njrat	Browse	147.185.221.24
	ddos tool.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	147.185.221.24

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.311958825841602
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	loader.exe
File size:	558'592 bytes
MD5:	0fd9836e2142bc85ced43d8316650b6c
SHA1:	17ad9773af8f56332d728f94890d9f5a37ec5d03
SHA256:	b870c9ee4b011fdb66b100275c583a3dc2e5884af31a4819f4b484ef839253fb
SHA512:	e1beadb41cf88827b33b607c05c30db24d8066238a64031c5b8a1ad8310ee582e988b175512deddedcf84885a73ccef736104fb65f757194bda1eabf43648905
SSDEEP:	6144:o8RFsUOLYDm0ZnDVd7skTpd9qLS5VAsslKsbl0XC1Ipn3GcG:o8RFsSDmAnHVdsKKoDKIpn2c
TLSH:	3DC4B20CFE81F804DE1A3DB7CFE911004B7165C1AE1296863169AFFD8B6637259E267C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0..\|............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x489ade
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89a8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87ae4	0x87c00	bd74df3307839ee12353c8a0c15892bb	False	0.40618885244014735	data	5.317887837129265	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x596	0x600	757bb0ae9db13f8eddbcbc4febdd91d5	False	0.4127604166666667	data	4.028920590135457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	167380b7d8fffc44240583be92b1d0f6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8a0a0	0x30c	data			0.4269230769230769
RT_MANIFEST	0x8a3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T15:42:59.910159+0100	2058998	ET MALWARE Sheet RAT CnC Checkin	1	192.168.2.4	49731	147.185.221.24	48428	TCP
2025-01-07T15:42:59.910159+0100	2058998	ET MALWARE Sheet RAT CnC Checkin	1	192.168.2.4	50507	147.185.221.24	48428	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 15:42:59.951035976 CET	49731	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:42:59.955806017 CET	48428	49731	147.185.221.24	192.168.2.4
Jan 7, 2025 15:42:59.955878973 CET	49731	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:07.875499964 CET	49731	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:07.875500917 CET	49731	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:07.880367041 CET	48428	49731	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:07.880397081 CET	48428	49731	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:07.880496979 CET	48428	49731	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:21.325150013 CET	48428	49731	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:21.325216055 CET	49731	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:21.331805944 CET	49731	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:21.336683035 CET	48428	49731	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:21.606108904 CET	49742	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:21.610901117 CET	48428	49742	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:21.611023903 CET	49742	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:21.675756931 CET	49742	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:21.675952911 CET	49742	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:21.681368113 CET	48428	49742	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:21.681655884 CET	48428	49742	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:21.681668043 CET	48428	49742	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:37.105941057 CET	49742	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:37.110749960 CET	48428	49742	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:37.110821009 CET	49742	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:37.115586996 CET	48428	49742	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:43.011276007 CET	48428	49742	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:43.011372089 CET	49742	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:43.011919022 CET	49742	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:43.016683102 CET	48428	49742	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:43.184137106 CET	49743	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:43.188965082 CET	48428	49743	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:43.189070940 CET	49743	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:43.190532923 CET	50236	53	192.168.2.4	162.159.36.2
Jan 7, 2025 15:43:43.195411921 CET	53	50236	162.159.36.2	192.168.2.4
Jan 7, 2025 15:43:43.195509911 CET	50236	53	192.168.2.4	162.159.36.2
Jan 7, 2025 15:43:43.200370073 CET	53	50236	162.159.36.2	192.168.2.4
Jan 7, 2025 15:43:43.241061926 CET	49743	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:43.241091967 CET	49743	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:43.245816946 CET	48428	49743	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:43.245837927 CET	48428	49743	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:43.245955944 CET	48428	49743	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:43.715095997 CET	50236	53	192.168.2.4	162.159.36.2
Jan 7, 2025 15:43:43.720047951 CET	53	50236	162.159.36.2	192.168.2.4
Jan 7, 2025 15:43:43.720118046 CET	50236	53	192.168.2.4	162.159.36.2
Jan 7, 2025 15:43:57.293545961 CET	49743	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:57.298460960 CET	48428	49743	147.185.221.24	192.168.2.4
Jan 7, 2025 15:43:57.298512936 CET	49743	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:43:57.303275108 CET	48428	49743	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:04.573720932 CET	48428	49743	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:04.573781967 CET	49743	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:04.574376106 CET	49743	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:04.579121113 CET	48428	49743	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:04.637229919 CET	50290	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:04.642052889 CET	48428	50290	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:04.642162085 CET	50290	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:04.693608046 CET	50290	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:04.693655014 CET	50290	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:04.698453903 CET	48428	50290	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:04.698465109 CET	48428	50290	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:04.698596954 CET	48428	50290	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:18.341375113 CET	50290	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:18.346123934 CET	48428	50290	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:18.349858999 CET	50290	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:18.354651928 CET	48428	50290	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:26.012443066 CET	48428	50290	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:26.012540102 CET	50290	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:26.013314009 CET	50290	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:26.014362097 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:26.018058062 CET	48428	50290	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:26.019171953 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:26.019236088 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:26.200573921 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:26.200671911 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:26.205390930 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:26.205432892 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:26.205645084 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:28.371330023 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:28.376177073 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:28.376346111 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:28.381236076 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:29.030920029 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:29.035794973 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:29.035851002 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:29.040667057 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:41.136560917 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:41.142647028 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:41.142707109 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:41.149244070 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:45.418081999 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:45.422957897 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:45.423012018 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:45.427840948 