Windows
Analysis Report
xpmg.exe
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- • AV Detection
- • Cryptography
- • Compliance
- • Spreading
- • Networking
- • System Summary
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
Click to jump to signature section
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Binary or memory string: | memstr_5d7ce34c-b |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | DNS query: | ||
Source: | DNS query: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Process token adjusted: | Jump to behavior |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process token adjusted: | Jump to behavior |
Source: | Code function: | 0_2_00007FF7139AD4A8 |
Source: | Key value queried: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 DLL Side-Loading | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | Obfuscated Files or Information | Security Account Manager | 3 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
15% | Virustotal | Browse | ||
19% | ReversingLabs | Win64.Trojan.SpywareX |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
api.ipify.org | 104.26.12.205 | true | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false | |
155.138.150.12 | unknown | United States | 20473 | AS-CHOOPAUS | false |
IP |
---|
127.0.0.1 |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1644979 |
Start date and time: | 2025-03-21 09:04:17 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | xpmg.exe |
Detection: | MAL |
Classification: | mal48.winEXE@2/0@1/3 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, B ackgroundTransferHost.exe, WMI ADAP.exe, SIHClient.exe, backg roundTaskHost.exe, conhost.exe - Excluded IPs from analysis (wh
itelisted): 172.202.163.200, 2 3.96.180.189, 150.171.28.10, 2 3.44.201.12 - Excluded domains from analysis
(whitelisted): www.bing.com, c2a9c95e369881c67228a6591cac26 86.clo.footprintdns.com, ax-ri ng.msedge.net, slscr.update.mi crosoft.com, ctldl.windowsupda te.com, g.bing.com, arc.msn.co m, fe3cr.delivery.mp.microsoft .com - Execution Graph export aborted
for target xpmg.exe, PID 8776 because there are no executed function - Execution Graph export aborted
for target xpmg.exe, PID 8804 because there are no executed function - Not all processes where analyz
ed, report is missing behavior information
Time | Type | Description |
---|---|---|
09:05:14 | Task Scheduler |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.26.12.205 | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | RHADAMANTHYS | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
api.ipify.org | Get hash | malicious | HTMLPhisher | Browse |
| |
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | NetSupport RAT | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | HTMLPhisher | Browse |
| |
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | RHADAMANTHYS | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
AS-CHOOPAUS | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Okiru | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
bd0bf25947d4a37404f0424edf4db9ad | Get hash | malicious | Meduza Stealer, RHADAMANTHYS | Browse |
| |
Get hash | malicious | RHADAMANTHYS | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
File type: | |
Entropy (8bit): | 6.7161526004645 |
TrID: |
|
File name: | xpmg.exe |
File size: | 11'450'880 bytes |
MD5: | 73e43654e9f3df0d07d25051b2d3cfeb |
SHA1: | 6eebcc3ab72ea0eeb5b9d3340145b41bea23423b |
SHA256: | 666944b19c707afaa05453909d395f979a267b28ff43d90d143cd36f6b74b53e |
SHA512: | 871600ae79b26bde4b5601fcf3c9e2e3d2a9f9bc04cd06d10cf69036a714a5b89b811da07070e021e7d844fc8c57a406e17361e8f738b1068b24d989e40e659c |
SSDEEP: | 196608:KoykUxv987qMNR4Ok/RDpgPnqSuR3pfRkAJ:7UxFUqMNR4Ok5DpgPnqSuR3pfRf |
TLSH: | 64B6AE5AA2B800D8D4BBC078CA569617E7B1741D03F057EF26A496F52F23BE07E7A740 |
File Content Preview: | MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......1..=u..nu..nu..n...ob..n...o...nd}.n|..nd}.oa..nd}.o{..nd}.o...n...oW..n>~.o...nu..nK..n...ot..n...of..nu..n...n.}.o...n.}.o... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x14079ce50 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67CCC528 [Sat Mar 8 22:31:04 2025 UTC] |
