Windows Analysis Report
jango.exe

Malicious sample detected (through community Yara rule)

System Summary

Source: jango.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.jango.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.373122947.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\jango.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: jango.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: jango.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.jango.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.373122947.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\jango.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: C:\Users\user\Desktop\jango.exe	Code function: 0_2_00007FF9A55C1029	0_2_00007FF9A55C1029
Source: C:\Users\user\Desktop\jango.exe	Code function: 0_2_00007FF9A55C1AF5	0_2_00007FF9A55C1AF5
Source: C:\Users\Public\jango.exe	Code function: 3_2_00007FF9A55D1029	3_2_00007FF9A55D1029
Source: C:\Users\Public\jango.exe	Code function: 3_2_00007FF9A55D1AF5	3_2_00007FF9A55D1AF5
Source: C:\Users\Public\jango.exe	Code function: 6_2_00007FF9A55A1029	6_2_00007FF9A55A1029
Source: C:\Users\Public\jango.exe	Code function: 6_2_00007FF9A55A1AF5	6_2_00007FF9A55A1AF5
Source: C:\Users\Public\jango.exe	Code function: 7_2_00007FF9A55B1029	7_2_00007FF9A55B1029
Source: C:\Users\Public\jango.exe	Code function: 7_2_00007FF9A55B1AF5	7_2_00007FF9A55B1AF5
Source: C:\Users\Public\jango.exe	Code function: 9_2_00007FF9A55A1029	9_2_00007FF9A55A1029
Source: C:\Users\Public\jango.exe	Code function: 9_2_00007FF9A55A1AF5	9_2_00007FF9A55A1AF5

Source: jango.exe, 00000000.00000002.639797220.0000000000439000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jango.exe
Source: jango.exe, 00000003.00000002.416059414.000000000130C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jango.exe
Source: jango.exe, 00000006.00000002.431296790.000000000147A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jango.exe
Source: jango.exe, 00000007.00000002.505660923.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jango.exe
Source: jango.exe, 00000009.00000002.631969642.0000000000908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jango.exe

Source: jango.exe	ReversingLabs: Detection: 56%
Source: jango.exe	Virustotal: Detection: 60%

Source: C:\Users\user\Desktop\jango.exe

File read: C:\Users\user\Desktop\jango.exe

Source: jango.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jango.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\jango.exe C:\Users\user\Desktop\jango.exe
Source: C:\Users\user\Desktop\jango.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "jango" /tr "C:\Users\Public\jango.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\jango.exe "C:\Users\Public\jango.exe"
Source: unknown	Process created: C:\Users\Public\jango.exe "C:\Users\Public\jango.exe"
Source: unknown	Process created: C:\Users\Public\jango.exe C:\Users\Public\jango.exe
Source: unknown	Process created: C:\Users\Public\jango.exe C:\Users\Public\jango.exe
Source: C:\Users\user\Desktop\jango.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "jango" /tr "C:\Users\Public\jango.exe	Jump to behavior

Source: C:\Users\user\Desktop\jango.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: jango.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\Public\jango.exe

Source: C:\Users\user\Desktop\jango.exe

File created: C:\Users\Public\jango.exe

Source: C:\Users\user\Desktop\jango.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/4@37/7

Source: C:\Users\user\Desktop\jango.exe

File read: C:\Users\user\Desktop\desktop.ini

.NET source code contains potential unpacker

Source: jango.exe.0.dr, Stub/wdMu22PFfmKEXhEb.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: jango.exe.0.dr, Stub/wdMu22PFfmKEXhEb.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: jango.exe, Stub/wdMu22PFfmKEXhEb.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: jango.exe, Stub/wdMu22PFfmKEXhEb.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.jango.exe.30000.0.unpack, Stub/wdMu22PFfmKEXhEb.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.jango.exe.30000.0.unpack, Stub/wdMu22PFfmKEXhEb.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: jango.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\jango.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\jango.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\jango.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\jango.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\jango.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior

Source: jango.exe, u0039dVmlx8ErZMGGR8jZPwFeroSjEG7RjgvKMhTsWovd8rJHjaxBOMDiHl232UnH1o0Btv5LNDv4U.cs	Base64 encoded string: 'kEzhUiMz4egeuu2HGFdnj7P0c4sMCIN1yovMCFgizfkTuCQA5GUheC4M1tFzDjOM'
Source: jango.exe.0.dr, u0039dVmlx8ErZMGGR8jZPwFeroSjEG7RjgvKMhTsWovd8rJHjaxBOMDiHl232UnH1o0Btv5LNDv4U.cs	Base64 encoded string: 'kEzhUiMz4egeuu2HGFdnj7P0c4sMCIN1yovMCFgizfkTuCQA5GUheC4M1tFzDjOM'
Source: 0.0.jango.exe.30000.0.unpack, u0039dVmlx8ErZMGGR8jZPwFeroSjEG7RjgvKMhTsWovd8rJHjaxBOMDiHl232UnH1o0Btv5LNDv4U.cs	Base64 encoded string: 'kEzhUiMz4egeuu2HGFdnj7P0c4sMCIN1yovMCFgizfkTuCQA5GUheC4M1tFzDjOM'

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_01
Source: C:\Users\user\Desktop\jango.exe	Mutant created: \Sessions\1\BaseNamedObjects\WHltJHDucgJQY7NF

Source: jango.exe, Stub/TxlW2zEggC03cCPc.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: jango.exe, Stub/TxlW2zEggC03cCPc.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: jango.exe, Stub/u0033ESELlDGmCYl6Eas.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: jango.exe.0.dr, Stub/TxlW2zEggC03cCPc.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: jango.exe.0.dr, Stub/TxlW2zEggC03cCPc.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: jango.exe.0.dr, Stub/u0033ESELlDGmCYl6Eas.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.jango.exe.30000.0.unpack, Stub/TxlW2zEggC03cCPc.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.jango.exe.30000.0.unpack, Stub/TxlW2zEggC03cCPc.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Users\user\Desktop\jango.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: jango.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jango.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: jango.exe, Stub/TxXKz7l7TMtreUav.cs	.Net Code: zqvaESzr8Hhulrl5 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: jango.exe, Stub/TxXKz7l7TMtreUav.cs	.Net Code: 7VrmeT8yupTNkBnt System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: jango.exe, Stub/TxXKz7l7TMtreUav.cs	.Net Code: 7VrmeT8yupTNkBnt
Source: jango.exe.0.dr, Stub/TxXKz7l7TMtreUav.cs	.Net Code: zqvaESzr8Hhulrl5 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: jango.exe.0.dr, Stub/TxXKz7l7TMtreUav.cs	.Net Code: 7VrmeT8yupTNkBnt System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: jango.exe.0.dr, Stub/TxXKz7l7TMtreUav.cs	.Net Code: 7VrmeT8yupTNkBnt
Source: 0.0.jango.exe.30000.0.unpack, Stub/TxXKz7l7TMtreUav.cs	.Net Code: zqvaESzr8Hhulrl5 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.jango.exe.30000.0.unpack, Stub/TxXKz7l7TMtreUav.cs	.Net Code: 7VrmeT8yupTNkBnt System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.jango.exe.30000.0.unpack, Stub/TxXKz7l7TMtreUav.cs	.Net Code: 7VrmeT8yupTNkBnt

.NET source code contains method to dynamically call methods (often used by packers)

Source: jango.exe, Stub/TxXKz7l7TMtreUav.cs	.Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", V_9, null, null, null, true)
Source: jango.exe.0.dr, Stub/TxXKz7l7TMtreUav.cs	.Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", V_9, null, null, null, true)
Source: 0.0.jango.exe.30000.0.unpack, Stub/TxXKz7l7TMtreUav.cs	.Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", V_9, null, null, null, true)

