Windows
Analysis Report
qlGJTKUY7O.exe
Overview
General Information
Sample name: | qlGJTKUY7O.exerenamed because original name is a hash value |
Original sample name: | de2caf0c3b99a460e5814236acb8d0015553a694ce41ee1cc67bb3576f356a6c.exe |
Analysis ID: | 1600638 |
MD5: | 11438178690245614874f6b764556d70 |
SHA1: | 07c91998055fc8babee116468d38f269400ced65 |
SHA256: | de2caf0c3b99a460e5814236acb8d0015553a694ce41ee1cc67bb3576f356a6c |
Tags: | 176-113-115-225bookingexeuser-JAMESWT_MHT |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
qlGJTKUY7O.exe (PID: 6200 cmdline:
"C:\Users\ user\Deskt op\qlGJTKU Y7O.exe" MD5: 11438178690245614874F6B764556D70) WerFault.exe (PID: 5424 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 6 200 -s 152 8 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
{
"C2 url": [
"176.113.115.225"
],
"Port": 4444,
"Aes key": "P0WER",
"SPL": "<Xwormmm>",
"Install file": "USB.exe"
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T19:47:51.417290+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:47:57.037211+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:01.483420+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:11.769294+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:11.782998+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:21.634752+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:27.151730+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:27.159381+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:31.713469+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:40.215397+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:42.884882+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:43.008606+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:43.777041+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:48.088581+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:52.666514+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:56.635555+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:56.946966+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:00.026250+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:05.010393+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:05.132930+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:08.980030+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:09.121936+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:09.243863+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:09.486029+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T19:47:51.494628+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:01.485753+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:11.778914+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:21.636877+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:31.715310+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:40.217657+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:42.887449+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:43.010205+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:43.779456+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:48.101526+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:52.670400+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:56.637669+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:00.030174+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:05.014088+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:05.134931+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:08.982209+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.135998+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.249643+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.373699+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.381253+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.494299+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.613514+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.621172+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T19:47:57.037211+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T19:47:51.194552+0100 | 2858800 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
- • Lowering of HIPS / PFW / Operating System Security Settings
- • Stealing of Sensitive Information
- • Remote Access Functionality
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_00007FFB4AD864C6 | |
Source: | Code function: | 0_2_00007FFB4AD87272 | |
Source: | Code function: | 0_2_00007FFB4AD8A244 |
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Classification label: |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Data Obfuscation |
---|
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior |
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 131 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | LSASS Memory | 141 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
71% | Virustotal | Browse | ||
84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT | ||
100% | Avira | TR/Dropper.Gen | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
176.113.115.225 | unknown | Russian Federation | 49505 | SELECTELRU | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1600638 |
Start date and time: | 2025-01-27 19:46:12 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 53s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | qlGJTKUY7O.exerenamed because original name is a hash value |
Original Sample Name: | de2caf0c3b99a460e5814236acb8d0015553a694ce41ee1cc67bb3576f356a6c.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@2/5@0/1 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, WerFault.exe, WMIA DAP.exe, SIHClient.exe, conhos t.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 20.42.65.92, 4.175 .87.197, 13.107.246.45, 20.190 .159.64 - Excluded domains from analysis
(whitelisted): onedsblobprdeu s17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.upda te.microsoft.com, otelrules.az ureedge.net, login.live.com, b lobcollector.events.data.traff icmanager.net, ctldl.windowsup date.com, umwatson.events.data .microsoft.com, fe3cr.delivery .mp.microsoft.com - Execution Graph export aborted
for target qlGJTKUY7O.exe, PI D 6200 because it is empty - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtSetInformationFile c alls found.
