Windows
Analysis Report
GvJxEfWyS1.ps1
Overview
General Information
Sample name: | GvJxEfWyS1.ps1renamed because original name is a hash value |
Original sample name: | 41f746cfbfc418caee659826b7fc4728e1347014ea5f0c840728b30ba31b3c8b.ps1 |
Analysis ID: | 1517139 |
MD5: | 7cee317b8911c2bf3f013b44caac9e4e |
SHA1: | 91dac8bcdc075a226d21292563c5db084b826f80 |
SHA256: | 41f746cfbfc418caee659826b7fc4728e1347014ea5f0c840728b30ba31b3c8b |
Tags: | ps1vecotr-viewdns-netuser-JAMESWT_MHT |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- powershell.exe (PID: 6888 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -noLogo -E xecutionPo licy unres tricted -f ile "C:\Us ers\user\D esktop\GvJ xEfWyS1.ps 1" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6916 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RegSvcs.exe (PID: 3300 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Svcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
{"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
Click to see the 6 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
Click to see the 5 entries |
System Summary |
---|
Source: | Author: frack113: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-24T19:20:02.897899+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:03.055016+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:16.309537+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:29.508594+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:32.895440+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:42.746601+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:53.398958+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:57.461284+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:58.414794+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:58.509419+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:58.604156+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:01.086561+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:02.893343+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:14.468164+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:27.554989+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:30.321634+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:32.899726+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:43.570050+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:45.929708+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:46.027566+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:52.558234+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:56.120661+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:56.244818+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:02.339361+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:02.913986+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:04.628138+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:11.150265+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:18.940931+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:22.389123+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:26.448896+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:27.445851+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:32.289633+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:32.891114+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:38.164741+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:38.164776+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:38.165159+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:51.243424+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:57.612973+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:02.900551+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:09.258597+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.313701+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.409315+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.788726+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.789658+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.789921+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:19.176603+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:30.054998+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:32.912145+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:33.577159+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:41.626485+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-24T19:20:03.222875+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:16.311312+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:29.510762+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:42.748832+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:53.402168+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:57.466451+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:58.417090+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:58.511498+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:58.606163+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:01.088240+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:14.471577+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:27.556880+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:30.324508+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:43.572154+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:45.933945+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:46.029729+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:46.144476+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:46.352521+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:52.568975+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:56.122936+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:56.246761+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:02.350083+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:04.637850+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:11.152100+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:22.391080+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:26.451884+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:27.448028+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:32.291961+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:38.167244+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:38.172539+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:51.247747+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:57.618282+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:09.260961+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.316871+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.410697+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.617290+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.790363+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.795706+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:19.181221+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:30.059563+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:33.579356+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:41.630251+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-24T19:20:02.897899+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:32.895440+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:02.893343+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:32.899726+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:02.913986+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:32.891114+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:02.900551+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:32.912145+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-24T19:21:52.383496+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 0_2_00007FFD9B8AA0B2 | |
Source: | Code function: | 2_2_0292B2B8 | |
Source: | Code function: | 2_2_029281D8 | |
Source: | Code function: | 2_2_02925510 | |
Source: | Code function: | 2_2_0292BFF8 | |
Source: | Code function: | 2_2_02925DE0 | |
Source: | Code function: | 2_2_029251C8 | |
Source: | Code function: | 2_2_02920BA0 |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Classification label: |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Data Obfuscation |
---|
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | Code function: | 2_2_02927DA1 |
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior |
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: |
Source: | Memory written: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 212 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 121 Virtualization/Sandbox Evasion | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 212 Process Injection | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
24% | ReversingLabs | Script-PowerShell.Backdoor.Xworm |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
vecotr.viewdns.net | 191.96.207.180 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
191.96.207.180 | vecotr.viewdns.net | Chile | 60458 | ASN-XTUDIONETES | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1517139 |
Start date and time: | 2024-09-24 19:18:38 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 55s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | GvJxEfWyS1.ps1renamed because original name is a hash value |
Original Sample Name: | 41f746cfbfc418caee659826b7fc4728e1347014ea5f0c840728b30ba31b3c8b.ps1 |
Detection: | MAL |
Classification: | mal100.troj.evad.winPS1@4/5@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target powershell.exe, PID 6888 because it is empty
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: GvJxEfWyS1.ps1
Time | Type | Description |
---|---|---|
13:19:33 | API Interceptor | |
13:19:48 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
191.96.207.180 | Get hash | malicious | PureLog Stealer, XWorm | Browse | ||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | PureLog Stealer, XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
vecotr.viewdns.net | Get hash | malicious | PureLog Stealer, XWorm | Browse |
| |
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | PureLog Stealer, XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ASN-XTUDIONETES | Get hash | malicious | PureLog Stealer, XWorm | Browse |
| |
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | PureLog Stealer, XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Okiru | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | FormBook, PureLog Stealer | Browse |
| ||
Get hash | malicious | FormBook, PureLog Stealer | Browse |
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Download File
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 1.1628158735648508 |
Encrypted: | false |
SSDEEP: | 3:NlllulLhwlz:NllUO |
MD5: | F442CD24937ABD508058EA44FD91378E |
SHA1: | FDE63CECA441AA1C5C9C401498F9032A23B38085 |
