Windows
Analysis Report
socks.exe
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
- socks.exe (PID: 640, cmdline: "C:\Users\user\Desktop\socks.exe", MD5: 9D126F26BC3FE620319944A6F64C6906)
- conhost.exe (PID: 792, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- 1https.exe (PID: 7064, cmdline: "C:\Users\user\Desktop\1https.exe", MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
- 2mtls.exe (PID: 348, cmdline: "C:\Users\user\Desktop\2mtls.exe", MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Sliver | According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen | |
- AV Detection
- Cryptography
- Compliance
- Networking
- Key, Mouse, Clipboard, Microphone and Screen Capturing
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Language, Device and Operating System Detection
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Binary or memory string: | memstr_8b4d0962-4 |
Source: | Static PE information: |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: | ||
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
Source: | Binary or memory string: | memstr_131aa77a-1 |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Process created: | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | ||
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Process information set: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Binary or memory string: | ||
Source: | Queries volume information: | Jump to behavior | ||
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | 11 Input Capture | 1 Security Software Discovery | Remote Services | 11 Input Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Software Packing | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 11 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
40% | Virustotal | Browse | ||
34% | ReversingLabs | Win64.Trojan.Seheq |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
marnyonline.com | 45.61.169.127 | true | false | unknown | |
246.229.1.0.in-addr.arpa | unknown | unknown | true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |
false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
88.119.167.239 | unknown | Lithuania | 61272 | IST-ASLT | false | |
45.61.169.127 | marnyonline.com | United States | 8100 | ASN-QUADRANET-GLOBALUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1645398 |
Start date and time: | 2025-03-21 17:50:25 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | socks.exe |
Detection: | MAL |
Classification: | mal76.troj.evad.winEXE@4/1@2/2 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 184.86.251.28, 20.109.210.53, 13.107.246.40
- Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
Time | Type | Description |
---|---|---|
12:51:09 | API Interceptor | |
12:52:45 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
88.119.167.239 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse | |||
45.61.169.127 | Get hash | malicious | Sliver | Browse | ||
Get hash | malicious | Sliver | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
marnyonline.com | Get hash | malicious | Sliver | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
IST-ASLT | Get hash | malicious | Meterpreter | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | SystemBC | Browse |
| Get hash | malicious | SystemBC | Browse |
| Get hash | malicious | SystemBC | Browse |
| Get hash | malicious | SystemBC | Browse |
| Get hash | malicious | ScreenConnect Tool, LummaC, Amadey, Babadeda, LummaC Stealer, SystemBC | Browse |
| Get hash | malicious | SystemBC | Browse |
| Get hash | malicious | AsyncRAT | Browse |
ASN-QUADRANET-GLOBALUS | Get hash | malicious | Sliver | Browse |
