Windows Analysis Report
socks.exe

Overview

General Information

Sample name: socks.exe
Analysis ID: 1645398
MD5: 9d126f26bc3fe620319944a6f64c6906
SHA1: 8ce752408fff84d2a621c4dac61067fb0a750a32
SHA256: 073874a38fb63387ab9f9b592dab5e49c6407fb899c11f8b7859334a219aceed

Detection

Sliver
Score: 76
Range: 0 - 100
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Sliver Implants
Joe Sandbox ML detected suspicious sample
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Yara signature match

Classification

  • System is w10x64_ra
  • socks.exe (PID: 640 cmdline: "C:\Users\user\Desktop\socks.exe" MD5: 9D126F26BC3FE620319944A6F64C6906)
    • conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • 1https.exe (PID: 7064 cmdline: "C:\Users\user\Desktop\1https.exe" MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
  • 2mtls.exe (PID: 348 cmdline: "C:\Users\user\Desktop\2mtls.exe" MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)
  • cleanup
Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
No configs have been found
Source | Rule | Description | Author
00000007.00000002.2750661869.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000007.00000002.2750661869.000000C00017E000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000005.00000002.2753618543.000000C0002C2000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000007.00000002.2750661869.000000C000160000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000005.00000002.2753618543.000000C00028B000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
Source | Rule | Description | Author
7.0.2mtls.exe.de0000.0.unpack | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown
Strings:
  • 0xbb5424:$a1: ).RequestResend
  • 0xba979d:$a2: ).GetPrivInfo
7.0.2mtls.exe.de0000.0.unpack | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen
Strings:
  • 0x928a55:$s3: .WGTCPForwarder
  • 0x929fb6:$s3: .WGTCPForwarder
  • 0x92c595:$s3: .WGTCPForwarder
  • 0x92d0bf:$s3: .WGTCPForwarder
  • 0x92fc2b:$s3: .WGTCPForwarder
  • 0x930b29:$s3: .WGTCPForwarder
  • 0x9247e4:$s6: .BackdoorReq
  • 0x9289bf:$s7: .ProcessDumpReq
  • 0x92c186:$s8: .InvokeSpawnDllReq
  • 0x920ac7:$s9: .SpawnDll
  • 0x924902:$s9: .SpawnDll
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: socks.exe | Virustotal: Detection: 39%
Source: socks.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.6% probability
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: socks.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.18:49980 -> 45.61.169.127:8443
Source: unknown | TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: 246.229.1.0.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: marnyonline.com
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://bugreports.qt.io/
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca
Source: 1https.exe, 00000005.00000002.2758181883.000000C000476000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://fh=5n0730528&j=HTTP/1.1
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/
Source: 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html
Source: 1https.exe, 00000005.00000002.2750144160.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?
Source: 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?Mozilla/5.0
Source: 1https.exe, 00000005.00000002.2750144160.000000C00009E000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C0002EE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872
Source: 1https.exe, 00000005.00000002.2753618543.000000C0002EE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872Mozilla/5.0
Source: 1https.exe, 00000005.00000002.2750144160.000000C00009E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872untrusted
Source: 1https.exe, 00000005.00000002.2750144160.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?insufficient
Source: 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.php
Source: 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.phphttp://marnyonline.com/db/oauth2/namespac
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/http://marnyonline.com
Source: 1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/w
Source: 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.comEnumDisplaySettingsWEnumDisplaySettingsWGetExtendedUdpTableCreateToolhelp32Sna
Source: 1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.comrej
Source: socks.exe, 00000000.00000002.2749118235.00007FF65BC21000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.phreedom.org/md5)
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ew=425262h91&n=HTTP/1.1
Source: 1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/https://marnyonline.com
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/api.html
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/api.html?
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEProxyC
Source: 1https.exe, 00000005.00000002.2753618543.000000C000224000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/api.html?ew=425262h91&n=94e15875
Source: 1https.exe, 00000005.00000002.2753618543.000000C000224000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/api.html?ew=425262h91&n=94e15875http://marnyonline.comage-encrypt
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/api.php
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/api.phphttps://marnyonline.com/namespaces/api.htmlhttps://marnyon
Source: 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comWinHttpGetProxyForUrlWinHttpGetProxyForUrlWinHttpCloseHandleWinHttpCloseHandl
Source: 1https.exe, 00000005.00000002.2753618543.000000C000224000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v1
Source: 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:
Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown | Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown | Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown | Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown | Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