Time | Type | Description |
---|---|---|
13:47:40 | API Interceptor | |
13:49:17 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
176.113.115.225 | Get hash | malicious | XWorm | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
SELECTELRU | Get hash | malicious | XWorm | Browse |
| |
Get hash | malicious | Amadey, AsyncRAT, KeyLogger, LummaC Stealer, PureLog Stealer, ReverseShell, Stealc | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | Amadey, Socks5Systemz | Browse |
| ||
Get hash | malicious | Socks5Systemz | Browse |
| ||
Get hash | malicious | Amadey, AsyncRAT, PureLog Stealer, Vidar | Browse |
|
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.2168378994787208 |
Encrypted: | false |
SSDEEP: | 192:OOQBk/081iHxaWz8iyolHmF3WzuiF9Z24lO8i:XQBP81iRa48irGUzuiF9Y4lO8i |
MD5: | 9350AAF68392DCF48F8332F98614BC70 |
SHA1: | FB7C5105C52438B747253E5E83F22D78AA8C5E8C |
SHA-256: | 44068A51064157C3167941A64E4CC876187840C640007FADDD6A10416B6EFF5A |
SHA-512: | FC2C8646F0E5E2AD2C2740318CF6F54B09FFA46EA31B611BC662A07F97DA8245E7FE8C49A887AB570995D50B02185358E1C1E6011BA25ECD00E7F7BBE9E7D695 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 511453 |
Entropy (8bit): | 3.114171460971814 |
Encrypted: | false |
SSDEEP: | 3072:K0kdbG5s3+vv0UFWzRl4tMPYb9Y/cSpPw1C4gYAk9iYj1CCqoB5Dpx:K0kdqC3QSlMMPYb98pk5fgY7qG5Vx |
MD5: | B5513FE0A404DAC29E0D02434CA84B58 |
SHA1: | A804C0DFAD25795C184CC7652677CA74B0072055 |
SHA-256: | 2C29D8FE35EE0505D6CBA144963E4D25C257CA9C57C570B5EDF08B36F7AF96E7 |
SHA-512: | B17C4FA21AAB748CF4BDE50B991957D06C0EEF77941B071E4B98D1397AC54AA7F7F5BFD9471D54C4CA61AC7185FB8E49BDCAE0B39AC3399C74C04AFA19A38506 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8904 |
Entropy (8bit): | 3.7093251908469163 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJ2jlqY6YSCnmgmfZy8zprW89bnv1PfmDf5tm:R6lXJYlr6YXmgmfIQn9PfmDfK |
MD5: | A5D03A138098C076BB4934932900DC8D |
SHA1: | 5D5AE3ABA03F41BAC54EA83B0BD81DF7007ED65D |
SHA-256: | 247138A0DB85E42DCFD2B3873775D72B38DD251385AC3F3B168C6EC76916234F |
SHA-512: | 14ADFF7F0FAAA456BBB68EC902C019D8A8D126D98A64EDBB596E63F7409D20B475EAABEF8E0D6AA67EFCD7D78D05093B7620E2A3BDCF9FDDDE2641B0F9C7B1D2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4780 |
Entropy (8bit): | 4.475809465960582 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsZJg771I9i9WpW8VYqKYm8M4JqnFfymyq8vvlGG7Td:uIjfrI7VM7VnjJNmWNF7Td |
MD5: | DDE86D3D05CE408B21710D79D9175837 |
SHA1: | 6D095AD41EB144266DB744BF5AE3C7FE4727E9B0 |
SHA-256: | E833B22B863F7BD9ECE44EA9B4FF9EA8CA00BFF63480868FD4E0566B348A2115 |
SHA-512: | 7DD998DEC8413AB8F6F9D1EF2B8EE34986B0DEDA03A345E5947A6B72F90BAD7B99485946E54CE6145FAE91EBFF14B79D9B34A605B047A862D7A75D024FAE29E5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.372267423097939 |
Encrypted: | false |
SSDEEP: | 6144:JFVfpi6ceLP/9skLmb0hyWWSPtaJG8nAge35OlMMhA2AX4WABlguN2iL/:fV1byWWI/glMM6kF7Qq/ |
MD5: | 164844D4BC20A3910ACFF46155C24B6E |
SHA1: | 0C876422D1E854500E2502C7934EF7BC63FC884D |
SHA-256: | 2EF0773316151E0676F07038C79C7E47A87E782614D10F055D8B546DC0020EE2 |
SHA-512: | 2B59FD356E4A0E4448EF75859A06A86273F97E37FFAAA51876BC25EF4F75EFC767BC8F71D3ADB06D85A953F9E86B1F4CA44977AA167C21F52BE3EB4D84F34375 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.6429573436509255 |
TrID: |
|
File name: | qlGJTKUY7O.exe |
File size: | 242'769 bytes |
MD5: | 11438178690245614874f6b764556d70 |
SHA1: | 07c91998055fc8babee116468d38f269400ced65 |
SHA256: | de2caf0c3b99a460e5814236acb8d0015553a694ce41ee1cc67bb3576f356a6c |
SHA512: | 0cbfb9f8a239812966e76c8205f781c722188b6ffe4d95736563a387b5843783f85a2549028366b1af0499f7decb2069043096de355270ca60ca93cb2b1da52a |
SSDEEP: | 3072:dKQ838htC1xXkbE7sO9HqtlrxNeLR1VfBKQ838htC1xXkbE7sO9HqtlrxNeLR1VT:dSs8UbptxnqR1TSs8UbptxnqR1h |
TLSH: | E934E79C736072DFC8ABD5719EA82C64EB70757B830B4617A457029EAE0D98BCF141F2 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.g............................n.... ........@.. .......................@............@................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40f26e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x679270D9 [Thu Jan 23 16:39:53 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf220 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x4ce | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xd274 | 0xd400 | b7405d31711236f0e57e5ae179990193 | False | 0.6131522700471698 | data | 6.053995047071589 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0x4ce | 0x600 | b6854ead75e0aea5a0ec3175723e462f | False | 0.3736979166666667 | data | 3.7184457289766475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x12000 | 0xc | 0x200 | 6337b9e9d5046d21cbc9e9adf359daaa | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x100a0 | 0x244 | data | 0.4724137931034483 | ||
RT_MANIFEST | 0x102e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5469387755102041 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Download Network PCAP: filtered – full
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T19:47:51.194552+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:47:51.417290+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:47:51.494628+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:47:57.037211+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:47:57.037211+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:01.483420+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:01.485753+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:11.769294+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:11.778914+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:11.782998+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:21.634752+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:21.636877+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:27.151730+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:27.159381+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:31.713469+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:31.715310+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:40.215397+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:40.217657+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:42.884882+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:42.887449+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:43.008606+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:43.010205+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:43.777041+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:43.779456+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:48.088581+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:48.101526+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:52.666514+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:52.670400+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:56.635555+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:48:56.637669+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:48:56.946966+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:00.026250+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:00.030174+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:05.010393+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:05.014088+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:05.132930+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:05.134931+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:08.980030+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:08.982209+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.121936+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:09.135998+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.243863+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:09.249643+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.373699+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.381253+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.486029+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP |
2025-01-27T19:49:09.494299+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.613514+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