TLS Callbacks: | 0x4079c5d0, 0x1, 0x4079d1a0, 0x1 |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | b499fbb2966a868acfd7581339fc5018 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007FA66C85C374h |
dec eax |
add esp, 28h |
jmp 00007FA66C85BB9Fh |
int3 |
int3 |
dec eax |
mov dword ptr [esp+10h], ebx |
dec eax |
mov dword ptr [esp+18h], esi |
push ebp |
push edi |
inc ecx |
push esi |
dec eax |
mov ebp, esp |
dec eax |
sub esp, 10h |
xor eax, eax |
xor ecx, ecx |
cpuid |
inc esp |
mov eax, ecx |
inc esp |
mov edx, edx |
inc ecx |
xor edx, 49656E69h |
inc ecx |
xor eax, 6C65746Eh |
inc esp |
mov ecx, ebx |
inc esp |
mov esi, eax |
xor ecx, ecx |
mov eax, 00000001h |
cpuid |
inc ebp |
or edx, eax |
mov dword ptr [ebp-10h], eax |
inc ecx |
xor ecx, 756E6547h |
mov dword ptr [ebp-0Ch], ebx |
inc ebp |
or edx, ecx |
mov dword ptr [ebp-08h], ecx |
mov edi, ecx |
mov dword ptr [ebp-04h], edx |
jne 00007FA66C85BD7Dh |
dec eax |
or dword ptr [002DFE61h], FFFFFFFFh |
and eax, 0FFF3FF0h |
dec eax |
mov dword ptr [002DFE49h], 00008000h |
cmp eax, 000106C0h |
je 00007FA66C85BD4Ah |
cmp eax, 00020660h |
je 00007FA66C85BD43h |
cmp eax, 00020670h |
je 00007FA66C85BD3Ch |
add eax, FFFCF9B0h |
cmp eax, 20h |
jnbe 00007FA66C85BD46h |
dec eax |
mov ecx, 00010001h |
add dword ptr [eax], eax |
add byte ptr [eax], al |
dec eax |
bt ecx, eax |
jnc 00007FA66C85BD36h |
inc esp |
mov eax, dword ptr [0031CDE7h] |
inc ecx |
or eax, 01h |
inc esp |
mov dword ptr [0031CDDCh], eax |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa7050c | 0xc8 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0b000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xabc000 | 0x4e618 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0c000 | 0xeee8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9e9a10 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x9e9c00 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9e98d0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x81b000 | 0xaa8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x8197c0 | 0x819800 | d5e704faf062061fd2f7806c0772d859 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x81b000 | 0x2577b2 | 0x257800 | 7404ab2c72bbde461896fb5967002f19 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa73000 | 0x4897c | 0x1cc00 | 8b4ca124fc16babe0804dbf2f53e42ea | False | 0.1606148097826087 | data | 4.8288102616911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0xabc000 | 0x4e618 | 0x4e800 | 624699aa34c2f48cd612f99f0da8c9c3 | False | 0.48581185310509556 | data | 6.474035881676496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0xb0b000 | 0x1e0 | 0x200 | 61b1f16028358d050dfad06e2a1e19fc | False | 0.53125 | data | 4.7137725829467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xb0c000 | 0xeee8 | 0xf000 | 96181a1406d89d30e5c02ff2df55d70f | False | 0.26925455729166664 | data | 5.459649082470015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0xb0b060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
ole32.dll | CoInitialize, StgCreateDocfile, CoTaskMemFree, CoCreateInstance, CoUninitialize |
USER32.dll | GetUserObjectInformationW, MessageBoxW, GetProcessWindowStation |
WS2_32.dll | gethostname, __WSAFDIsSet, inet_ntop, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, WSAIoctl, inet_pton, sendto, recvfrom, getpeername, socket, listen, bind, accept, send, recv, getservbyname, getservbyport, gethostbyaddr, inet_ntoa, inet_addr, gethostbyname, getsockname, freeaddrinfo, getaddrinfo, shutdown, ntohs, WSASocketW, WSARecv, select, getsockopt, connect, WSAStringToAddressW, WSASend, WSAGetLastError, WSASetLastError, WSACleanup, WSAStartup, setsockopt, ntohl, htons, htonl, ioctlsocket, closesocket |
bcrypt.dll | BCryptGenRandom |
ADVAPI32.dll | CryptDestroyKey, RegOpenKeyExW, RegGetValueW, RegEnumKeyExW, RegQueryInfoKeyW, RegSetValueExW, RegEnumValueW, SystemFunction036, CryptAcquireContextA, CryptReleaseContext, CryptGenRandom, CryptEnumProvidersA, CryptAcquireContextW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptEncrypt, CryptImportKey, RegCloseKey, CryptDestroyHash |