SHA-256: | E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6 |
SHA-512: | 927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
Download File
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6221 |
Entropy (8bit): | 3.7284070836475958 |
Encrypted: | false |
SSDEEP: | 48:vhi/tD2l5LPr3C4U28ujgukvhkvklCyw2mdfK3RlCBSogZol/K3RlDBSogZoh1:0Il533CxHudkvhkvCCtRK3RhHuK3RKHe |
MD5: | 2D15929AD0D83FA21C5351D7DF826E37 |
SHA1: | 4E35BB1554877F265D587A20985EEB437E3B457B |
SHA-256: | CDEF0B86567C53D7BDE89EFA92D532C68169CDF06500BC8872639ACAAEF6DE25 |
SHA-512: | 894BE044DBC91E31BAF42C98F3E87AD413B1E1D623511EEBEA5B23E3D781817C1FE374DC3BF474F198AC6B58E99F6E367ACE0A452AFC3FC1E3C32538EF363CDB |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K8EWC842OA6SYY98URXL.temp
Download File
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6221 |
Entropy (8bit): | 3.7284070836475958 |
Encrypted: | false |
SSDEEP: | 48:vhi/tD2l5LPr3C4U28ujgukvhkvklCyw2mdfK3RlCBSogZol/K3RlDBSogZoh1:0Il533CxHudkvhkvCCtRK3RhHuK3RKHe |
MD5: | 2D15929AD0D83FA21C5351D7DF826E37 |
SHA1: | 4E35BB1554877F265D587A20985EEB437E3B457B |
SHA-256: | CDEF0B86567C53D7BDE89EFA92D532C68169CDF06500BC8872639ACAAEF6DE25 |
SHA-512: | 894BE044DBC91E31BAF42C98F3E87AD413B1E1D623511EEBEA5B23E3D781817C1FE374DC3BF474F198AC6B58E99F6E367ACE0A452AFC3FC1E3C32538EF363CDB |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 3.1248255692674873 |
TrID: | |
File name: | GvJxEfWyS1.ps1 |
File size: | 329'783 bytes |
MD5: | 7cee317b8911c2bf3f013b44caac9e4e |
SHA1: | 91dac8bcdc075a226d21292563c5db084b826f80 |
SHA256: | 41f746cfbfc418caee659826b7fc4728e1347014ea5f0c840728b30ba31b3c8b |
SHA512: | 42fe836bf246af4bcc2259dde43cfd29612cd6e320e87bd714c31d61faf8f9322effbe99bb76e55dd92044de6fab8d6a8cb3d5122277b4f981a8534bfe92a601 |
SSDEEP: | 3072:wL3D5WXtWVH44LhC8z60U4h3mShvTUfWwLC5ImBK5W9Fp81fABAUvetcTnZm:Q5W0H44LhC85TUOwqYyfbg |
TLSH: | F064CC898537FB85CC0228A61D2B39F078C86D5EA1F5C8F0AF379C1A25D50589FBDDA1 |
File Content Preview: | try..{....$cake = "4D_5A_90_00_03_00_00_00_04_00_00_00_FF_FF_00_00_B8_00_00_00_00_00_00_00_40_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_80_00_00_00_0E_1F_BA_0E_00_B4_09_CD_21_B8_01_4C_CD_21_54 |
Icon Hash: | 3270d6baae77db44 |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-24T19:20:02.878931+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:02.897899+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:02.897899+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:03.055016+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:03.222875+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:16.309537+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:16.311312+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:29.508594+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:29.510762+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:32.895440+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:32.895440+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:42.746601+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:42.748832+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:53.398958+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:53.402168+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:57.461284+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:57.466451+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:58.414794+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:58.417090+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:58.509419+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:58.511498+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:20:58.604156+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:20:58.606163+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:01.086561+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:01.088240+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:02.893343+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:02.893343+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:14.468164+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:14.471577+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:27.554989+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:27.556880+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:30.321634+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:30.324508+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:32.899726+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:32.899726+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:43.570050+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:43.572154+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:45.929708+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:45.933945+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:46.027566+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:46.029729+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:46.144476+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:46.352521+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:52.383496+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:52.558234+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:52.568975+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:56.120661+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:56.122936+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:21:56.244818+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:21:56.246761+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:02.339361+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:02.350083+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:02.913986+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:02.913986+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:04.628138+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:04.637850+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:11.150265+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:11.152100+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:18.940931+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:22.389123+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:22.391080+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:26.448896+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:26.451884+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:27.445851+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:27.448028+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:32.289633+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:32.291961+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:32.891114+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:32.891114+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:38.164741+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:38.164776+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:38.165159+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:38.167244+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:38.172539+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:51.243424+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:51.247747+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:22:57.612973+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:22:57.618282+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:02.900551+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:02.900551+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:09.258597+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:09.260961+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.313701+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.316871+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.409315+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.410697+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.617290+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.788726+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.789658+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.789921+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:14.790363+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:14.795706+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:19.176603+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:19.181221+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:30.054998+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:30.059563+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:32.912145+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:32.912145+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:33.577159+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:33.579356+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
2024-09-24T19:23:41.626485+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP |
2024-09-24T19:23:41.630251+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 24, 2024 19:19:49.309956074 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:19:49.315283060 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:19:49.315373898 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:19:49.482865095 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:19:49.692908049 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:19:49.724298954 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:19:49.724344969 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:02.878931046 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:02.884051085 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:02.897898912 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:02.942919970 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:03.055016041 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:03.099200964 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:03.222875118 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:03.276057005 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:16.100122929 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:16.131674051 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:16.309536934 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:16.311311960 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:16.316488981 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:29.334016085 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:29.339200974 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:29.508594036 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:29.510761976 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:29.515670061 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:32.895440102 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:32.942889929 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:42.568135023 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:42.573328018 