| Get hash | malicious | Sliver | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | DarkCloud | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Mirai | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | DarkTortilla, XWorm | Browse |
Process: | C:\Users\user\Desktop\socks.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 495 |
Entropy (8bit): | 4.858007298055784 |
Encrypted: | false |
SSDEEP: | 6:38vNR/DLQghpmYTIa4Lew1+c/DLQghpmYTIa4Lew1+c/DLQghpmYTIa4Lew11:3kRPKP3PKP3PKPX |
MD5: | 1A839174AF00B901CD9C5401CA973E62 |
SHA1: | 84E81EF9015F2A18F01B5CE36EA9B9DC4F246015 |
SHA-256: | 3C66F62A17005A38F1A266B00353C052B369A8137EFE123E0B8865E84BDA24E0 |
SHA-512: | 06F87E8762F52571F043A8B1196D8A3AEED91AFECDEC2EB8C0BCB772987B9A8BD2252283555A155B04B3E633DB18D72B3E2FDFE2D28B109D2FC2E6480FFB6DCD |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 3.7975971825806716 |
TrID: | |
File name: | socks.exe |
File size: | 13'725'696 bytes |
MD5: | 9d126f26bc3fe620319944a6f64c6906 |
SHA1: | 8ce752408fff84d2a621c4dac61067fb0a750a32 |
SHA256: | 073874a38fb63387ab9f9b592dab5e49c6407fb899c11f8b7859334a219aceed |
SHA512: | 947279fb4cd0c142ef02871e8bc7b18543fff524d02403ae5675069117b6c6f259f6ff6bedfeddc45496e16fd9e429a80b1dbe1c6a32633ea08693e7854a8616 |
SSDEEP: | 98304:HBU7dMJyxIzC1j8iN0Z61Fe+ZwHQjgNV6wvFQmjoLDmQn4F:hwxB3061FecwHZ7wf4 |
TLSH: | 1ED63396078F41B1DC48E036C1FEB9B85E12E3ABD0872EB4B90DF0CE1474AD1965DDA6 |
File Content Preview: | MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........f.a...2...2...2...3...2...3...2.{s2...2.{.3...2.{.3...2.{.3...2.{.3!..2...3...2...3...2...3...2...2...2.{.3...2.{.3...2.{q2... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x140baf2c0 |
Entrypoint Section: | lbre |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65BD1B85 [Fri Feb 2 16:42:45 2024 UTC] |
TLS Callbacks: | 0x40baf51c, 0x1 |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | cde2e272252c977356a358cddccd60d8 |
Instruction |
---|
push ebx |
push esi |
push edi |
push ebp |
dec eax |
lea esi, dword ptr [FFB44D35h] |
dec eax |
lea edi, dword ptr [esi-006F3000h] |
dec eax |
lea eax, dword ptr [edi+00AE4698h] |
push dword ptr [eax] |
mov dword ptr [eax], F3EEF9A7h |
push eax |
push edi |
xor ebx, ebx |
xor ecx, ecx |
dec eax |
or ebp, FFFFFFFFh |
call 00007F0A24ABAFF5h |
add ebx, ebx |
je 00007F0A24ABAFA4h |
rep ret |
mov ebx, dword ptr [esi] |
dec eax |
sub esi, FFFFFFFCh |
adc ebx, ebx |
mov dl, byte ptr [esi] |
rep ret |
dec eax |
lea eax, dword ptr [edi+ebp] |
cmp ecx, 05h |
mov dl, byte ptr [eax] |
jbe 00007F0A24ABAFC3h |
dec eax |
cmp ebp, FFFFFFFCh |
jnbe 00007F0A24ABAFBDh |
sub ecx, 04h |
mov edx, dword ptr [eax] |
dec eax |
add eax, 04h |
sub ecx, 04h |
mov dword ptr [edi], edx |
dec eax |
lea edi, dword ptr [edi+04h] |
jnc 00007F0A24ABAF91h |
add ecx, 04h |
mov dl, byte ptr [eax] |
je 00007F0A24ABAFB2h |
dec eax |
inc eax |
mov byte ptr [edi], dl |
sub ecx, 01h |
mov dl, byte ptr [eax] |
dec eax |
lea edi, dword ptr [edi+01h] |
jne 00007F0A24ABAF92h |
rep ret |
cld |
inc ecx |
pop ebx |
jmp 00007F0A24ABAFAAh |
dec eax |
inc esi |
mov byte ptr [edi], dl |
dec eax |
inc edi |
mov dl, byte ptr [esi] |
add ebx, ebx |
jne 00007F0A24ABAFACh |
mov ebx, dword ptr [esi] |
dec eax |
sub esi, FFFFFFFCh |
adc ebx, ebx |
mov dl, byte ptr [esi] |
jc 00007F0A24ABAF88h |
lea eax, dword ptr [ecx+01h] |
jmp 00007F0A24ABAFA9h |
dec eax |
inc ecx |
call ebx |
adc eax, eax |
inc ecx |
call ebx |
adc eax, eax |
add ebx, ebx |
jne 00007F0A24ABAFACh |
mov ebx, dword ptr [esi] |
dec eax |
sub esi, FFFFFFFCh |
adc ebx, ebx |
mov dl, byte ptr [esi] |
jnc 00007F0A24ABAF86h |
sub eax, 03h |
jc 00007F0A24ABAFBBh |