System Summary

Source: 7.0.2mtls.exe.de0000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 7.0.2mtls.exe.de0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: 1https.exe PID: 7064, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: 2mtls.exe PID: 348, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 7.0.2mtls.exe.de0000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 7.0.2mtls.exe.de0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: 1https.exe PID: 7064, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: 2mtls.exe PID: 348, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: .telemark.nomalatvuopmi.nohamburgreservd.dev.thingdust.iogo.jpotsuchi.iwate.jpnet.slnet.soal.usbounceme.netgo.keporsgrunn.nonet.ss!city.yokohama.jptarnobrzeg.plnet.stdishis-a-chef.coms.bggjerdrum.noshiogama.miyagi.jptara.saga.jpyamada.toyama.jpnet.thnet.synet.tjs
Source: classification engine | Classification label: mal76.troj.evad.winEXE@4/1@2/2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_03
            Source: C:\Users\user\Desktop\1https.exeFile opened: C:\Windows\system32\9246315bee1544471d4aad7baaeb0f39e4badc8b3762c339f59c3b34c7cb0b03AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
            Source: C:\Users\user\Desktop\2mtls.exeFile opened: C:\Windows\system32\13dd9674580bb3e38d0bc58c6fb3aeb55ea398d1bb73bd7cb1fd72d74f87ea26AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
            Source: C:\Users\user\Desktop\socks.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: socks.exe | Virustotal: Detection: 39%
            Source: socks.exe | ReversingLabs: Detection: 34%
            Source: unknown | Process created: C:\Users\user\Desktop\socks.exe "C:\Users\user\Desktop\socks.exe"
            Source: C:\Users\user\Desktop\socks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\Desktop\1https.exe "C:\Users\user\Desktop\1https.exe"
            Source: unknown | Process created: C:\Users\user\Desktop\2mtls.exe "C:\Users\user\Desktop\2mtls.exe"
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: netapi32.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: wtsapi32.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: napinsp.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: pnrpnsp.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: wshbth.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: nlaapi.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: winrnr.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: wkscli.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: cscapi.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\socks.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: umpdc.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: umpdc.dll
            Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: mswsock.dll
            Source: socks.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: socks.exe | Static file information: File size 13725696 > 1048576
            Source: socks.exe | Static PE information: Raw size of lbre is bigger than: 0x100000 < 0x4bb800
            Source: socks.exe | Static PE information: Raw size of .hyy is bigger than: 0x100000 < 0x85aa00
            Source: socks.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: C:\Users\user\Desktop\socks.exe | Unpacked PE file: 0.2.socks.exe.7ff65bc20000.0.unpack lgdr:EW;lbre:EW;.rsrc:W;.hyy:W; vs lgdr:ER;lbre:ER;.rsrc:W;.hyy:W;
            Source: initial sample | Static PE information: section where entry point is pointing to: lbre
            Source: socks.exe | Static PE information: section name: lgdr
            Source: socks.exe | Static PE information: section name: lbre
            Source: socks.exe | Static PE information: section name: .hyy
            Source: C:\Users\user\Desktop\socks.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\socks.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\socks.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\1https.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Users\user\Desktop\1https.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\2mtls.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Users\user\Desktop\2mtls.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\1https.exe TID: 6956 | Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: 2mtls.exe, 00000007.00000002.2755559814.000002818271C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: socks.exe, 00000000.00000002.2748269165.00000269322AE000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: socks.exe, 00000000.00000002.2749118235.00007FF65C6CF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@
            Source: C:\Users\user\Desktop\1https.exe | Queries volume information: C:\Users\user\Desktop\1https.exe VolumeInformation
            Source: C:\Users\user\Desktop\2mtls.exe | Queries volume information: C:\Users\user\Desktop\2mtls.exe VolumeInformation