Source: jango.exe, Stub/TxXKz7l7TMtreUav.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'frtGIr1XzzGLRyjV', 'zqvaESzr8Hhulrl5', '3GnAcR2ROGbLOoSq', 'bdWBwmMn7rKoAKut', 'dOMXCJqpdBJioZ0h', '2Cw131G8gJXbTXj3', '0NT90kpZtvwdDP1Y', 'f3rvyt6RGydLhsXc'
Source: jango.exe, Stub/TxlW2zEggC03cCPc.cs	High entropy of concatenated method names: '.cctor', 'yCpHZQWwg2awwbIW', 'BN6Ol7TAnSFavunC', 'oZpOrqpbG6qKOeXA', 'rYCjJLcLqKN9ijgp', 'hsLO2zHfSaK3F3eR', 'Ll9WU5OLiVWjU0Z2', 'ezwYMf8SyDSDCsht', 'tl0wsgyMUgUO4Fhs', 'KYrT5FPjsjCzdjBz'
Source: jango.exe, Stub/wdMu22PFfmKEXhEb.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'Fi2lrgC8lX4PT6E2', 'TK4n2cnDmc0ydRvp', '4RwU31fqwdz0ZxAQ', 'LH8CbPTZjuzCPiSn', 'Y68f1HZdjNds1erj', 'vjdWys8kmLz9KUoK', 'cW58LTxtlRYQTrUS', '4zVQAoIuw3Dmuc1E'
Source: jango.exe, Stub/aFEL2vOaRPS3edJ6.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'yFRb0ZHa0P00LHsh', 'ONsLjfVpDt47yE24', 'edWzlhqfNupzahmP', 'S70XacZplrXptN35', '4GydiL2QluwRyZKM', 'gaHrzrnUK8Fu0YNd', 'GOT1JK9mHjfPERtq', 'noGgSaWbZroxxL7K'
Source: jango.exe, Stub/w1nZ4PWCUZwHil60SzE0C7t1G3LjGng2H1Ox1DniTDZzsaHoOURY2DaP733eByQLRUkRJe1Bq0.cs	High entropy of concatenated method names: '.ctor', 'wqsDUKlXJYQbyeQ6', 'tR7kTtsNeKyp7C5b', 'KQbraHvyuGPIa5zu', 'glMVFqkeQqCUQwVH', 'JihJASvo23RsICNt', 'verekihDbYdBRGnX', 'nBwRrMvnXgHIqJIy', 'G9UzX4Zp1KOCZ9cf', '1dBIC1ewSJ5gyTEn'
Source: jango.exe, Stub/qTGzZlHYZlmaUkbM.cs	High entropy of concatenated method names: '.ctor', 'HXXknsPVylxgmNLJ', 'FVNEbI7p8t7CW4QI', 'UPs7FEJEvgthRwGo', 'Oi1OJMJOKOGKIiIr', '2cWYp8nd1fDrBrFF', 'LtSu66PCzWHEAQAV', '1kXdnN26RNWDdmd6', 'a3PK5kZ1Tt1o8GCS', 'elspSyB8KAjwec7I'
Source: jango.exe, My/Voxy0FeZ2cxDnE2sZg1wGey6jIfkxHYKupFfAqtxQ7B9e28gRGW822vSRkQLGjWeTsEXu1q7Gd.cs	High entropy of concatenated method names: '.cctor', 'HZt88bHNVPpXZh4rJNSac1dk0QD9MPEJBt4OJh23Z7AvBMP1EksT097Gb9byBHFarM0o55HQZa', 'fk8JPrtm18jWJIBQbq3ZfM2TkQJiwpsdbLccvX0zXIKqwuwOd8ZcpesxaUNthowfVkF9N9o7ex', 'qG3SbFuAkZB5DsvInuiHHD74ezBC1UqqreLkQCefoi7no2yUmFPP69J3Rk4FCn6hHDRaiq4Ose', 'oGUwLNNZ1sdOKCWNUfgXtIMd8sn10jnZCoF6cQMbcXqAZjo3KcMNUUNd6sLbkdH9PzgNeY3r0D', '6AbKv3LnuCINwCnt', '3eVXh44oTeVhTCyH', 'EgOUbzsgOFfa91oj', 'gadndigxhOfTjmkm', '51m0gzRGcTBGzW24'
Source: jango.exe, Stub/u0033ESELlDGmCYl6Eas.cs	High entropy of concatenated method names: '.ctor', 'as6Gr2ZHEPxIrsOZ', '0mO2ITjQtVimk0eD', 'TOPXQvYuzZ0Oy6F1', 'LMpSGFBQnOgsJuZp', 'P44MOno3AsWiO1rP', 'cqCaT6HOqpP8FvKC', 'hLFfXYoA1zYXcQAr', 'yZmFybFsxWFV3fp4', '7ERPd6wGiC9cJnHm'
Source: jango.exe.0.dr, Stub/TxXKz7l7TMtreUav.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'frtGIr1XzzGLRyjV', 'zqvaESzr8Hhulrl5', '3GnAcR2ROGbLOoSq', 'bdWBwmMn7rKoAKut', 'dOMXCJqpdBJioZ0h', '2Cw131G8gJXbTXj3', '0NT90kpZtvwdDP1Y', 'f3rvyt6RGydLhsXc'
Source: jango.exe.0.dr, Stub/wdMu22PFfmKEXhEb.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'Fi2lrgC8lX4PT6E2', 'TK4n2cnDmc0ydRvp', '4RwU31fqwdz0ZxAQ', 'LH8CbPTZjuzCPiSn', 'Y68f1HZdjNds1erj', 'vjdWys8kmLz9KUoK', 'cW58LTxtlRYQTrUS', '4zVQAoIuw3Dmuc1E'
Source: jango.exe.0.dr, Stub/TxlW2zEggC03cCPc.cs	High entropy of concatenated method names: '.cctor', 'yCpHZQWwg2awwbIW', 'BN6Ol7TAnSFavunC', 'oZpOrqpbG6qKOeXA', 'rYCjJLcLqKN9ijgp', 'hsLO2zHfSaK3F3eR', 'Ll9WU5OLiVWjU0Z2', 'ezwYMf8SyDSDCsht', 'tl0wsgyMUgUO4Fhs', 'KYrT5FPjsjCzdjBz'
Source: jango.exe.0.dr, Stub/aFEL2vOaRPS3edJ6.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'yFRb0ZHa0P00LHsh', 'ONsLjfVpDt47yE24', 'edWzlhqfNupzahmP', 'S70XacZplrXptN35', '4GydiL2QluwRyZKM', 'gaHrzrnUK8Fu0YNd', 'GOT1JK9mHjfPERtq', 'noGgSaWbZroxxL7K'
Source: jango.exe.0.dr, Stub/w1nZ4PWCUZwHil60SzE0C7t1G3LjGng2H1Ox1DniTDZzsaHoOURY2DaP733eByQLRUkRJe1Bq0.cs	High entropy of concatenated method names: '.ctor', 'wqsDUKlXJYQbyeQ6', 'tR7kTtsNeKyp7C5b', 'KQbraHvyuGPIa5zu', 'glMVFqkeQqCUQwVH', 'JihJASvo23RsICNt', 'verekihDbYdBRGnX', 'nBwRrMvnXgHIqJIy', 'G9UzX4Zp1KOCZ9cf', '1dBIC1ewSJ5gyTEn'
Source: jango.exe.0.dr, My/Voxy0FeZ2cxDnE2sZg1wGey6jIfkxHYKupFfAqtxQ7B9e28gRGW822vSRkQLGjWeTsEXu1q7Gd.cs	High entropy of concatenated method names: '.cctor', 'HZt88bHNVPpXZh4rJNSac1dk0QD9MPEJBt4OJh23Z7AvBMP1EksT097Gb9byBHFarM0o55HQZa', 'fk8JPrtm18jWJIBQbq3ZfM2TkQJiwpsdbLccvX0zXIKqwuwOd8ZcpesxaUNthowfVkF9N9o7ex', 'qG3SbFuAkZB5DsvInuiHHD74ezBC1UqqreLkQCefoi7no2yUmFPP69J3Rk4FCn6hHDRaiq4Ose', 'oGUwLNNZ1sdOKCWNUfgXtIMd8sn10jnZCoF6cQMbcXqAZjo3KcMNUUNd6sLbkdH9PzgNeY3r0D', '6AbKv3LnuCINwCnt', '3eVXh44oTeVhTCyH', 'EgOUbzsgOFfa91oj', 'gadndigxhOfTjmkm', '51m0gzRGcTBGzW24'
Source: jango.exe.0.dr, Stub/qTGzZlHYZlmaUkbM.cs	High entropy of concatenated method names: '.ctor', 'HXXknsPVylxgmNLJ', 'FVNEbI7p8t7CW4QI', 'UPs7FEJEvgthRwGo', 'Oi1OJMJOKOGKIiIr', '2cWYp8nd1fDrBrFF', 'LtSu66PCzWHEAQAV', '1kXdnN26RNWDdmd6', 'a3PK5kZ1Tt1o8GCS', 'elspSyB8KAjwec7I'
Source: jango.exe.0.dr, Stub/u0033ESELlDGmCYl6Eas.cs	High entropy of concatenated method names: '.ctor', 'as6Gr2ZHEPxIrsOZ', '0mO2ITjQtVimk0eD', 'TOPXQvYuzZ0Oy6F1', 'LMpSGFBQnOgsJuZp', 'P44MOno3AsWiO1rP', 'cqCaT6HOqpP8FvKC', 'hLFfXYoA1zYXcQAr', 'yZmFybFsxWFV3fp4', '7ERPd6wGiC9cJnHm'
Source: 0.0.jango.exe.30000.0.unpack, Stub/TxXKz7l7TMtreUav.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'frtGIr1XzzGLRyjV', 'zqvaESzr8Hhulrl5', '3GnAcR2ROGbLOoSq', 'bdWBwmMn7rKoAKut', 'dOMXCJqpdBJioZ0h', '2Cw131G8gJXbTXj3', '0NT90kpZtvwdDP1Y', 'f3rvyt6RGydLhsXc'
Source: 0.0.jango.exe.30000.0.unpack, Stub/wdMu22PFfmKEXhEb.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'Fi2lrgC8lX4PT6E2', 'TK4n2cnDmc0ydRvp', '4RwU31fqwdz0ZxAQ', 'LH8CbPTZjuzCPiSn', 'Y68f1HZdjNds1erj', 'vjdWys8kmLz9KUoK', 'cW58LTxtlRYQTrUS', '4zVQAoIuw3Dmuc1E'
Source: 0.0.jango.exe.30000.0.unpack, Stub/TxlW2zEggC03cCPc.cs	High entropy of concatenated method names: '.cctor', 'yCpHZQWwg2awwbIW', 'BN6Ol7TAnSFavunC', 'oZpOrqpbG6qKOeXA', 'rYCjJLcLqKN9ijgp', 'hsLO2zHfSaK3F3eR', 'Ll9WU5OLiVWjU0Z2', 'ezwYMf8SyDSDCsht', 'tl0wsgyMUgUO4Fhs', 'KYrT5FPjsjCzdjBz'
Source: 0.0.jango.exe.30000.0.unpack, Stub/aFEL2vOaRPS3edJ6.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'yFRb0ZHa0P00LHsh', 'ONsLjfVpDt47yE24', 'edWzlhqfNupzahmP', 'S70XacZplrXptN35', '4GydiL2QluwRyZKM', 'gaHrzrnUK8Fu0YNd', 'GOT1JK9mHjfPERtq', 'noGgSaWbZroxxL7K'
Source: 0.0.jango.exe.30000.0.unpack, Stub/w1nZ4PWCUZwHil60SzE0C7t1G3LjGng2H1Ox1DniTDZzsaHoOURY2DaP733eByQLRUkRJe1Bq0.cs	High entropy of concatenated method names: '.ctor', 'wqsDUKlXJYQbyeQ6', 'tR7kTtsNeKyp7C5b', 'KQbraHvyuGPIa5zu', 'glMVFqkeQqCUQwVH', 'JihJASvo23RsICNt', 'verekihDbYdBRGnX', 'nBwRrMvnXgHIqJIy', 'G9UzX4Zp1KOCZ9cf', '1dBIC1ewSJ5gyTEn'
Source: 0.0.jango.exe.30000.0.unpack, Stub/u0033ESELlDGmCYl6Eas.cs	High entropy of concatenated method names: '.ctor', 'as6Gr2ZHEPxIrsOZ', '0mO2ITjQtVimk0eD', 'TOPXQvYuzZ0Oy6F1', 'LMpSGFBQnOgsJuZp', 'P44MOno3AsWiO1rP', 'cqCaT6HOqpP8FvKC', 'hLFfXYoA1zYXcQAr', 'yZmFybFsxWFV3fp4', '7ERPd6wGiC9cJnHm'
Source: 0.0.jango.exe.30000.0.unpack, Stub/qTGzZlHYZlmaUkbM.cs	High entropy of concatenated method names: '.ctor', 'HXXknsPVylxgmNLJ', 'FVNEbI7p8t7CW4QI', 'UPs7FEJEvgthRwGo', 'Oi1OJMJOKOGKIiIr', '2cWYp8nd1fDrBrFF', 'LtSu66PCzWHEAQAV', '1kXdnN26RNWDdmd6', 'a3PK5kZ1Tt1o8GCS', 'elspSyB8KAjwec7I'
Source: 0.0.jango.exe.30000.0.unpack, My/Voxy0FeZ2cxDnE2sZg1wGey6jIfkxHYKupFfAqtxQ7B9e28gRGW822vSRkQLGjWeTsEXu1q7Gd.cs	High entropy of concatenated method names: '.cctor', 'HZt88bHNVPpXZh4rJNSac1dk0QD9MPEJBt4OJh23Z7AvBMP1EksT097Gb9byBHFarM0o55HQZa', 'fk8JPrtm18jWJIBQbq3ZfM2TkQJiwpsdbLccvX0zXIKqwuwOd8ZcpesxaUNthowfVkF9N9o7ex', 'qG3SbFuAkZB5DsvInuiHHD74ezBC1UqqreLkQCefoi7no2yUmFPP69J3Rk4FCn6hHDRaiq4Ose', 'oGUwLNNZ1sdOKCWNUfgXtIMd8sn10jnZCoF6cQMbcXqAZjo3KcMNUUNd6sLbkdH9PzgNeY3r0D', '6AbKv3LnuCINwCnt', '3eVXh44oTeVhTCyH', 'EgOUbzsgOFfa91oj', 'gadndigxhOfTjmkm', '51m0gzRGcTBGzW24'