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:45.785828114 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:45.790821075 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:45.790889978 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:45.795730114 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:47.386166096 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:47.386310101 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:47.386956930 CET	50421	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:47.387785912 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:47.391691923 CET	48428	50421	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:47.392601967 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:47.392678022 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:47.537578106 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:47.537684917 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:47.542516947 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:47.542532921 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:47.542546034 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:49.746092081 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:49.751028061 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:49.751179934 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:49.756009102 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:49.953116894 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:49.958041906 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:49.958359957 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:49.963180065 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:51.621057987 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:51.625943899 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:51.626009941 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:51.630822897 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:51.879841089 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:51.884706020 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:51.884851933 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:51.889662027 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:54.044205904 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:54.049113035 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:54.049221039 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:54.054011106 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:54.223869085 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:54.228792906 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:54.228934050 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:54.233688116 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:54.855400085 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:54.860266924 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:54.860318899 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:54.865107059 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:55.055114031 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:55.059981108 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:44:55.060051918 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:44:55.064872026 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:08.378671885 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:08.383583069 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:08.384222984 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:08.389039993 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:08.776398897 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:08.776456118 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:08.777007103 CET	50506	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:08.778004885 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:08.781930923 CET	48428	50506	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:08.782783031 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:08.782927036 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:08.967895985 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:08.967969894 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:08.972846985 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:08.972865105 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:08.972960949 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:11.465087891 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:11.469841957 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:11.469890118 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:11.474678993 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:11.686455965 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:11.691339016 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:11.692148924 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:11.696943998 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:23.964930058 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:23.969784975 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:23.969949007 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:23.975280046 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:29.543282032 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:29.548146963 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:29.548212051 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:29.553006887 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:29.833517075 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:29.838531971 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:29.838618994 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:29.843480110 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:30.152086973 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:30.152285099 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:30.158137083 CET	50507	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:30.158185005 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:30.163021088 CET	48428	50507	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:30.163036108 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:30.163114071 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:30.275777102 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:30.275777102 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:30.280724049 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:30.280738115 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:30.280817032 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:35.653959990 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:35.658840895 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:35.664092064 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:35.668924093 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:35.973912001 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:35.978796005 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:35.979296923 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:35.984133959 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:46.136861086 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:46.141638041 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:46.141757965 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:46.146650076 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:46.334001064 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:46.338799953 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:46.342113972 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:46.347008944 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:51.528987885 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:51.529057026 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:51.529519081 CET	50508	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:51.530680895 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:51.534276962 CET	48428	50508	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:51.535598993 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:51.535682917 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:51.689804077 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:51.689804077 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:45:51.694648027 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:51.694659948 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:45:51.694672108 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:04.902666092 