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000007.00000002.2750661869.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2750661869.000000C00017E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2753618543.000000C0002C2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2750661869.000000C000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2753618543.000000C00028B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.2535867511.00000000016ED000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.2459726498.0000000000B37000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 1https.exe PID: 7064, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 2mtls.exe PID: 348, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000007.00000002.2750661869.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2750661869.000000C00017E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2753618543.000000C0002C2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2750661869.000000C000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2753618543.000000C00028B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.2535867511.00000000016ED000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.2459726498.0000000000B37000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 1https.exe PID: 7064, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 2mtls.exe PID: 348, type: MEMORYSTR
            MITRE ATT&CK Matrix (the number after a technique is the count of matching signatures; techniques without a number are the matrix's default placeholders)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
            Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
            Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
            Defense Evasion: Virtualization/Sandbox Evasion (1); Software Packing (1); Process Injection (1); DLL Side-Loading (1)
            Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS
            Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); System Information Discovery (11); System Network Configuration Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
            Collection: Input Capture (11); Archive Collected Data (1); Data from Network Shared Drive; Input Capture
            Command and Control: Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (2)
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
            Behavior Graph (ID: 1645398, sample: socks.exe, start date: 21/03/2025, architecture: WINDOWS, score: 76)

            DNS/IP: 246.229.1.0.in-addr.arpa; marnyonline.com
            Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Sliver Implants; Joe Sandbox ML detected suspicious sample
            Processes started: socks.exe; 1https.exe; 2mtls.exe
            socks.exe: connects to 88.119.167.239 port 443 (IST-ASLT, Lithuania) from local ports 49699 and 49701; signature: Detected unpacking (changes PE section rights); starts conhost.exe
            1https.exe: connects to marnyonline.com (45.61.169.127) port 443 (ASN-QUADRANET-GLOBALUS, United States) from local ports 49977 and 49978

            Antivirus detection for the initial sample (Source | Detection | Scanner | Label):
            socks.exe | 40% | Virustotal | -
            socks.exe | 34% | ReversingLabs | Win64.Trojan.Seheq
            Dropped files: No Antivirus matches
            Unpacked PE files: No Antivirus matches
            Domains: No Antivirus matches

            Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
            marnyonline.com | 45.61.169.127 | true | false | - | unknown
            246.229.1.0.in-addr.arpa | unknown | unknown | true | - | unknown
            IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
            88.119.167.239 | unknown | Lithuania | 61272 | IST-ASLT | false
            45.61.169.127 | marnyonline.com | United States | 8100 | ASN-QUADRANET-GLOBALUS | false
            Joe Sandbox version: 42.0.0 Malachite
            Analysis ID: 1645398
            Start date and time: 2025-03-21 17:50:25 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 4m 29s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: defaultwindowsinteractivecookbook.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed: 8
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: socks.exe
            Detection: MAL
            Classification: mal76.troj.evad.winEXE@4/1@2/2
            EGA Information: Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 184.86.251.28, 20.109.210.53, 13.107.246.40
            • Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed; the report is missing behavior information
            Timeline (Time | Type | Description):
            12:51:09 | API Interceptor | 26x Sleep call for process: socks.exe modified
            12:52:45 | API Interceptor | 2x Sleep call for process: 1https.exe modified
            IP context (Match | Associated Sample Name | Detection | Threat Name):
            88.119.167.239 | dwm.exe | malicious | Unknown
            88.119.167.239 | dwm.exe | malicious | Unknown
            45.61.169.127 | 2mtls.exe | malicious | Sliver
            45.61.169.127 | 1https.exe | malicious | Sliver