Source: C:\Users\user\Desktop\jango.exe

File created: C:\Users\Public\jango.exe

Jump to dropped file

Source: C:\Users\user\Desktop\jango.exe

File created: C:\Users\Public\jango.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\jango.exe

File created: C:\Users\Public\jango.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\jango.exe

Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "jango" /tr "C:\Users\Public\jango.exe

Source: C:\Users\user\Desktop\jango.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jango.lnk

Source: C:\Users\user\Desktop\jango.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jango.lnk

Source: C:\Users\user\Desktop\jango.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jango			Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jango			Jump to behavior

Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\jango.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\jango.exe TID: 6944	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Users\Public\jango.exe TID: 3120	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\jango.exe TID: 5668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\jango.exe TID: 7148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\jango.exe TID: 5124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\jango.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\Public\jango.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\jango.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\jango.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\jango.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\jango.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\jango.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\jango.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\jango.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\jango.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\jango.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\jango.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\jango.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\jango.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\jango.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: jango.exe, 00000000.00000002.641775598.000000001B1E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: jango.exe, jango.exe.0.dr	Binary or memory string: zQEmuWQB71USZV1e

Source: C:\Users\user\Desktop\jango.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\jango.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\jango.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\jango.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\jango.exe

Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "jango" /tr "C:\Users\Public\jango.exe

Source: C:\Users\user\Desktop\jango.exe	Queries volume information: C:\Users\user\Desktop\jango.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jango.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\jango.exe	Queries volume information: C:\Users\Public\jango.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\jango.exe	Queries volume information: C:\Users\Public\jango.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\jango.exe	Queries volume information: C:\Users\Public\jango.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\jango.exe	Queries volume information: C:\Users\Public\jango.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\jango.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: jango.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jango.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.373122947.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jango.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\jango.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: jango.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jango.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.373122947.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jango.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\jango.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	111 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	21 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	2 Non-Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	3 Application Layer Protocol	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
jango.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.XWorm
jango.exe	60%	Virustotal		Browse
jango.exe	100%	Avira	TR/Spy.Gen
jango.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\jango.exe	100%	Avira	TR/Spy.Gen
C:\Users\Public\jango.exe	100%	Joe Sandbox ML
C:\Users\Public\jango.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.XWorm

