Windows
Analysis Report
GhwFStoMJX.exe
Overview
General Information
Sample name: | GhwFStoMJX.exerenamed because original name is a hash value |
Original sample name: | fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264.exe |
Analysis ID: | 1587768 |
MD5: | ed236267c78420804814d86de99b8850 |
SHA1: | 21bd6d19e5664158c3d4d77ca3a2b7889827d0d4 |
SHA256: | fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264 |
Tags: | exeuser-adrian__luca |
Infos: | |
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- GhwFStoMJX.exe (PID: 3876 cmdline:
"C:\Users\ user\Deskt op\GhwFSto MJX.exe" MD5: ED236267C78420804814D86DE99B8850)
- cleanup
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | IP Address: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 31 Virtualization/Sandbox Evasion | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
66% | ReversingLabs | Win32.Trojan.Leonem | ||
100% | Avira | HEUR/AGEN.1362855 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
oshi.at | 5.253.86.15 | true | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
5.253.86.15 | oshi.at | Cyprus | 208046 | HOSTSLICK-GERMANYNL | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1587768 |
Start date and time: | 2025-01-10 17:58:28 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 53s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | GhwFStoMJX.exerenamed because original name is a hash value |
Original Sample Name: | fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264.exe |
Detection: | MAL |
Classification: | mal64.winEXE@1/0@1/1 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, WMIADAP.exe, SIHCl ient.exe, conhost.exe - Excluded IPs from analysis (wh
itelisted): 52.149.20.212, 13. 107.246.45 - Excluded domains from analysis
(whitelisted): slscr.update.m icrosoft.com, otelrules.azuree dge.net, ctldl.windowsupdate.c om, fe3cr.delivery.mp.microsof t.com - Execution Graph export aborted
for target GhwFStoMJX.exe, PI D 3876 because it is empty - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtQueryValueKey calls found. - Report size getting too big, t
oo many NtReadVirtualMemory ca lls found. - VT rate limit hit for: GhwFSt
oMJX.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
5.253.86.15 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
oshi.at | Get hash | malicious | MassLogger RAT | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Lokibot | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
HOSTSLICK-GERMANYNL | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
File type: | |
Entropy (8bit): | 4.8419219498993815 |
TrID: |
|
File name: | GhwFStoMJX.exe |
File size: | 31'712 bytes |
MD5: | ed236267c78420804814d86de99b8850 |
SHA1: | 21bd6d19e5664158c3d4d77ca3a2b7889827d0d4 |
SHA256: | fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264 |
SHA512: | 7c28b89d1e7c4c429cc2528cc935839be61a5cb41c621ae48547c7cc64479df6a0254382eaab2fba52af3d4cbf261ccffdfc8d0d40043042bc6cb86f7be7af1a |
SSDEEP: | 384:GSwPLqusAKYP/GKhwlJCXOxFm7bhCm/zH:xwz9HvK6XiFZKj |
TLSH: | 00E22A424B3843A2D94F4A38E8D156F319BDDE845E4C569B2790FF0E5DB4B881BC71AC |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ig.....................J......r0... ...@....@.. ....................................`................................ |
Icon Hash: | 27d8dcd6d4d85007 |
Entrypoint: | 0x403072 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6769F7E0 [Mon Dec 23 23:53:04 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Signature Valid: | false |
Signature Issuer: | CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | FF0E889D2A73C3A679605952D35452DC |
Thumbprint SHA-1: | 2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C |
Thumbprint SHA-256: | A73352D67693AA16BCE2F182B15891F0F23EA0485CC18938686AAFDEE7B743E3 |
Serial: | 6DD2E3173995F51BFAC1D9FB4CB200C1 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3028 | 0x4a | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x4656 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5e00 | 0x1de0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x1078 | 0x1200 | 4d7035380253ed363ae6317dc8c576b6 | False | 0.5501302083333334 | data | 5.239235838942246 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x4000 | 0x4656 | 0x4800 | 25fbfd232277978aeab9ab157c4dce6e | False | 0.06179470486111111 | data | 2.4670696213657792 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xa000 | 0xc | 0x200 | 78220c57bae77f0280715bd915a05a2a | False | 0.04296875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x406c | 0x4028 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | 0.02368485143692158 | ||
RT_GROUP_ICON | 0x80d0 | 0x14 | data | 1.05 | ||
RT_VERSION | 0x8120 | 0x310 | data | 0.4477040816326531 | ||
RT_MANIFEST | 0x846c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5489795918367347 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Download Network PCAP: filtered – full
- Total Packets: 24
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 10, 2025 18:00:12.685635090 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:00:12.685676098 CET | 443 | 49712 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:00:12.686553955 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:00:12.699709892 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:00:12.699727058 CET | 443 | 49712 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:00:55.436235905 CET | 443 | 49712 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:00:55.436305046 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:00:55.443146944 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:00:55.443164110 CET | 443 | 49712 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:00:55.452294111 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:00:55.452338934 CET | 443 | 49722 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:00:55.452544928 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:00:55.452944040 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:00:55.452955008 CET | 443 | 49722 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:01:38.187880039 CET | 443 | 49722 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:01:38.187980890 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:01:38.189039946 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:01:38.189063072 CET | 443 | 49722 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:01:38.196461916 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:01:38.196508884 CET | 443 | 49982 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:01:38.196569920 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:01:38.196940899 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:01:38.196959019 CET | 443 | 49982 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:02:20.972798109 CET | 443 | 49982 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:02:20.973002911 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:02:20.974972963 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:02:20.974998951 CET | 443 | 49982 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:02:20.976881027 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:02:20.976919889 CET | 443 | 49985 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:02:20.977006912 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:02:20.977484941 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:02:20.977497101 CET | 443 | 49985 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:03:03.735485077 CET | 443 | 49985 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:03:03.735589027 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:03:03.741291046 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:03:03.741324902 CET | 443 | 49985 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:03:03.755677938 CET | 49986 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:03:03.755729914 CET | 443 | 49986 | 5.253.86.15 | 192.168.2.10 |
Jan 10, 2025 18:03:03.755853891 CET | 49986 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:03:03.789199114 CET | 49986 | 443 | 192.168.2.10 | 5.253.86.15 |
Jan 10, 2025 18:03:03.789217949 CET | 443 | 49986 | 5.253.86.15 | 192.168.2.10 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 10, 2025 18:00:12.664087057 CET | 51876 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 10, 2025 18:00:12.677225113 CET | 53 | 51876 | 1.1.1.1 | 192.168.2.10 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 10, 2025 18:00:12.664087057 CET | 192.168.2.10 | 1.1.1.1 | 0x4432 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 10, 2025 18:00:12.677225113 CET | 1.1.1.1 | 192.168.2.10 | 0x4432 | No error (0) | 5.253.86.15 | A (IP address) | IN (0x0001) | false | ||
Jan 10, 2025 18:00:12.677225113 CET | 1.1.1.1 | 192.168.2.10 | 0x4432 | No error (0) | 194.15.112.248 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 12:00:11 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\Desktop\GhwFStoMJX.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xea0000 |
File size: | 31'712 bytes |
MD5 hash: | ED236267C78420804814D86DE99B8850 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|