            Domain context (Match | Associated Sample Name | Detection | Threat Name | Context):
            marnyonline.com | 1https.exe | malicious | Sliver | 45.61.169.127
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                IST-ASLTmr64.exe.exeGet hashmaliciousMeterpreterBrowse
                                • 88.119.175.124
                                New Agreement Document 2025.comGet hashmaliciousUnknownBrowse
                                • 85.206.168.238
                                New Agreement Document 2025.comGet hashmaliciousUnknownBrowse
                                • 85.206.168.238
                                file.exeGet hashmaliciousSystemBCBrowse
                                • 88.119.165.46
                                file.exeGet hashmaliciousSystemBCBrowse
                                • 88.119.165.46
                                file.exeGet hashmaliciousSystemBCBrowse
                                • 88.119.165.46
                                file.exeGet hashmaliciousSystemBCBrowse
                                • 88.119.165.46
random.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Babadeda, LummaC Stealer, SystemBC |
                                • 88.119.165.46
Croblxn.exe | malicious | SystemBC |
                                • 88.119.165.46
H#4051-5353.vbs | malicious | AsyncRAT |
                                • 88.119.175.153
ASN-QUADRANET-GLOBALUS | 2mtls.exe | malicious | Sliver |
                                • 45.61.169.127
1https.exe | malicious | Sliver |
                                • 45.61.169.127
http://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.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.nJ9tzd3-jhbWgSNwRLHamHKYwZXuNcZIG2E1QBFM5fg | malicious | HTMLPhisher |
                                • 45.61.169.110
ATT11027.xhtml | malicious | HTMLPhisher |
                                • 185.174.100.76
http://url5681.planter.eco/ls/click?upn=u001.PX1-2BssefkOe686e7wTSUMqibxN-2FCUadbAKgpTv23cYOIQxMvH9FGLuwPON-2Ft4V08mI3EhMVAoZnU-2Br4hRroTgY6212B0nGnr8aV-2B5ZtDZ10DmDDkH6mdlmAzG8M-2BiNsGPGMX1iPzlrrdaY9R4kk4qHfVergkdfGzm-2BAmGL-2FwYqLpCth-2FU-2ByXRztop6mHKwMCk43gAzvI9DCKmBcEcJQKyQ-3D-3Da5U3_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIU9EPMkwXhPBMhFexKYRqOhYUH1k-2FQVOT9D8S6mnbGzOTVeFZqZ2eiXdrD6GdHPzzO106h29UdS-2BIz4v5acd9FnatQanlGtMNJsbvRJRS5dF6-2BMeTnNy39wilhlMfgiqmmr792hlZiyIO30hIfNO7fmE4Qvw7CYEB9aPKMoYkpeVA-3D-3D | malicious | HTMLPhisher |
                                • 104.245.240.188
AVISO DE COBRO DHL - 1606604473.PDF.exe | malicious | DarkCloud |
                                • 204.44.192.90
splx86.elf | malicious | Unknown |
                                • 64.189.38.253
resgod.arm5.elf | malicious | Mirai |
                                • 104.247.172.118
https://office.mx-senora.com/validate-captcha?user_id=4bP8rZrJvBAKS5wfleIW | malicious | Unknown |
                                • 45.61.166.78
Factura - FAT120250320.pdf(94KB).com.exe | malicious | DarkTortilla, XWorm |
                                • 104.245.240.123
                                No context
                                No context
                                Process:C:\Users\user\Desktop\socks.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):495
                                Entropy (8bit):4.858007298055784
                                Encrypted:false
                                SSDEEP:6:38vNR/DLQghpmYTIa4Lew1+c/DLQghpmYTIa4Lew1+c/DLQghpmYTIa4Lew11:3kRPKP3PKP3PKPX
                                MD5:1A839174AF00B901CD9C5401CA973E62
                                SHA1:84E81EF9015F2A18F01B5CE36EA9B9DC4F246015
                                SHA-256:3C66F62A17005A38F1A266B00353C052B369A8137EFE123E0B8865E84BDA24E0
                                SHA-512:06F87E8762F52571F043A8B1196D8A3AEED91AFECDEC2EB8C0BCB772987B9A8BD2252283555A155B04B3E633DB18D72B3E2FDFE2D28B109D2FC2E6480FFB6DCD
                                Malicious:false
                                Reputation:low
                                Preview:Successfully connected..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..
                                File type:PE32+ executable (console) x86-64, for MS Windows
                                Entropy (8bit):3.7975971825806716
                                TrID:
                                • Win64 Executable Console (202006/5) 92.65%
                                • Win64 Executable (generic) (12005/4) 5.51%
                                • Generic Win/DOS Executable (2004/3) 0.92%
                                • DOS Executable Generic (2002/1) 0.92%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:socks.exe
                                File size:13'725'696 bytes
                                MD5:9d126f26bc3fe620319944a6f64c6906
                                SHA1:8ce752408fff84d2a621c4dac61067fb0a750a32
                                SHA256:073874a38fb63387ab9f9b592dab5e49c6407fb899c11f8b7859334a219aceed
                                SHA512:947279fb4cd0c142ef02871e8bc7b18543fff524d02403ae5675069117b6c6f259f6ff6bedfeddc45496e16fd9e429a80b1dbe1c6a32633ea08693e7854a8616
                                SSDEEP:98304:HBU7dMJyxIzC1j8iN0Z61Fe+ZwHQjgNV6wvFQmjoLDmQn4F:hwxB3061FecwHZ7wf4
                                TLSH:1ED63396078F41B1DC48E036C1FEB9B85E12E3ABD0872EB4B90DF0CE1474AD1965DDA6
                                File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........f.a...2...2...2...3...2...3...2.{s2...2.{.3...2.{.3...2.{.3...2.{.3!..2...3...2...3...2...3...2...2...2.{.3...2.{.3...2.{q2...
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0x140baf2c0
                                Entrypoint Section:lbre
                                Digitally signed:false
                                Imagebase:0x140000000
                                Subsystem:windows cui
                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x65BD1B85 [Fri Feb 2 16:42:45 2024 UTC]
                                TLS Callbacks:0x40baf51c, 0x1
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:cde2e272252c977356a358cddccd60d8