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
0.tcp.in.ngrok.io	16%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastebin.com	172.67.34.170	true	false		high
0.tcp.in.ngrok.io	3.6.30.85	true	false	16%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/jZsr13qA	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	jango.exe, 00000000.00000002.641205813.0000000002241000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pastebin.com	jango.exe, 00000000.00000002.641205813.0000000002306000.00000004.00000800.00020000.00000000.sdmp	false	high
https://pastebin.com	jango.exe, 00000000.00000002.641205813.00000000022FC000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.6.30.85	0.tcp.in.ngrok.io	United States	16509	AMAZON-02US	false
3.6.115.182	unknown	United States	16509	AMAZON-02US	false
3.6.122.107	unknown	United States	16509	AMAZON-02US	false
172.67.34.170	pastebin.com	United States	13335	CLOUDFLARENETUS	false
3.6.115.64	unknown	United States	16509	AMAZON-02US	false
3.6.98.232	unknown	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	876935
Start date and time:	2023-05-28 02:36:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	jango.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/4@37/7
EGA Information:	Successful, ratio: 20%
HDC Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 38 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Execution Graph export aborted for target jango.exe, PID 2960 because it is empty
Execution Graph export aborted for target jango.exe, PID 3576 because it is empty
Execution Graph export aborted for target jango.exe, PID 6956 because it is empty
Execution Graph export aborted for target jango.exe, PID 7132 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:37:08	Task Scheduler	Run new task: jango path: C:\Users\Public\jango.exe
02:37:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jango C:\Users\Public\jango.exe
02:37:16	API Interceptor	21x Sleep call for process: jango.exe modified
02:37:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jango C:\Users\Public\jango.exe
02:37:26	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jango.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.6.30.85	cracksetup.exe	Get hash	malicious	Nanocore	Browse
	LocalStaFvjUblU.exe	Get hash	malicious	njRat	Browse
	ehqsU9jDFb.exe	Get hash	malicious	njRat	Browse
	EADSXus8Cw.exe	Get hash	malicious	njRat	Browse
	KPiASQ9E43.exe	Get hash	malicious	Njrat	Browse
	DDD24717592B5B34947AF56B9F84CD2CE01B0B2EFB62D.exe	Get hash	malicious	njRat	Browse
	cvh2bWXOjP.exe	Get hash	malicious	RedLine	Browse
3.6.115.182	RN2vknsx6G.exe	Get hash	malicious	RedLine	Browse	0.tcp.in.ngrok.io:17440/
3.6.122.107	RN2vknsx6G.exe	Get hash	malicious	RedLine	Browse	0.tcp.in.ngrok.io:17440/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	ap6B2upFrF.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty	Browse	104.20.67.143
	LauncherPC.exe	Get hash	malicious	Laplas Clipper, Vidar, Xmrig	Browse	172.67.34.170
	bMJI.exe	Get hash	malicious	Njrat	Browse	172.67.34.170
	file.exe	Get hash	malicious	MinerDownloader, RedLine, Vidar, Xmrig	Browse	104.20.67.143
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Xmrig	Browse	104.20.68.143
	ChatGPT-4_Online.exe	Get hash	malicious	DCRat	Browse	172.67.34.170
	bohoZFWgIt.exe	Get hash	malicious	DCRat	Browse	104.20.68.143
	parser.exe	Get hash	malicious	Amadey, Djvu, Fabookie, SmokeLoader, Xmrig	Browse	172.67.34.170
	file.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse	104.20.68.143
	Doc736388_pdf.js	Get hash	malicious	Unknown	Browse	104.20.68.143
	Doc736388_pdf.js	Get hash	malicious	Unknown	Browse	172.67.34.170
	CTT-MAIO.442-CN.25.msi	Get hash	malicious	VMdetect	Browse	104.20.68.143
	AppInstaller 10.9.exe	Get hash	malicious	Unknown	Browse	104.20.68.143
	AppInstaller 10.9.exe	Get hash	malicious	Unknown	Browse	104.20.67.143
	sdadwqeq.js	Get hash	malicious	Unknown	Browse	104.20.67.143
	sdadwqeq.js	Get hash	malicious	Unknown	Browse	104.20.67.143
	werwqrqrq.js	Get hash	malicious	Unknown	Browse	104.20.68.143
	werwqrqrq.js	Get hash	malicious	Unknown	Browse	104.20.67.143
	csrss.exe	Get hash	malicious	Njrat	Browse	172.67.34.170
	Dorksearchergoldcleaned.exe	Get hash	malicious	LimeRAT	Browse	104.20.68.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://dnzsmdndnrrhwhwuqhajwekqwmnsdmds.net/	Get hash	malicious	Unknown	Browse	13.48.56.233
	https://www--wellsfargo--com--2x49329d48d6c.wsipv6.com/	Get hash	malicious	Unknown	Browse	52.210.27.198
	hg7OY4V27j.exe	Get hash	malicious	Njrat	Browse	3.127.181.115
	https://smartchimp.com.au/rss/shalette.jones/3mail@b.c	Get hash	malicious	HTMLPhisher	Browse	52.92.17.97
	https://secs-typaueft-knoiabs.yolasite.com/	Get hash	malicious	Unknown	Browse	13.224.98.110
	https://galiciaoffice-1.heartdev.repl.co/	Get hash	malicious	Unknown	Browse	13.248.151.210
	http://mercedesvolvoferrari.net/	Get hash	malicious	HTMLPhisher	Browse	13.48.56.233
	https://dnzgrxrxdnasdsadqweuasdjalsawpeqaa.net/index.php	Get hash	malicious	Unknown	Browse	13.48.56.233
	2RIfrkwl8Q.elf	Get hash	malicious	Mirai, Moobot	Browse	108.151.215.98
	N30FLTPIjo.elf	Get hash	malicious	Mirai, Moobot	Browse	13.233.151.166
	ufrz7wcBDi.elf	Get hash	malicious	Mirai, Moobot	Browse	108.129.27.103
	6AU1Y1X4Oy.elf	Get hash	malicious	Mirai, Moobot	Browse	65.9.141.226
	tIf5bkDmaS.exe	Get hash	malicious	njRat	Browse	18.158.249.75
	y8vTlQJc3k.exe	Get hash	malicious	njRat	Browse	18.158.249.75
	https://clicks.aweber.com/y/ct/?l=uF.9An&m=iJtAzEaaLy9AqTX&b=I4gTS31dtQGPsGAgicrNUw#.aHR0cHM6Ly9zbWFydGNoaW1wLmNvbS5hdS9yc3MvYWVuZXVtYW4vYWVuZXVtYW5AbWFkLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	52.218.44.161
	ATT35778.HTM	Get hash	malicious	HTMLPhisher	Browse	76.76.21.241
	https://myalumni.mcgill.ca/redirect.aspx?linkID=805890&sendId=208699&eid=228301&gid=2&tokenUrl=https%3a%2f%2fvc0r0h.codesandbox.io/?mandate=ZW1pbHlfdGVsbEBtYW51bGlmZS5jb20=	Get hash	malicious	Unknown	Browse	13.226.150.23
	https://myalumni.mcgill.ca/redirect.aspx?linkID=805890&sendId=208699&eid=228301&gid=2&tokenUrl=https%3a%2f%2fgq3z96.codesandbox.io/?mandate=Y3N0c0Bldm9jYW5hZGEuY29t	Get hash	malicious	Unknown	Browse	13.226.150.45
	FpYvEAtlSE.elf	Get hash	malicious	Mirai	Browse	52.77.75.11
	Oea3YPoJ4F.elf	Get hash	malicious	Mirai	Browse	18.167.112.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	allah.bat	Get hash	malicious	Quasar	Browse	172.67.34.170
	ap6B2upFrF.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty	Browse	172.67.34.170
	quotation.pdf.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.34.170
	wDeGiI6U9u.exe	Get hash	malicious	Gurcu Stealer	Browse	172.67.34.170
	Dekont_20230509140935165.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.34.170
	DHL_Documents_8355916__524256.PDF(61kb).exe	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.34.170
	ZiraatBankasiSwiftMesaji26-05-2023.exe	Get hash	malicious	AgentTesla	Browse	172.67.34.170
	fattura_e_consegna_delle_informazioni_DHL.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.34.170
	Peg9Rc8yFK.exe	Get hash	malicious	Quasar	Browse	172.67.34.170
	UPDATED_PI.pdf_(2).exe	Get hash	malicious	AgentTesla	Browse	172.67.34.170
	PO451033201.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.34.170
	gE3qA0IdI3.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.34.170
	SecuriteInfo.com.Win32.MalwareX-gen.17658.11235.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.34.170
	qT4VNvfY3r.exe	Get hash	malicious	LummaC Stealer, SmokeLoader	Browse	172.67.34.170
	Bank_Form_Document.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.34.170
	https://demuseasia.com/MjI4NTUwNFU0MTM4OGw=	Get hash	malicious	Unknown	Browse	172.67.34.170
	KwW85078PI.exe	Get hash	malicious	Axlocker	Browse	172.67.34.170
	Sniepriu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.34.170
	zIJElVbBti.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.34.170
	Obeoyfng.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.34.170

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\jango.exe

Process:	C:\Users\user\Desktop\jango.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	5.860660081133286
Encrypted:	false
SSDEEP:	1536:K7c2/5rEItNHHc7lwKDjXgebhO+YZbWwAXWvO3kP0y:K7c2/5rncxFHXgebhOdZbWXWvO3ksy
MD5:	C81E5ECD50FDA5D5162CE5C920BFAD15
SHA1:	7B8929CF91B1CEC30CA058117A2FADE8D853CEF6
SHA-256:	02AA8D694FCB141522227F5890D5750D3759AA3ED20D6FD6D124D867DB894186
SHA-512:	0BCE58D5D1CE40B1983CA2817CAC5B64BE87C72DA46714482E010B8C7A25AE2C0C86548174AFEF0C0855825FBBA98A62D8634CF89F29CEAF90D4EF16ACFCE7D0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\jango.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\jango.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 57%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....qd................................. ........@.. .......................@............@.................................P...K............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........Z..........&.....................................................(.....r...p. .(T...(.....r#..p. .....s.........s.........s.........s..........rE..p. .x!..rg..p. 3D...r...p. .~Z..r...p. ~....r...p. ,-....((....rp..p. .....r...p. .R.."(....+.&(....&+..+5sX... .... .'..oY...(,...~....-.(C...(9...~....oZ...&.-..rj..p.r...p. S....r...p.r...p.r...p. x....r...p. .U.."(D...+.:.t....(@...+..r...p. .e[..r...p. o[...r...p. p{..r...p.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jango.exe.log

Process:	C:\Users\Public\jango.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.374391981354885
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhap+92n4MNQpN9tv:ML9E4KrgKDE4KGKN08AKh6+84xpNT
MD5:	C8A62E39DE7A3F805D39384E8BABB1E0
SHA1:	B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31
SHA-256:	A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383
SHA-512:	7DB2825131F5CDA6AF33A179D9F7CD0A206FF34AE50D6E66DE9E99BE2CD1CB985B88C00F0EDE72BBC4467E7E42B5DC6132403AA2EC1A0A7A6D11766C438B10C3
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Log.tmp

Process:	C:\Users\user\Desktop\jango.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	3.7189532820450215
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsrzj4Xn:EFYJKDoWrYXn
MD5:	DB00A144B8FE7D08CC7B44480B19B2B4
SHA1:	3E272505722EC3879412CF70D3C500D79B89FDEA
SHA-256:	6BDA88D34F06476BBC45249DEDCC105C56278C5732B0D4E4BA083D281E245126
SHA-512:	18BD2256A04F3298CA70EF165F74D957FC99DD3C8F0D15389E1B9AAFDD9C9ED7AD55B7713302C411151FB5532DAA42855DEDF53E191395F417191E393A31E472
Malicious:	false
Reputation:	low
Preview:	....### explorer ###..[WIN][WIN]r