shl eax, 08h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbb02dc | 0x594 | .rsrc |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbb0000 | 0x2dc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xae8000 | 0x5fd3c | lbre |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbb0870 | 0x24 | .rsrc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xbaf548 | 0x28 | lbre |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xbaf5b8 | 0x140 | lbre |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
lgdr | 0x1000 | 0x6f3000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
lbre | 0x6f4000 | 0x4bc000 | 0x4bb800 | a44f5ddbf908a2fd24b099b81f95b48f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xbb0000 | 0x1000 | 0xa00 | 52eb68c6b3743947fd28e5dea8b9d1f1 | False | 0.397265625 | data | 4.247106170162627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.hyy | 0xbb1000 | 0x85a9fb | 0x85aa00 | 0fe60e822598f3b8da74e721c37a20bc | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0xbb005c | 0x27e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5501567398119123 |
DLL | Import |
---|---|
ADVAPI32.dll | CopySid |
bcrypt.dll | BCryptEncrypt |
CRYPT32.dll | CertOpenStore |
DNSAPI.dll | DnsFree |
dwmapi.dll | DwmSetWindowAttribute |
DWrite.dll | DWriteCreateFactory |
GDI32.dll | BitBlt |
IMM32.dll | ImmNotifyIME |
IPHLPAPI.DLL | GetAdaptersAddresses |
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect |
NETAPI32.dll | NetShareEnum |
ole32.dll | DoDragDrop |
OLEAUT32.dll | SysStringLen |
Secur32.dll | EncryptMessage |
SHELL32.dll | |
USER32.dll | GetDC |
USERENV.dll | GetUserProfileDirectoryW |
VERSION.dll | VerQueryValueW |
WINHTTP.dll | WinHttpOpen |
WINMM.dll | PlaySoundW |
WS2_32.dll | WSAGetLastError |
WTSAPI32.dll | WTSFreeMemory |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
- Total Packets: 96
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 21, 2025 17:51:10.717336893 CET | 56118 | 53 | 192.168.2.18 | 1.1.1.1 |
Mar 21, 2025 17:51:10.822911978 CET | 53 | 56118 | 1.1.1.1 | 192.168.2.18 |
Mar 21, 2025 17:52:46.559330940 CET | 55408 | 53 | 192.168.2.18 | 1.1.1.1 |
Mar 21, 2025 17:52:46.846820116 CET | 53 | 55408 | 1.1.1.1 | 192.168.2.18 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 21, 2025 17:51:10.717336893 CET | 192.168.2.18 | 1.1.1.1 | 0xedbb | Standard query (0) | | PTR (Pointer record) | IN (0x0001) | false |
Mar 21, 2025 17:52:46.559330940 CET | 192.168.2.18 | 1.1.1.1 | 0x702d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 21, 2025 17:51:10.822911978 CET | 1.1.1.1 | 192.168.2.18 | 0xedbb | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) | false |
Mar 21, 2025 17:52:46.846820116 CET | 1.1.1.1 | 192.168.2.18 | 0x702d | No error (0) | | | 45.61.169.127 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 12:51:09 |
Start date: | 21/03/2025 |
Path: | C:\Users\user\Desktop\socks.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff65bc20000 |
File size: | 13'725'696 bytes |
MD5 hash: | 9D126F26BC3FE620319944A6F64C6906 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 12:51:09 |
Start date: | 21/03/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7b8370000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 5 |
Start time: | 12:52:44 |
Start date: | 21/03/2025 |
Path: | C:\Users\user\Desktop\1https.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x130000 |
File size: | 17'320'960 bytes |
MD5 hash: | 3F6DD6C85F9E9A02FDEA20076F69B66D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | Go lang |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Target ID: | 7 |
Start time: | 12:52:51 |
Start date: | 21/03/2025 |
Path: | C:\Users\user\Desktop\2mtls.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xde0000 |
File size: | 15'661'568 bytes |
MD5 hash: | 17AF646CFBB7FCFE4F0F6DBCFC2E31DD |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | Go lang |
Yara matches: | |
Reputation: | low |
Has exited: | false |