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:04.907623053 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:04.907675982 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:04.912533998 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:05.386888981 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:05.391750097 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:05.391844988 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:05.396648884 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:05.512546062 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:05.517395973 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:05.517565012 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:05.522351027 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:06.230545044 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:06.235755920 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:06.235814095 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:06.240624905 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:06.570039988 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:06.574866056 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:06.578175068 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:06.583009958 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:06.918287992 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:06.923197985 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:06.923243046 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:06.928014994 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:07.118407965 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:07.124587059 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:07.124645948 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:07.130731106 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:12.918356895 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:12.918519020 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:12.921888113 CET	50509	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:12.922740936 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:12.926723957 CET	48428	50509	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:12.927596092 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:12.927858114 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:13.050280094 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:13.050415039 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:13.055293083 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:13.055310011 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:13.055330038 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:16.168507099 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:16.173896074 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:16.173949957 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:16.179236889 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:16.330456972 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:16.335410118 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:16.335464001 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:16.340290070 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:28.168119907 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:28.172995090 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:28.173041105 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:28.177753925 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:28.354734898 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:28.359605074 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:28.359664917 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:28.364442110 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:29.121397018 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:29.126295090 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:29.126377106 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:29.131119967 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:29.317857981 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:29.322763920 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:29.324364901 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:29.329165936 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:30.105706930 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:30.110651016 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:30.110699892 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:30.115478992 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:30.279242039 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:30.284080982 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:30.284141064 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:30.288965940 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:34.324896097 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:34.324980974 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:34.325381994 CET	50510	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:34.326256037 CET	50511	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:34.330147982 CET	48428	50510	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:34.331089973 CET	48428	50511	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:34.331166983 CET	50511	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:34.457176924 CET	50511	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:34.457226038 CET	50511	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:34.462013960 CET	48428	50511	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:34.462027073 CET	48428	50511	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:34.462096930 CET	48428	50511	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:48.855746984 CET	50511	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:48.860675097 CET	48428	50511	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:48.861000061 CET	50511	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:48.865746975 CET	48428	50511	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:55.705144882 CET	48428	50511	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:55.706137896 CET	50511	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:55.712263107 CET	50511	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:55.713083029 CET	50512	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:55.717084885 CET	48428	50511	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:55.717886925 CET	48428	50512	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:55.718075991 CET	50512	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:55.927561045 CET	50512	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:55.927767038 CET	50512	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:46:55.932460070 CET	48428	50512	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:55.932583094 CET	48428	50512	147.185.221.24	192.168.2.4
Jan 7, 2025 15:46:55.932672977 CET	48428	50512	147.185.221.24	192.168.2.4
Jan 7, 2025 15:47:05.355487108 CET	50512	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:47:05.360428095 CET	48428	50512	147.185.221.24	192.168.2.4
Jan 7, 2025 15:47:05.360495090 CET	50512	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:47:05.365299940 CET	48428	50512	147.185.221.24	192.168.2.4
Jan 7, 2025 15:47:05.418127060 CET	50512	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:47:05.422940969 CET	48428	50512	147.185.221.24	192.168.2.4
Jan 7, 2025 15:47:05.422998905 CET	50512	48428	192.168.2.4	147.185.221.24
Jan 7, 2025 15:47:05.427772045 CET	48428	50512	147.185.221.24	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 15:42:59.910159111 CET	51270	53	192.168.2.4	1.1.1.1
Jan 7, 2025 15:42:59.922854900 CET	53	51270	1.1.1.1	192.168.2.4
Jan 7, 2025 15:43:43.190077066 CET	53	52055	162.159.36.2	192.168.2.4
Jan 7, 2025 15:43:43.765737057 CET	53	59560	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 15:42:59.910159111 CET	192.168.2.4	1.1.1.1	0x196	Standard query (0)	co-updated.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 15:42:59.922854900 CET	1.1.1.1	192.168.2.4	0x196	No error (0)	co-updated.gl.at.ply.gg		147.185.221.24	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:42:58
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\loader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\loader.exe"
Imagebase:	0x570000
File size:	558'592 bytes
MD5 hash:	0FD9836E2142BC85CED43D8316650B6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B7C1448 Relevance: 4.0, Strings: 2, Instructions: 1454COMMON