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jango.lnk

Process:	C:\Users\user\Desktop\jango.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun May 28 08:37:07 2023, mtime=Sun May 28 08:37:10 2023, atime=Sun May 28 08:37:10 2023, length=52224, window=hide
Category:	dropped
Size (bytes):	969
Entropy (8bit):	4.638218066234478
Encrypted:	false
SSDEEP:	12:8GF4FL20UXv6CHqXiXgACmMyNbQkjA+Wmp+EeQzgkNvu+hPhT4t2Y+xIBjKZm:8GF4FzUZNhAxenvRJh7aB6m
MD5:	D2AF92964FDF3168C8CA26C5EDE3720B
SHA1:	BC3757B0182A7B71C33023512D1B7652CE507A4C
SHA-256:	389F0F4BDAD775C0AF2CFC24B726EB5365A01385056287516C576121E4A56EEE
SHA-512:	B44F5C86CCEEC551E32AA4997B75627F427FD281424B6C1EBE941419603D6DD56CAF80CB35C2F7D84A57F8B9655C3CD78511644E22439371E761D03F3A0067EC
Malicious:	false
Preview:	L..................F.... .....N.G...;...G...;...G................................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...V.L....................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1......Nlv..Public..f......L..V.L....................<......o2.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....\.2......V.L .jango.exe.D......V.L.V.L....@V.....................I..j.a.n.g.o...e.x.e.......H...............-.......G.............t......C:\Users\Public\jango.exe..(.....\.....\.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.j.a.n.g.o...e.x.e.............!............v...cM.jVD.Es.!...`.......X.......632922...........!a..%.H.VZAj...M0...........W...!a..%.H.VZAj...M0...........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K..@.A..7sFJ............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.860660081133286
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	jango.exe
File size:	52224
MD5:	c81e5ecd50fda5d5162ce5c920bfad15
SHA1:	7b8929cf91b1cec30ca058117a2fade8d853cef6
SHA256:	02aa8d694fcb141522227f5890d5750d3759aa3ed20d6fd6d124d867db894186
SHA512:	0bce58d5d1ce40b1983ca2817cac5b64be87c72da46714482e010b8c7a25ae2c0c86548174afef0c0855825fbba98a62d8634cf89f29ceaf90d4ef16acfce7d0
SSDEEP:	1536:K7c2/5rEItNHHc7lwKDjXgebhO+YZbWwAXWvO3kP0y:K7c2/5rncxFHXgebhOdZbWXWvO3ksy
TLSH:	5D336B6CB7E14135D1FF6BB56CB6B226D735A3174913872F38D900DA2623A9CCA007E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....qd................................. ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40e09e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6471D1C6 [Sat May 27 09:47:50 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe050	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x4c6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc0a4	0xc200	False	0.5760107925257731	data	5.966728890995258	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x4c6	0x600	False	0.3723958333333333	data	3.6932198257026454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x100a0	0x23c	data
RT_MANIFEST	0x102dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2023 02:37:11.258579016 CEST	49721	443	192.168.2.5	172.67.34.170
May 28, 2023 02:37:11.258662939 CEST	443	49721	172.67.34.170	192.168.2.5
May 28, 2023 02:37:11.258785963 CEST	49721	443	192.168.2.5	172.67.34.170
May 28, 2023 02:37:11.281801939 CEST	49721	443	192.168.2.5	172.67.34.170
May 28, 2023 02:37:11.281874895 CEST	443	49721	172.67.34.170	192.168.2.5
May 28, 2023 02:37:11.338058949 CEST	443	49721	172.67.34.170	192.168.2.5
May 28, 2023 02:37:11.338351011 CEST	49721	443	192.168.2.5	172.67.34.170
May 28, 2023 02:37:11.342880964 CEST	49721	443	192.168.2.5	172.67.34.170
May 28, 2023 02:37:11.342915058 CEST	443	49721	172.67.34.170	192.168.2.5
May 28, 2023 02:37:11.343264103 CEST	443	49721	172.67.34.170	192.168.2.5
May 28, 2023 02:37:11.387365103 CEST	49721	443	192.168.2.5	172.67.34.170
May 28, 2023 02:37:11.557549953 CEST	49721	443	192.168.2.5	172.67.34.170
May 28, 2023 02:37:11.600313902 CEST	443	49721	172.67.34.170	192.168.2.5
May 28, 2023 02:37:11.737963915 CEST	443	49721	172.67.34.170	192.168.2.5
May 28, 2023 02:37:11.738318920 CEST	443	49721	172.67.34.170	192.168.2.5
May 28, 2023 02:37:11.738468885 CEST	49721	443	192.168.2.5	172.67.34.170
May 28, 2023 02:37:11.746597052 CEST	49721	443	192.168.2.5	172.67.34.170
May 28, 2023 02:37:15.097285986 CEST	49722	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:15.245146990 CEST	19633	49722	3.6.30.85	192.168.2.5
May 28, 2023 02:37:15.747095108 CEST	49722	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:15.898403883 CEST	19633	49722	3.6.30.85	192.168.2.5
May 28, 2023 02:37:16.403444052 CEST	49722	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:16.551621914 CEST	19633	49722	3.6.30.85	192.168.2.5
May 28, 2023 02:37:16.700459003 CEST	49723	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:16.848072052 CEST	19633	49723	3.6.30.85	192.168.2.5
May 28, 2023 02:37:17.356592894 CEST	49723	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:17.505129099 CEST	19633	49723	3.6.30.85	192.168.2.5
May 28, 2023 02:37:18.012845039 CEST	49723	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:18.160440922 CEST	19633	49723	3.6.30.85	192.168.2.5
May 28, 2023 02:37:18.871542931 CEST	49724	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:19.018238068 CEST	19633	49724	3.6.30.85	192.168.2.5
May 28, 2023 02:37:19.528630972 CEST	49724	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:19.675120115 CEST	19633	49724	3.6.30.85	192.168.2.5
May 28, 2023 02:37:20.310244083 CEST	49724	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:20.456868887 CEST	19633	49724	3.6.30.85	192.168.2.5
May 28, 2023 02:37:25.177723885 CEST	49725	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:37:25.325246096 CEST	19633	49725	3.6.98.232	192.168.2.5
May 28, 2023 02:37:25.826124907 CEST	49725	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:37:25.973740101 CEST	19633	49725	3.6.98.232	192.168.2.5
May 28, 2023 02:37:26.482397079 CEST	49725	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:37:26.629761934 CEST	19633	49725	3.6.98.232	192.168.2.5
May 28, 2023 02:37:26.836822987 CEST	49726	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:26.983297110 CEST	19633	49726	3.6.30.85	192.168.2.5
May 28, 2023 02:37:27.498024940 CEST	49726	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:27.644473076 CEST	19633	49726	3.6.30.85	192.168.2.5
May 28, 2023 02:37:28.154366970 CEST	49726	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:28.300839901 CEST	19633	49726	3.6.30.85	192.168.2.5
May 28, 2023 02:37:28.479214907 CEST	49727	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:37:28.625823021 CEST	19633	49727	3.6.98.232	192.168.2.5
May 28, 2023 02:37:29.138835907 CEST	49727	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:37:29.285613060 CEST	19633	49727	3.6.98.232	192.168.2.5
May 28, 2023 02:37:29.795207977 CEST	49727	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:37:29.945208073 CEST	19633	49727	3.6.98.232	192.168.2.5
May 28, 2023 02:37:30.099139929 CEST	49728	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:30.246069908 CEST	19633	49728	3.6.30.85	192.168.2.5
May 28, 2023 02:37:30.748380899 CEST	49728	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:30.895426989 CEST	19633	49728	3.6.30.85	192.168.2.5
May 28, 2023 02:37:31.404612064 CEST	49728	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:31.552023888 CEST	19633	49728	3.6.30.85	192.168.2.5
May 28, 2023 02:37:35.010090113 CEST	49729	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:35.157059908 CEST	19633	49729	3.6.30.85	192.168.2.5
May 28, 2023 02:37:35.670780897 CEST	49729	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:35.817781925 CEST	19633	49729	3.6.30.85	192.168.2.5
May 28, 2023 02:37:36.326950073 CEST	49729	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:36.473773003 CEST	19633	49729	3.6.30.85	192.168.2.5
May 28, 2023 02:37:36.614166975 CEST	49730	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:36.761260033 CEST	19633	49730	3.6.30.85	192.168.2.5
May 28, 2023 02:37:37.264492989 CEST	49730	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:37.411603928 CEST	19633	49730	3.6.30.85	192.168.2.5
May 28, 2023 02:37:37.920851946 CEST	49730	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:38.068130970 CEST	19633	49730	3.6.30.85	192.168.2.5
May 28, 2023 02:37:43.025927067 CEST	49731	19633	192.168.2.5	3.6.115.182
May 28, 2023 02:37:43.173337936 CEST	19633	49731	3.6.115.182	192.168.2.5
May 28, 2023 02:37:43.686965942 CEST	49731	19633	192.168.2.5	3.6.115.182
May 28, 2023 02:37:43.834502935 CEST	19633	49731	3.6.115.182	192.168.2.5
May 28, 2023 02:37:44.343337059 CEST	49731	19633	192.168.2.5	3.6.115.182
May 28, 2023 02:37:44.490936995 CEST	19633	49731	3.6.115.182	192.168.2.5
May 28, 2023 02:37:44.637707949 CEST	49732	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:37:44.784900904 CEST	19633	49732	3.6.98.232	192.168.2.5
May 28, 2023 02:37:45.296478987 CEST	49732	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:37:45.443784952 CEST	19633	49732	3.6.98.232	192.168.2.5
May 28, 2023 02:37:45.952730894 CEST	49732	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:37:46.100029945 CEST	19633	49732	3.6.98.232	192.168.2.5
May 28, 2023 02:37:46.242317915 CEST	49733	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:46.389925957 CEST	19633	49733	3.6.30.85	192.168.2.5
May 28, 2023 02:37:46.890449047 CEST	49733	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:48.536684036 CEST	19633	49733	3.6.30.85	192.168.2.5
May 28, 2023 02:37:49.046740055 CEST	49733	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:49.194235086 CEST	19633	49733	3.6.30.85	192.168.2.5
May 28, 2023 02:37:53.627674103 CEST	49734	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:53.775465965 CEST	19633	49734	3.6.30.85	192.168.2.5
May 28, 2023 02:37:54.281608105 CEST	49734	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:54.429503918 CEST	19633	49734	3.6.30.85	192.168.2.5
May 28, 2023 02:37:54.937881947 CEST	49734	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:37:55.085612059 CEST	19633	49734	3.6.30.85	192.168.2.5
May 28, 2023 02:37:55.598202944 CEST	49736	19633	192.168.2.5	3.6.115.182
May 28, 2023 02:37:55.748488903 CEST	19633	49736	3.6.115.182	192.168.2.5
May 28, 2023 02:37:56.266181946 CEST	49736	19633	192.168.2.5	3.6.115.182
May 28, 2023 02:37:56.412923098 CEST	19633	49736	3.6.115.182	192.168.2.5
May 28, 2023 02:37:56.922426939 CEST	49736	19633	192.168.2.5	3.6.115.182
May 28, 2023 02:37:57.069132090 CEST	19633	49736	3.6.115.182	192.168.2.5
May 28, 2023 02:38:01.314528942 CEST	49737	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:01.461361885 CEST	19633	49737	3.6.30.85	192.168.2.5
May 28, 2023 02:38:01.969700098 CEST	49737	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:02.116434097 CEST	19633	49737	3.6.30.85	192.168.2.5
May 28, 2023 02:38:02.625987053 CEST	49737	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:02.772747040 CEST	19633	49737	3.6.30.85	192.168.2.5
May 28, 2023 02:38:02.923073053 CEST	49738	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:03.070107937 CEST	19633	49738	3.6.115.64	192.168.2.5
May 28, 2023 02:38:03.579396009 CEST	49738	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:03.726557970 CEST	19633	49738	3.6.115.64	192.168.2.5
May 28, 2023 02:38:04.235611916 CEST	49738	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:04.382757902 CEST	19633	49738	3.6.115.64	192.168.2.5