                                Instruction
                                push ebx
                                push esi
                                push edi
                                push ebp
                                dec eax
                                lea esi, dword ptr [FFB44D35h]
                                dec eax
                                lea edi, dword ptr [esi-006F3000h]
                                dec eax
                                lea eax, dword ptr [edi+00AE4698h]
                                push dword ptr [eax]
                                mov dword ptr [eax], F3EEF9A7h
                                push eax
                                push edi
                                xor ebx, ebx
                                xor ecx, ecx
                                dec eax
                                or ebp, FFFFFFFFh
                                call 00007F0A24ABAFF5h
                                add ebx, ebx
                                je 00007F0A24ABAFA4h
                                rep ret
                                mov ebx, dword ptr [esi]
                                dec eax
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                mov dl, byte ptr [esi]
                                rep ret
                                dec eax
                                lea eax, dword ptr [edi+ebp]
                                cmp ecx, 05h
                                mov dl, byte ptr [eax]
                                jbe 00007F0A24ABAFC3h
                                dec eax
                                cmp ebp, FFFFFFFCh
                                jnbe 00007F0A24ABAFBDh
                                sub ecx, 04h
                                mov edx, dword ptr [eax]
                                dec eax
                                add eax, 04h
                                sub ecx, 04h
                                mov dword ptr [edi], edx
                                dec eax
                                lea edi, dword ptr [edi+04h]
                                jnc 00007F0A24ABAF91h
                                add ecx, 04h
                                mov dl, byte ptr [eax]
                                je 00007F0A24ABAFB2h
                                dec eax
                                inc eax
                                mov byte ptr [edi], dl
                                sub ecx, 01h
                                mov dl, byte ptr [eax]
                                dec eax
                                lea edi, dword ptr [edi+01h]
                                jne 00007F0A24ABAF92h
                                rep ret
                                cld
                                inc ecx
                                pop ebx
                                jmp 00007F0A24ABAFAAh
                                dec eax
                                inc esi
                                mov byte ptr [edi], dl
                                dec eax
                                inc edi
                                mov dl, byte ptr [esi]
                                add ebx, ebx
                                jne 00007F0A24ABAFACh
                                mov ebx, dword ptr [esi]
                                dec eax
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                mov dl, byte ptr [esi]
                                jc 00007F0A24ABAF88h
                                lea eax, dword ptr [ecx+01h]
                                jmp 00007F0A24ABAFA9h
                                dec eax
                                inc ecx
                                call ebx
                                adc eax, eax
                                inc ecx
                                call ebx
                                adc eax, eax
                                add ebx, ebx
                                jne 00007F0A24ABAFACh
                                mov ebx, dword ptr [esi]
                                dec eax
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                mov dl, byte ptr [esi]
                                jnc 00007F0A24ABAF86h
                                sub eax, 03h
                                jc 00007F0A24ABAFBBh
                                shl eax, 08h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbb02dc | 0x594 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbb0000 | 0x2dc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xae8000 | 0x5fd3c | lbre
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbb0870 | 0x24 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xbaf548 | 0x28 | lbre
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xbaf5b8 | 0x140 | lbre
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
lgdr | 0x1000 | 0x6f3000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lbre | 0x6f4000 | 0x4bc000 | 0x4bb800 | a44f5ddbf908a2fd24b099b81f95b48f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xbb0000 | 0x1000 | 0xa00 | 52eb68c6b3743947fd28e5dea8b9d1f1 | False | 0.397265625 | data | 4.247106170162627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.hyy | 0xbb1000 | 0x85a9fb | 0x85aa00 | 0fe60e822598f3b8da74e721c37a20bc | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xbb005c | 0x27e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5501567398119123
DLL | Import
ADVAPI32.dll | CopySid
bcrypt.dll | BCryptEncrypt
CRYPT32.dll | CertOpenStore
DNSAPI.dll | DnsFree
dwmapi.dll | DwmSetWindowAttribute
DWrite.dll | DWriteCreateFactory
GDI32.dll | BitBlt
IMM32.dll | ImmNotifyIME
IPHLPAPI.DLL | GetAdaptersAddresses
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
NETAPI32.dll | NetShareEnum
ole32.dll | DoDragDrop
OLEAUT32.dll | SysStringLen
Secur32.dll | EncryptMessage
SHELL32.dll |
USER32.dll | GetDC
USERENV.dll | GetUserProfileDirectoryW
VERSION.dll | VerQueryValueW
WINHTTP.dll | WinHttpOpen
WINMM.dll | PlaySoundW
WS2_32.dll | WSAGetLastError
WTSAPI32.dll | WTSFreeMemory
Language of compilation system | Country where language is spoken | Map
English | United States |