Download Yara Rule

Strings

FO_H, xrefs: 00007FFD9B7CF86D
-O_H, xrefs: 00007FFD9B7CF76F

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID: -O_H$FO_H
API String ID: 0-3879763109
Opcode ID: ebbea68da520b787d1a5f881ea5a3419ac468feab0fab9a1b985ed226cc826dd
Instruction ID: 548e87f4829d11a1b6108a148abf218c699ee07786f946ba5d61528c68efbdcc
Opcode Fuzzy Hash: ebbea68da520b787d1a5f881ea5a3419ac468feab0fab9a1b985ed226cc826dd
Instruction Fuzzy Hash: DEA21921F0D64A5BFB68B76888666B832C19F94304F55067DD05DC73FBEE1CB90A8392

Function 00007FFD9B7CBAE8 Relevance: 2.2, Strings: 1, Instructions: 902
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FFD9B7CC27C

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9c313108ed593f13489f6df3cbec5cadcc4524fe59b317eb1ce5020abc400918
Instruction ID: ad06d71700a3bf7d7dd4ec648ddc988c8c002278db207509508fadbc736a128e
Opcode Fuzzy Hash: 9c313108ed593f13489f6df3cbec5cadcc4524fe59b317eb1ce5020abc400918
Instruction Fuzzy Hash: 6F62B161E0E78E1FE766B77848651B53BA09F56314F0642FED088C73F7E91C690A8392

Function 00007FFD9B7CE9AD Relevance: 1.6, APIs: 1, Instructions: 127
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FFD9B7CEA84

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8105e43e93c11d210d9f05fd6ed123234297ae71ea379db44d0037ce35440068
Instruction ID: 69f2cee512fb26ca13c6d481c0f94acfe2e99640db1d19b8fb267f9230e1c665
Opcode Fuzzy Hash: 8105e43e93c11d210d9f05fd6ed123234297ae71ea379db44d0037ce35440068
Instruction Fuzzy Hash: E131A631A1CB4C8FDB589B5C98166ED7BE1EB99310F0042AFE049D3296DB75A8458BC2

Function 00007FFD9B7C98E7 Relevance: 1.0, Instructions: 1008COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17840a273f72e979474e32f421e592cc4e92097a8893bf232a70645921a99f6c
Instruction ID: 90ca863d1978372b0863b1a2b20729b4aaaa0f8b52c4c11ce278921e63443375
Opcode Fuzzy Hash: 17840a273f72e979474e32f421e592cc4e92097a8893bf232a70645921a99f6c
Instruction Fuzzy Hash: CD62EA21E0E78E5FEBB6A6A448751B87BA0DF56301F1603BEC44DC72F3D91C6A498352

Function 00007FFD9B7C1600 Relevance: 1.0, Instructions: 999COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d8f26c357a4852a424d0e88278eb19a86ff58342965248ad4f0591c3d8ead7
Instruction ID: d8887b0130c501ced27ed3e4d078b7018f0a5142287e107f4b8ed865d6a7710e
Opcode Fuzzy Hash: e5d8f26c357a4852a424d0e88278eb19a86ff58342965248ad4f0591c3d8ead7
Instruction Fuzzy Hash: D262C951E0E7CA1FE726B6A44C651B53BA0DF12314F5A02FED099CB2F7ED1C690A8352

Function 00007FFD9B7D10D8 Relevance: .5, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c96fa22535d1b7b717eec278a6684ff650526171fd66ff601c456fae8cd92b8
Instruction ID: cd73d2463082c74aaded250422194e40da7162bb12be3f229a98d25fecc326fe
Opcode Fuzzy Hash: 9c96fa22535d1b7b717eec278a6684ff650526171fd66ff601c456fae8cd92b8
Instruction Fuzzy Hash: 8BF17361E0F3CA0FE77296A488756643BA09F96391F0A47FAD44CCB4F3D91D690E8352

Function 00007FFD9B7C7236 Relevance: .5, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b570be045acbd60cb3869f0594d4a8c8969bcf7a672611f07fb0bd8a3245c8b
Instruction ID: fd44a24ca139146eef2a34d06b412271574e5aba6113ac192587b1c9700922c9
Opcode Fuzzy Hash: 2b570be045acbd60cb3869f0594d4a8c8969bcf7a672611f07fb0bd8a3245c8b
Instruction Fuzzy Hash: 28F18230A09A8D9FEBA8EF28C8557F937D1FB54310F14426EE85DC72A5DF3499418B82