May 28, 2023 02:38:04.511495113 CEST	49739	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:04.658509016 CEST	19633	49739	3.6.30.85	192.168.2.5
May 28, 2023 02:38:05.173114061 CEST	49739	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:05.320163012 CEST	19633	49739	3.6.30.85	192.168.2.5
May 28, 2023 02:38:05.829432011 CEST	49739	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:05.976555109 CEST	19633	49739	3.6.30.85	192.168.2.5
May 28, 2023 02:38:06.128752947 CEST	49740	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:06.275918007 CEST	19633	49740	3.6.30.85	192.168.2.5
May 28, 2023 02:38:06.782716036 CEST	49740	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:06.929919958 CEST	19633	49740	3.6.30.85	192.168.2.5
May 28, 2023 02:38:07.438960075 CEST	49740	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:07.586091042 CEST	19633	49740	3.6.30.85	192.168.2.5
May 28, 2023 02:38:07.728776932 CEST	49741	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:38:07.875655890 CEST	19633	49741	3.6.98.232	192.168.2.5
May 28, 2023 02:38:08.380451918 CEST	49741	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:38:08.527587891 CEST	19633	49741	3.6.98.232	192.168.2.5
May 28, 2023 02:38:09.032808065 CEST	49741	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:38:09.179979086 CEST	19633	49741	3.6.98.232	192.168.2.5
May 28, 2023 02:38:12.643940926 CEST	49742	19633	192.168.2.5	3.6.115.182
May 28, 2023 02:38:12.791904926 CEST	19633	49742	3.6.115.182	192.168.2.5
May 28, 2023 02:38:13.298789024 CEST	49742	19633	192.168.2.5	3.6.115.182
May 28, 2023 02:38:13.446257114 CEST	19633	49742	3.6.115.182	192.168.2.5
May 28, 2023 02:38:13.970738888 CEST	49742	19633	192.168.2.5	3.6.115.182
May 28, 2023 02:38:14.118016958 CEST	19633	49742	3.6.115.182	192.168.2.5
May 28, 2023 02:38:17.668950081 CEST	49743	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:17.816446066 CEST	19633	49743	3.6.30.85	192.168.2.5
May 28, 2023 02:38:18.330497980 CEST	49743	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:18.478022099 CEST	19633	49743	3.6.30.85	192.168.2.5
May 28, 2023 02:38:18.986854076 CEST	49743	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:19.134543896 CEST	19633	49743	3.6.30.85	192.168.2.5
May 28, 2023 02:38:19.299890041 CEST	49744	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:19.447869062 CEST	19633	49744	3.6.30.85	192.168.2.5
May 28, 2023 02:38:19.955818892 CEST	49744	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:20.103851080 CEST	19633	49744	3.6.30.85	192.168.2.5
May 28, 2023 02:38:20.612052917 CEST	49744	19633	192.168.2.5	3.6.30.85
May 28, 2023 02:38:20.760418892 CEST	19633	49744	3.6.30.85	192.168.2.5
May 28, 2023 02:38:24.075433016 CEST	49745	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:38:24.222718954 CEST	19633	49745	3.6.98.232	192.168.2.5
May 28, 2023 02:38:24.726977110 CEST	49745	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:38:24.874185085 CEST	19633	49745	3.6.98.232	192.168.2.5
May 28, 2023 02:38:25.374394894 CEST	49745	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:38:25.522058010 CEST	19633	49745	3.6.98.232	192.168.2.5
May 28, 2023 02:38:25.657434940 CEST	49746	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:25.804722071 CEST	19633	49746	3.6.115.64	192.168.2.5
May 28, 2023 02:38:26.318207026 CEST	49746	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:26.465708017 CEST	19633	49746	3.6.115.64	192.168.2.5
May 28, 2023 02:38:26.988208055 CEST	49746	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:27.135691881 CEST	19633	49746	3.6.115.64	192.168.2.5
May 28, 2023 02:38:27.314811945 CEST	49747	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:27.461239100 CEST	19633	49747	3.6.115.64	192.168.2.5
May 28, 2023 02:38:27.969352007 CEST	49747	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:28.115792036 CEST	19633	49747	3.6.115.64	192.168.2.5
May 28, 2023 02:38:28.624783993 CEST	49747	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:28.771209955 CEST	19633	49747	3.6.115.64	192.168.2.5
May 28, 2023 02:38:32.248198986 CEST	49748	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:32.395009041 CEST	19633	49748	3.6.115.64	192.168.2.5
May 28, 2023 02:38:32.902540922 CEST	49748	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:33.049424887 CEST	19633	49748	3.6.115.64	192.168.2.5
May 28, 2023 02:38:33.559962988 CEST	49748	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:33.706893921 CEST	19633	49748	3.6.115.64	192.168.2.5
May 28, 2023 02:38:33.850270987 CEST	49749	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:33.996798038 CEST	19633	49749	3.6.115.64	192.168.2.5
May 28, 2023 02:38:34.512028933 CEST	49749	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:34.658479929 CEST	19633	49749	3.6.115.64	192.168.2.5
May 28, 2023 02:38:35.168458939 CEST	49749	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:35.314876080 CEST	19633	49749	3.6.115.64	192.168.2.5
May 28, 2023 02:38:38.911722898 CEST	49750	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:38:39.058516026 CEST	19633	49750	3.6.98.232	192.168.2.5
May 28, 2023 02:38:39.560115099 CEST	49750	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:38:39.706862926 CEST	19633	49750	3.6.98.232	192.168.2.5
May 28, 2023 02:38:40.215809107 CEST	49750	19633	192.168.2.5	3.6.98.232
May 28, 2023 02:38:40.362531900 CEST	19633	49750	3.6.98.232	192.168.2.5
May 28, 2023 02:38:44.237306118 CEST	49751	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:44.384092093 CEST	19633	49751	3.6.115.64	192.168.2.5
May 28, 2023 02:38:44.887969971 CEST	49751	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:45.034626961 CEST	19633	49751	3.6.115.64	192.168.2.5
May 28, 2023 02:38:45.544281006 CEST	49751	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:45.691154957 CEST	19633	49751	3.6.115.64	192.168.2.5
May 28, 2023 02:38:45.836178064 CEST	49752	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:45.982594013 CEST	19633	49752	3.6.115.64	192.168.2.5
May 28, 2023 02:38:46.497436047 CEST	49752	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:46.644015074 CEST	19633	49752	3.6.115.64	192.168.2.5
May 28, 2023 02:38:47.153785944 CEST	49752	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:47.300164938 CEST	19633	49752	3.6.115.64	192.168.2.5
May 28, 2023 02:38:47.432097912 CEST	49753	19633	192.168.2.5	3.6.122.107
May 28, 2023 02:38:47.578839064 CEST	19633	49753	3.6.122.107	192.168.2.5
May 28, 2023 02:38:48.091487885 CEST	49753	19633	192.168.2.5	3.6.122.107
May 28, 2023 02:38:48.238325119 CEST	19633	49753	3.6.122.107	192.168.2.5
May 28, 2023 02:38:48.747652054 CEST	49753	19633	192.168.2.5	3.6.122.107
May 28, 2023 02:38:48.894172907 CEST	19633	49753	3.6.122.107	192.168.2.5
May 28, 2023 02:38:53.286106110 CEST	49754	19633	192.168.2.5	3.6.122.107
May 28, 2023 02:38:53.433610916 CEST	19633	49754	3.6.122.107	192.168.2.5
May 28, 2023 02:38:54.138772011 CEST	49754	19633	192.168.2.5	3.6.122.107
May 28, 2023 02:38:54.286401033 CEST	19633	49754	3.6.122.107	192.168.2.5
May 28, 2023 02:38:54.795139074 CEST	49754	19633	192.168.2.5	3.6.122.107
May 28, 2023 02:38:54.942537069 CEST	19633	49754	3.6.122.107	192.168.2.5
May 28, 2023 02:38:55.117973089 CEST	49755	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:55.263935089 CEST	19633	49755	3.6.115.64	192.168.2.5
May 28, 2023 02:38:55.779486895 CEST	49755	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:55.925589085 CEST	19633	49755	3.6.115.64	192.168.2.5
May 28, 2023 02:38:56.435802937 CEST	49755	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:38:56.581983089 CEST	19633	49755	3.6.115.64	192.168.2.5
May 28, 2023 02:39:00.170706034 CEST	49756	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:39:00.317711115 CEST	19633	49756	3.6.115.64	192.168.2.5
May 28, 2023 02:39:00.826725006 CEST	49756	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:39:00.973714113 CEST	19633	49756	3.6.115.64	192.168.2.5
May 28, 2023 02:39:01.483150005 CEST	49756	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:39:01.630197048 CEST	19633	49756	3.6.115.64	192.168.2.5
May 28, 2023 02:39:01.767811060 CEST	49757	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:39:01.914962053 CEST	19633	49757	3.6.115.64	192.168.2.5
May 28, 2023 02:39:02.420713902 CEST	49757	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:39:02.567764044 CEST	19633	49757	3.6.115.64	192.168.2.5
May 28, 2023 02:39:03.077056885 CEST	49757	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:39:03.224575043 CEST	19633	49757	3.6.115.64	192.168.2.5
May 28, 2023 02:39:10.109649897 CEST	49758	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:39:10.256009102 CEST	19633	49758	3.6.115.64	192.168.2.5
May 28, 2023 02:39:10.779946089 CEST	49758	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:39:10.926518917 CEST	19633	49758	3.6.115.64	192.168.2.5
May 28, 2023 02:39:11.546399117 CEST	49758	19633	192.168.2.5	3.6.115.64
May 28, 2023 02:39:11.692593098 CEST	19633	49758	3.6.115.64	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2023 02:37:11.214557886 CEST	61452	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:11.240665913 CEST	53	61452	8.8.8.8	192.168.2.5
May 28, 2023 02:37:15.065180063 CEST	65323	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:15.091980934 CEST	53	65323	8.8.8.8	192.168.2.5
May 28, 2023 02:37:16.684528112 CEST	51484	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:16.699400902 CEST	53	51484	8.8.8.8	192.168.2.5
May 28, 2023 02:37:18.681440115 CEST	63446	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:18.717134953 CEST	53	63446	8.8.8.8	192.168.2.5
May 28, 2023 02:37:25.129283905 CEST	56751	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:25.175338984 CEST	53	56751	8.8.8.8	192.168.2.5
May 28, 2023 02:37:26.805531025 CEST	55039	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:26.833374023 CEST	53	55039	8.8.8.8	192.168.2.5
May 28, 2023 02:37:28.439970016 CEST	60975	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:28.469187021 CEST	53	60975	8.8.8.8	192.168.2.5
May 28, 2023 02:37:30.068753004 CEST	59220	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:30.097670078 CEST	53	59220	8.8.8.8	192.168.2.5
May 28, 2023 02:37:34.987512112 CEST	55068	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:35.008835077 CEST	53	55068	8.8.8.8	192.168.2.5
May 28, 2023 02:37:36.597054958 CEST	56682	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:36.611414909 CEST	53	56682	8.8.8.8	192.168.2.5
May 28, 2023 02:37:43.002919912 CEST	58532	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:43.024866104 CEST	53	58532	8.8.8.8	192.168.2.5
May 28, 2023 02:37:44.615221024 CEST	62659	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:44.636091948 CEST	53	62659	8.8.8.8	192.168.2.5
May 28, 2023 02:37:46.211803913 CEST	58581	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:46.240569115 CEST	53	58581	8.8.8.8	192.168.2.5
May 28, 2023 02:37:53.594909906 CEST	56263	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:53.623619080 CEST	53	56263	8.8.8.8	192.168.2.5
May 28, 2023 02:37:55.575706959 CEST	56687	53	192.168.2.5	8.8.8.8
May 28, 2023 02:37:55.596112967 CEST	53	56687	8.8.8.8	192.168.2.5
May 28, 2023 02:38:01.289494038 CEST	64419	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:01.309165001 CEST	53	64419	8.8.8.8	192.168.2.5