                                • Total Packets: 96
                                • 8443 undefined
                                • 443 (HTTPS)
                                • 80 (HTTP)
                                • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Mar 21, 2025 17:53:16.849919081 CET4434998588.119.167.239192.168.2.18
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 21, 2025 17:51:10.717336893 CET | 56118 | 53 | 192.168.2.18 | 1.1.1.1
Mar 21, 2025 17:51:10.822911978 CET | 53 | 56118 | 1.1.1.1 | 192.168.2.18
Mar 21, 2025 17:52:46.559330940 CET | 55408 | 53 | 192.168.2.18 | 1.1.1.1
Mar 21, 2025 17:52:46.846820116 CET | 53 | 55408 | 1.1.1.1 | 192.168.2.18
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 21, 2025 17:51:10.717336893 CET | 192.168.2.18 | 1.1.1.1 | 0xedbb | Standard query (0) | 246.229.1.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Mar 21, 2025 17:52:46.559330940 CET | 192.168.2.18 | 1.1.1.1 | 0x702d | Standard query (0) | marnyonline.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 21, 2025 17:51:10.822911978 CET | 1.1.1.1 | 192.168.2.18 | 0xedbb | Name error (3) | 246.229.1.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Mar 21, 2025 17:52:46.846820116 CET | 1.1.1.1 | 192.168.2.18 | 0x702d | No error (0) | marnyonline.com | | 45.61.169.127 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 12:51:09
Start date: 21/03/2025
Path: C:\Users\user\Desktop\socks.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\socks.exe"
Imagebase: 0x7ff65bc20000
File size: 13'725'696 bytes
MD5 hash: 9D126F26BC3FE620319944A6F64C6906
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 12:51:09
Start date: 21/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7b8370000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 12:52:44
Start date: 21/03/2025
Path: C:\Users\user\Desktop\1https.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\1https.exe"
Imagebase: 0x130000
File size: 17'320'960 bytes
MD5 hash: 3F6DD6C85F9E9A02FDEA20076F69B66D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Go lang
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000002.2753618543.000000C0002C2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000002.2753618543.000000C00028B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
• Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, Author: unknown
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000000.2459726498.0000000000B37000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 7
Start time: 12:52:51
Start date: 21/03/2025
Path: C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\2mtls.exe"
Imagebase: 0xde0000
File size: 15'661'568 bytes
MD5 hash: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Go lang
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000002.2750661869.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000002.2750661869.000000C00017E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000002.2750661869.000000C000160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000000.2535867511.00000000016ED000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
Reputation: low
Has exited: false

No disassembly