KERNEL32.dll | QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, DuplicateHandle, LoadLibraryExW, FreeLibraryAndExitThread, GetThreadTimes, GetCurrentThread, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, LCMapStringEx, GetCPInfo, CompareStringEx, DecodePointer, EncodePointer, SignalObjectAndWait, CreateThread, GetThreadPriority, GetCurrentProcessorNumberEx, GetLogicalProcessorInformationEx, GetNumaHighestNodeNumber, GetThreadGroupAffinity, SetThreadGroupAffinity, GetProcessAffinityMask, ExitThread, ResumeThread, SetConsoleCtrlHandler, ExitProcess, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, SetStdHandle, GetLastError, FormatMessageA, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, LocalFree, CloseHandle, SetLastError, CreateIoCompletionPort, GetQueuedCompletionStatus, PostQueuedCompletionStatus, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, WaitForSingleObject, SleepEx, CreateEventW, SetWaitableTimer, WaitForMultipleObjects, QueueUserAPC, TerminateThread, InitializeCriticalSectionEx, CreateWaitableTimerW, LoadLibraryA, InitializeCriticalSection, Sleep, GetSystemInfo, VirtualFree, GetEnvironmentVariableW, GetCurrentDirectoryW, CreateDirectoryW, CreateFileW, DeleteFileW, FlushFileBuffers, GetFileAttributesW, GetFileInformationByHandle, GetFileTime, GetFullPathNameW, RemoveDirectoryW, SetEndOfFile, SetFileAttributesW, SetFilePointerEx, DeviceIoControl, GetWindowsDirectoryW, GetModuleHandleW, GetProcAddress, CreateDirectoryExW, CopyFileExW, GetConsoleOutputCP, AreFileApisANSI, DeleteFileA, GetTempPathA, GetTempFileNameA, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetCurrentProcess, GetExitCodeProcess, GetNativeSystemInfo, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExA, CreateFileA, GetFileAttributesExA, LockFileEx, UnlockFileEx, FreeLibrary, LoadLibraryW, FindClose, ResetEvent, CreateEventA, GetTickCount, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, GetSystemTime, GetSystemTimeAsFileTime, SystemTimeToFileTime, GetProcessHeap, GetCurrentProcessId, GetFileSize, UnlockFile, HeapDestroy, HeapCompact, HeapAlloc, HeapReAlloc, WaitForSingleObjectEx, FlushViewOfFile, OutputDebugStringW, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, HeapSize, HeapValidate, CloseThreadpoolWait, CreateMutexW, GetTempPathW, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, HeapFree, HeapCreate, ReadFile, RaiseException, TryEnterCriticalSection, GetCurrentThreadId, RtlVirtualUnwind, GetStdHandle, GetFileType, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, GetACP, ReleaseSemaphore, GetExitCodeThread, CreateSemaphoreA, GetSystemDirectoryA, TerminateProcess, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, FindFirstFileW, FindNextFileW, InitializeConditionVariable, WakeConditionVariable, SleepConditionVariableCS, SetThreadPriority, GetFileSizeEx, CreateFileMappingA, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, QueryPerformanceFrequency, GetSystemDirectoryW, GetEnvironmentVariableA, VerSetConditionMask, GetModuleHandleA, VerifyVersionInfoW, PeekNamedPipe, SetThreadpoolWait, CreateThreadpoolWait, CloseThreadpoolTimer, WaitForThreadpoolTimerCallbacks, SetThreadpoolTimer, CreateThreadpoolTimer, FreeLibraryWhenCallbackReturns, FlushProcessWriteBuffers, CreateSemaphoreExW, CreateEventExW, SetEnvironmentVariableW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, IsValidCodePage, WriteConsoleW, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, MoveFileExW, UnmapViewOfFile, SwitchToThread, ReleaseSRWLockShared, AcquireSRWLockShared, TryAcquireSRWLockExclusive, SleepConditionVariableSRW, GetTickCount64, GetStringTypeW, WakeAllConditionVariable, GetLocaleInfoEx, FindFirstFileExW, FreeEnvironmentStringsW |
OLEAUT32.dll | OleCreatePropertyFrame, SysAllocStringByteLen, SysStringByteLen, VariantClear, VariantInit, SysFreeString, SysAllocString |
ntdll.dll | RtlPcToFileHeader, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlUnwind |
CRYPT32.dll | CertGetCertificateChain, CertCloseStore, CertFindCertificateInStore, CertFreeCertificateContext, CertOpenSystemStoreW, CertOpenStore, CertEnumCertificatesInStore, CryptStringToBinaryW, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringW, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertFreeCertificateChain |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Download Network PCAP: filtered – full
- Total Packets: 19
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 21, 2025 09:05:15.094430923 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:05:15.195662975 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:05:15.195816040 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:05:15.313082933 CET | 49723 | 443 | 192.168.2.5 | 104.26.12.205 |
Mar 21, 2025 09:05:15.313165903 CET | 443 | 49723 | 104.26.12.205 | 192.168.2.5 |
Mar 21, 2025 09:05:15.313260078 CET | 49723 | 443 | 192.168.2.5 | 104.26.12.205 |
Mar 21, 2025 09:05:15.328042030 CET | 49723 | 443 | 192.168.2.5 | 104.26.12.205 |
Mar 21, 2025 09:05:15.328079939 CET | 443 | 49723 | 104.26.12.205 | 192.168.2.5 |
Mar 21, 2025 09:05:15.545646906 CET | 443 | 49723 | 104.26.12.205 | 192.168.2.5 |
Mar 21, 2025 09:05:15.545737028 CET | 49723 | 443 | 192.168.2.5 | 104.26.12.205 |
Mar 21, 2025 09:05:15.555084944 CET | 49723 | 443 | 192.168.2.5 | 104.26.12.205 |
Mar 21, 2025 09:05:15.555244923 CET | 443 | 49723 | 104.26.12.205 | 192.168.2.5 |
Mar 21, 2025 09:05:15.555318117 CET | 49723 | 443 | 192.168.2.5 | 104.26.12.205 |
Mar 21, 2025 09:05:15.555521965 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:05:15.657694101 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:05:15.699187040 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:05:30.814527988 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:05:30.814814091 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:05:45.923623085 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:05:45.923759937 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:06:01.033638000 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:06:01.033759117 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:06:16.143450975 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:06:16.143543005 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:06:31.255086899 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:06:31.255238056 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:06:46.363018036 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:06:46.363409996 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:07:01.476632118 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:07:01.476891994 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Mar 21, 2025 09:07:16.597322941 CET | 7712 | 49720 | 155.138.150.12 | 192.168.2.5 |
Mar 21, 2025 09:07:16.597414017 CET | 49720 | 7712 | 192.168.2.5 | 155.138.150.12 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 21, 2025 09:05:15.206145048 CET | 56272 | 53 | 192.168.2.5 | 1.1.1.1 |
Mar 21, 2025 09:05:15.307146072 CET | 53 | 56272 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 21, 2025 09:05:15.206145048 CET | 192.168.2.5 | 1.1.1.1 | 0xed68 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 21, 2025 09:05:15.307146072 CET | 1.1.1.1 | 192.168.2.5 | 0xed68 | No error (0) | 104.26.12.205 | A (IP address) | IN (0x0001) | false | ||
Mar 21, 2025 09:05:15.307146072 CET | 1.1.1.1 | 192.168.2.5 | 0xed68 | No error (0) | 172.67.74.152 | A (IP address) | IN (0x0001) | false | ||
Mar 21, 2025 09:05:15.307146072 CET | 1.1.1.1 | 192.168.2.5 | 0xed68 | No error (0) | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 04:05:13 |
Start date: | 21/03/2025 |
Path: | C:\Users\user\Desktop\xpmg.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff713210000 |
File size: | 11'450'880 bytes |
MD5 hash: | 73E43654E9F3DF0D07D25051B2D3CFEB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 04:05:14 |
Start date: | 21/03/2025 |
Path: | C:\Users\user\Desktop\xpmg.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff713210000 |
File size: | 11'450'880 bytes |
MD5 hash: | 73E43654E9F3DF0D07D25051B2D3CFEB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|