May 28, 2023 02:38:02.897015095 CEST	52688	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:02.919218063 CEST	53	52688	8.8.8.8	192.168.2.5
May 28, 2023 02:38:04.494837999 CEST	61344	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:04.509617090 CEST	53	61344	8.8.8.8	192.168.2.5
May 28, 2023 02:38:06.096405983 CEST	53972	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:06.124767065 CEST	53	53972	8.8.8.8	192.168.2.5
May 28, 2023 02:38:07.698357105 CEST	64932	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:07.726929903 CEST	53	64932	8.8.8.8	192.168.2.5
May 28, 2023 02:38:12.627775908 CEST	58472	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:12.642714024 CEST	53	58472	8.8.8.8	192.168.2.5
May 28, 2023 02:38:17.638019085 CEST	60177	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:17.667330027 CEST	53	60177	8.8.8.8	192.168.2.5
May 28, 2023 02:38:19.272417068 CEST	60284	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:19.295516968 CEST	53	60284	8.8.8.8	192.168.2.5
May 28, 2023 02:38:24.053095102 CEST	60019	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:24.073513031 CEST	53	60019	8.8.8.8	192.168.2.5
May 28, 2023 02:38:25.635863066 CEST	50902	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:25.655822992 CEST	53	50902	8.8.8.8	192.168.2.5
May 28, 2023 02:38:27.277374983 CEST	53823	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:27.313344002 CEST	53	53823	8.8.8.8	192.168.2.5
May 28, 2023 02:38:32.225725889 CEST	49769	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:32.246100903 CEST	53	49769	8.8.8.8	192.168.2.5
May 28, 2023 02:38:33.825591087 CEST	49579	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:33.848961115 CEST	53	49579	8.8.8.8	192.168.2.5
May 28, 2023 02:38:38.880816936 CEST	53555	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:38.910556078 CEST	53	53555	8.8.8.8	192.168.2.5
May 28, 2023 02:38:44.205729008 CEST	61293	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:44.234205961 CEST	53	61293	8.8.8.8	192.168.2.5
May 28, 2023 02:38:45.813411951 CEST	50086	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:45.833396912 CEST	53	50086	8.8.8.8	192.168.2.5
May 28, 2023 02:38:47.408828020 CEST	52188	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:47.430206060 CEST	53	52188	8.8.8.8	192.168.2.5
May 28, 2023 02:38:53.261418104 CEST	54585	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:53.281160116 CEST	53	54585	8.8.8.8	192.168.2.5
May 28, 2023 02:38:55.082707882 CEST	52100	53	192.168.2.5	8.8.8.8
May 28, 2023 02:38:55.116307974 CEST	53	52100	8.8.8.8	192.168.2.5
May 28, 2023 02:39:00.149355888 CEST	60908	53	192.168.2.5	8.8.8.8
May 28, 2023 02:39:00.169478893 CEST	53	60908	8.8.8.8	192.168.2.5
May 28, 2023 02:39:01.742073059 CEST	58623	53	192.168.2.5	8.8.8.8
May 28, 2023 02:39:01.765650034 CEST	53	58623	8.8.8.8	192.168.2.5
May 28, 2023 02:39:10.079174042 CEST	65493	53	192.168.2.5	8.8.8.8
May 28, 2023 02:39:10.107728004 CEST	53	65493	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 28, 2023 02:37:11.214557886 CEST	192.168.2.5	8.8.8.8	0xb36b	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:15.065180063 CEST	192.168.2.5	8.8.8.8	0xae17	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:16.684528112 CEST	192.168.2.5	8.8.8.8	0x319a	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:18.681440115 CEST	192.168.2.5	8.8.8.8	0x39ae	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:25.129283905 CEST	192.168.2.5	8.8.8.8	0xc606	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:26.805531025 CEST	192.168.2.5	8.8.8.8	0x5fe5	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:28.439970016 CEST	192.168.2.5	8.8.8.8	0xfafc	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:30.068753004 CEST	192.168.2.5	8.8.8.8	0x884d	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:34.987512112 CEST	192.168.2.5	8.8.8.8	0xd0db	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:36.597054958 CEST	192.168.2.5	8.8.8.8	0x2f15	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:43.002919912 CEST	192.168.2.5	8.8.8.8	0xdb47	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:44.615221024 CEST	192.168.2.5	8.8.8.8	0x48fe	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:46.211803913 CEST	192.168.2.5	8.8.8.8	0xe220	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:53.594909906 CEST	192.168.2.5	8.8.8.8	0xc943	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:55.575706959 CEST	192.168.2.5	8.8.8.8	0x77d1	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:01.289494038 CEST	192.168.2.5	8.8.8.8	0x4422	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:02.897015095 CEST	192.168.2.5	8.8.8.8	0xe51e	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:04.494837999 CEST	192.168.2.5	8.8.8.8	0x8e7e	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:06.096405983 CEST	192.168.2.5	8.8.8.8	0x45ac	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:07.698357105 CEST	192.168.2.5	8.8.8.8	0x1692	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:12.627775908 CEST	192.168.2.5	8.8.8.8	0xcee2	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:17.638019085 CEST	192.168.2.5	8.8.8.8	0xff63	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:19.272417068 CEST	192.168.2.5	8.8.8.8	0xc1d	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:24.053095102 CEST	192.168.2.5	8.8.8.8	0x8296	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:25.635863066 CEST	192.168.2.5	8.8.8.8	0x3313	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:27.277374983 CEST	192.168.2.5	8.8.8.8	0x4efd	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:32.225725889 CEST	192.168.2.5	8.8.8.8	0xa9ea	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:33.825591087 CEST	192.168.2.5	8.8.8.8	0xa4a4	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:38.880816936 CEST	192.168.2.5	8.8.8.8	0x47db	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:44.205729008 CEST	192.168.2.5	8.8.8.8	0xeb2e	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:45.813411951 CEST	192.168.2.5	8.8.8.8	0x4eb5	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:47.408828020 CEST	192.168.2.5	8.8.8.8	0x87b1	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:53.261418104 CEST	192.168.2.5	8.8.8.8	0x2d0f	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:55.082707882 CEST	192.168.2.5	8.8.8.8	0x99cc	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:39:00.149355888 CEST	192.168.2.5	8.8.8.8	0x7d10	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:39:01.742073059 CEST	192.168.2.5	8.8.8.8	0x508c	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
May 28, 2023 02:39:10.079174042 CEST	192.168.2.5	8.8.8.8	0xeb28	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 28, 2023 02:37:11.240665913 CEST	8.8.8.8	192.168.2.5	0xb36b	No error (0)	pastebin.com	172.67.34.170	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:11.240665913 CEST	8.8.8.8	192.168.2.5	0xb36b	No error (0)	pastebin.com	104.20.68.143	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:11.240665913 CEST	8.8.8.8	192.168.2.5	0xb36b	No error (0)	pastebin.com	104.20.67.143	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:15.091980934 CEST	8.8.8.8	192.168.2.5	0xae17	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:16.699400902 CEST	8.8.8.8	192.168.2.5	0x319a	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:18.717134953 CEST	8.8.8.8	192.168.2.5	0x39ae	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:25.175338984 CEST	8.8.8.8	192.168.2.5	0xc606	No error (0)	0.tcp.in.ngrok.io	3.6.98.232	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:26.833374023 CEST	8.8.8.8	192.168.2.5	0x5fe5	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:28.469187021 CEST	8.8.8.8	192.168.2.5	0xfafc	No error (0)	0.tcp.in.ngrok.io	3.6.98.232	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:30.097670078 CEST	8.8.8.8	192.168.2.5	0x884d	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:35.008835077 CEST	8.8.8.8	192.168.2.5	0xd0db	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:36.611414909 CEST	8.8.8.8	192.168.2.5	0x2f15	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:43.024866104 CEST	8.8.8.8	192.168.2.5	0xdb47	No error (0)	0.tcp.in.ngrok.io	3.6.115.182	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:44.636091948 CEST	8.8.8.8	192.168.2.5	0x48fe	No error (0)	0.tcp.in.ngrok.io	3.6.98.232	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:46.240569115 CEST	8.8.8.8	192.168.2.5	0xe220	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:53.623619080 CEST	8.8.8.8	192.168.2.5	0xc943	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:37:55.596112967 CEST	8.8.8.8	192.168.2.5	0x77d1	No error (0)	0.tcp.in.ngrok.io	3.6.115.182	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:01.309165001 CEST	8.8.8.8	192.168.2.5	0x4422	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:02.919218063 CEST	8.8.8.8	192.168.2.5	0xe51e	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:04.509617090 CEST	8.8.8.8	192.168.2.5	0x8e7e	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:06.124767065 CEST	8.8.8.8	192.168.2.5	0x45ac	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:07.726929903 CEST	8.8.8.8	192.168.2.5	0x1692	No error (0)	0.tcp.in.ngrok.io	3.6.98.232	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:12.642714024 CEST	8.8.8.8	192.168.2.5	0xcee2	No error (0)	0.tcp.in.ngrok.io	3.6.115.182	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:17.667330027 CEST	8.8.8.8	192.168.2.5	0xff63	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:19.295516968 CEST	8.8.8.8	192.168.2.5	0xc1d	No error (0)	0.tcp.in.ngrok.io	3.6.30.85	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:24.073513031 CEST	8.8.8.8	192.168.2.5	0x8296	No error (0)	0.tcp.in.ngrok.io	3.6.98.232	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:25.655822992 CEST	8.8.8.8	192.168.2.5	0x3313	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:27.313344002 CEST	8.8.8.8	192.168.2.5	0x4efd	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:32.246100903 CEST	8.8.8.8	192.168.2.5	0xa9ea	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:33.848961115 CEST	8.8.8.8	192.168.2.5	0xa4a4	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:38.910556078 CEST	8.8.8.8	192.168.2.5	0x47db	No error (0)	0.tcp.in.ngrok.io	3.6.98.232	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:44.234205961 CEST	8.8.8.8	192.168.2.5	0xeb2e	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:45.833396912 CEST	8.8.8.8	192.168.2.5	0x4eb5	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:47.430206060 CEST	8.8.8.8	192.168.2.5	0x87b1	No error (0)	0.tcp.in.ngrok.io	3.6.122.107	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:53.281160116 CEST	8.8.8.8	192.168.2.5	0x2d0f	No error (0)	0.tcp.in.ngrok.io	3.6.122.107	A (IP address)	IN (0x0001)	false
May 28, 2023 02:38:55.116307974 CEST	8.8.8.8	192.168.2.5	0x99cc	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:39:00.169478893 CEST	8.8.8.8	192.168.2.5	0x7d10	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:39:01.765650034 CEST	8.8.8.8	192.168.2.5	0x508c	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
May 28, 2023 02:39:10.107728004 CEST	8.8.8.8	192.168.2.5	0xeb28	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49721	172.67.34.170	443	C:\Users\user\Desktop\jango.exe