Function 00007FFD9B7C7FE2 Relevance: .5, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d25d8e4f6b4a72876d8db21c47ee4c5376eb519d92f39b9280cd69ff9e580f2
Instruction ID: c5d287b18241f8b116b7e3557db1bf6e5d58e4035d00033cb7bb7289a6081a8e
Opcode Fuzzy Hash: 0d25d8e4f6b4a72876d8db21c47ee4c5376eb519d92f39b9280cd69ff9e580f2
Instruction Fuzzy Hash: C3E1A330A09A4E8FEBA8EF28C8557F977D1FB54310F05436ED84DC72A5DB74A9418781

Function 00007FFD9B7CC681 Relevance: .4, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62dd440b1e1200b831a84c7637b0899ed334808ef971b42bfe2982aa39d42ff
Instruction ID: c135e0d2f9050b047c44d98d59a822a2dc0f65a4d83c3ea7264e35469cd8da55
Opcode Fuzzy Hash: f62dd440b1e1200b831a84c7637b0899ed334808ef971b42bfe2982aa39d42ff
Instruction Fuzzy Hash: 4EE10962F0E64F5AFB65B6B498716B93BA0DF61300F1602BDC049D72F6EE1C690A43D1

Function 00007FFD9B7CBD4B Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0162d6669991b53959d165dad16617a3c496355638644ed40636337a43a703af
Instruction ID: 42976d5dc7d790f7f52bfc4aee231ba7728e846f11aa55cc5b6dc84f818799a2
Opcode Fuzzy Hash: 0162d6669991b53959d165dad16617a3c496355638644ed40636337a43a703af
Instruction Fuzzy Hash: C3D1B861F1E60F26FBB9B6788C6257631909F54309F56537CE40CC23FAED1CAA4642D2

Function 00007FFD9B7C3440 Relevance: .4, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d07cefd4dbd7867c4fefba1f96bc3e0a839588d11cc914187ee06f6909bef56
Instruction ID: f1e2c91fac9cbdcef4540a94f46508ed6580d2380b780447d7c1b250d683be2e
Opcode Fuzzy Hash: 0d07cefd4dbd7867c4fefba1f96bc3e0a839588d11cc914187ee06f6909bef56
Instruction Fuzzy Hash: 57D14211A1E3C61EE77762A498361753F609F52305F1702FFC589CA2F3D92D6A0A8372

Non-executed Functions

Function 00007FFD9B7C02FD Relevance: 3.0, Strings: 2, Instructions: 543COMMON

Download Yara Rule

Strings

P_^:, xrefs: 00007FFD9B7C0772
P_^<, xrefs: 00007FFD9B7C077A

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID: P_^:$P_^<
API String ID: 0-1571676453
Opcode ID: 0588171d1c53ab37bcebddd639396b07b04d8641f643cec7eafed143e08e7c6c
Instruction ID: 4865bb107ec8690e68cb4eaec4585fb8e6931a513ba7dcf5bac2f19fb1113c43
Opcode Fuzzy Hash: 0588171d1c53ab37bcebddd639396b07b04d8641f643cec7eafed143e08e7c6c
Instruction Fuzzy Hash: DFF10717F0E6D22AF325B6F938294FD3B64DFC173972A82BBD09D890E79C08254582D5

Function 00007FFD9B7C9CB1 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141691213.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf9a015f2526479dcd592b3c410957c6f2ea3399b444e618ea4d6a7da3f8a2
Instruction ID: 4759c06ebb3b0005085022250eb41dbe7b57ee35110a493f05661054fe187f2e
Opcode Fuzzy Hash: 2dcf9a015f2526479dcd592b3c410957c6f2ea3399b444e618ea4d6a7da3f8a2
Instruction Fuzzy Hash: 0B41E522E0F79B2AF7FBB1B484791B576909F53300F0607BDC44C972F2EA0C6A5A5291

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
loader.exe

Function 00007FFD9B7CBAE8 Relevance: 2.2, Strings: 1, Instructions: 902
COMMON

Function 00007FFD9B7CE9AD Relevance: 1.6, APIs: 1, Instructions: 127
nativeCOMMON

Function 00007FFD9B7D10D8 Relevance: .5, Instructions: 526
COMMON

Function 00007FFD9B7C7236 Relevance: .5, Instructions: 472
COMMON

Function 00007FFD9B7C7FE2 Relevance: .5, Instructions: 458
COMMON

Function 00007FFD9B7CC681 Relevance: .4, Instructions: 435
COMMON

Function 00007FFD9B7C3440 Relevance: .4, Instructions: 370
COMMON