2025-01-27T19:49:09.621172+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 27, 2025 19:47:40.936048031 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:47:40.940860987 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:47:40.940938950 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:47:41.119703054 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:47:41.124778032 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:47:51.194551945 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:47:51.199675083 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:47:51.417289972 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:47:51.467880011 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:47:51.494627953 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:47:51.499484062 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:47:57.037210941 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:47:57.092892885 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:01.265467882 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:01.270340919 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:01.483419895 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:01.485753059 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:01.491880894 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:11.343321085 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:11.348262072 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:11.769294024 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:11.778913975 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:11.782998085 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:11.783047915 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:11.783710003 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:21.421437025 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:21.426238060 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:21.634752035 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:21.636877060 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:21.641694069 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:27.151730061 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:27.159380913 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:27.159673929 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:31.499730110 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:31.504683018 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:31.713469028 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:31.715310097 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:31.720175028 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:39.999769926 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:40.006592035 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:40.215396881 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:40.217657089 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:40.222466946 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:42.671472073 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:42.676371098 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:42.702828884 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:42.707791090 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:42.884881973 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:42.887449026 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:42.892262936 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:43.008605957 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:43.010205030 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:43.015084982 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:43.562838078 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:43.570066929 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:43.777040958 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:43.779455900 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:43.785077095 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:47.874459028 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:47.880044937 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:48.088581085 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:48.101526022 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:48.106398106 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:52.452687025 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:52.457561970 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:52.666513920 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:52.670399904 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:52.675170898 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:56.421487093 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:56.426410913 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:56.635555029 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:56.637669086 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:56.642884970 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:56.946965933 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:48:57.108675003 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:59.812382936 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:48:59.817167044 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:00.026249886 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:00.030174017 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:00.034991980 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:04.796761036 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:04.805911064 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:04.828120947 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:04.834160089 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:05.010392904 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:05.014087915 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:05.020061970 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:05.132930040 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:05.134931087 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:05.139770985 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:08.765894890 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:08.770703077 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:08.890372992 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:08.895147085 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:08.921375990 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:08.926156044 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:08.980030060 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:08.982208967 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:08.988204002 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:08.999572039 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.004318953 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.015217066 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.019969940 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.093314886 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.098140955 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.121936083 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.135998011 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.183001041 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.183058977 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.187839031 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.218508959 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.223275900 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.243863106 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.249643087 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.299052954 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.364969015 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.373698950 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.378524065 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.381253004 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.386086941 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.486028910 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.494298935 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.499119043 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.607422113 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.613513947 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.618475914 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:09.621171951 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Jan 27, 2025 19:49:09.625983000 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8 |
Jan 27, 2025 19:49:19.348105907 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 13:47:31 |
Start date: | 27/01/2025 |
Path: | C:\Users\user\Desktop\qlGJTKUY7O.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xab0000 |
File size: | 242'769 bytes |
MD5 hash: | 11438178690245614874F6B764556D70 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 8 |
Start time: | 13:49:10 |
Start date: | 27/01/2025 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7af1a0000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|