Timestamp	Direction	Data
2023-05-28 00:37:11 UTC	OUT	GET /raw/jZsr13qA HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2023-05-28 00:37:11 UTC	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 00:37:11 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Sun, 28 May 2023 00:37:11 GMT Server: cloudflare CF-RAY: 7ce26d7b3a4b18e0-FRA
2023-05-28 00:37:11 UTC	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 39 36 33 33 0d 0a Data Ascii: 170.tcp.in.ngrok.io:19633
2023-05-28 00:37:11 UTC	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: jango.exePID: 5428, Parent PID: 3324

General

Target ID:	0
Start time:	02:37:03
Start date:	28/05/2023
Path:	C:\Users\user\Desktop\jango.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\jango.exe
Imagebase:	0x30000
File size:	52224 bytes
MD5 hash:	C81E5ECD50FDA5D5162CE5C920BFAD15
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.373122947.0000000000032000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.373122947.0000000000032000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exePID: 748, Parent PID: 5428

General

Target ID:	1
Start time:	02:37:08
Start date:	28/05/2023
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "jango" /tr "C:\Users\Public\jango.exe
Imagebase:	0x7ff6aabe0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exePID: 6984, Parent PID: 748

General

Target ID:	2
Start time:	02:37:08
Start date:	28/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: jango.exePID: 7132, Parent PID: 3324

General

Target ID:	3
Start time:	02:37:17
Start date:	28/05/2023
Path:	C:\Users\Public\jango.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\jango.exe"
Imagebase:	0xe80000
File size:	52224 bytes
MD5 hash:	C81E5ECD50FDA5D5162CE5C920BFAD15
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\jango.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\jango.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 57%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: jango.exePID: 2960, Parent PID: 3324

General

Target ID:	6
Start time:	02:37:26
Start date:	28/05/2023
Path:	C:\Users\Public\jango.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\jango.exe"
Imagebase:	0xf60000
File size:	52224 bytes
MD5 hash:	C81E5ECD50FDA5D5162CE5C920BFAD15
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: jango.exePID: 6956, Parent PID: 1084

General

Target ID:	7
Start time:	02:38:01
Start date:	28/05/2023
Path:	C:\Users\Public\jango.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\jango.exe
Imagebase:	0x4f0000
File size:	52224 bytes
MD5 hash:	C81E5ECD50FDA5D5162CE5C920BFAD15
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: jango.exePID: 3576, Parent PID: 1084

General

Target ID:	9
Start time:	02:39:00
Start date:	28/05/2023
Path:	C:\Users\Public\jango.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\jango.exe
Imagebase:	0x4b0000
File size:	52224 bytes
MD5 hash:	C81E5ECD50FDA5D5162CE5C920BFAD15
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low