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:42.746601105 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:42.748831987 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:42.753742933 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:53.224598885 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:53.229576111 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:53.398957968 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:53.402168036 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:53.407021999 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:57.286943913 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:57.291922092 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:57.461283922 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:57.466450930 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:57.471323013 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:58.240181923 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:58.245101929 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:58.256033897 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:58.260936975 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:58.349453926 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:58.354365110 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:58.414793968 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:58.417089939 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:58.421889067 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:58.509418964 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:58.511497974 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:58.516587973 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:58.604156017 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:20:58.606163025 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:20:58.611073017 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:00.912002087 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:00.916929960 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:01.086560965 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:01.088239908 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:01.093074083 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:02.893342972 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:02.942910910 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:14.147440910 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:14.299743891 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:14.468163967 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:14.471576929 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:14.476506948 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:27.380673885 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:27.385847092 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:27.554989100 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:27.556879997 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:27.561739922 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:30.147229910 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:30.152126074 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:30.321634054 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:30.324507952 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:30.329840899 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:32.899725914 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:32.942955017 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:43.380654097 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:43.385766983 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:43.570050001 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:43.572154045 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:43.577188969 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:45.740076065 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:45.745217085 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:45.786948919 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:45.792435884 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:45.802571058 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:45.807555914 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:45.818465948 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:45.823391914 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:45.929708004 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:45.933944941 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:45.938884020 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:46.027565956 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:46.029728889 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:46.034563065 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:46.142451048 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:46.144475937 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:46.349517107 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:46.352520943 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:46.357454062 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:52.383496046 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:52.388720989 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:52.558233976 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:52.568974972 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:52.573951006 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:55.943350077 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:55.948422909 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:56.068275928 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:56.073533058 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:56.120661020 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:56.122936010 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:56.127779961 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:56.244817972 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:21:56.246761084 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:21:56.251919031 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:02.161876917 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:02.167937994 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:02.339360952 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:02.350083113 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:02.354861975 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:02.913985968 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:02.958513975 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:04.255922079 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:04.450105906 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:04.628138065 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:04.637850046 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:04.655674934 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:10.974451065 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:10.980886936 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:11.150264978 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:11.152100086 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:11.157147884 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:17.068283081 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:17.410545111 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:17.748002052 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:18.474489927 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:18.772656918 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:18.775325060 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:18.775414944 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:18.775439024 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:18.940931082 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:18.946384907 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:18.952760935 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:21.927484035 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:22.209439993 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:22.389122963 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:22.391079903 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:22.404474020 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:26.271640062 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:26.276828051 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:26.448895931 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:26.451884031 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:26.456758022 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:27.271425009 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:27.276555061 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:27.445851088 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:27.448028088 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:27.453020096 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:32.115010023 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:32.120223045 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:32.289633036 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:32.291960955 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:32.296928883 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:32.891113997 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:32.975533962 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:37.818177938 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:37.823314905 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:37.833822966 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:37.838766098 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:38.164741039 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:38.164776087 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:38.164850950 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:38.165158987 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:38.165294886 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:38.167243958 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:38.172488928 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:38.172538996 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:38.177439928 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:51.068162918 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:51.073148966 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:51.243423939 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:51.247746944 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:51.252722025 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:57.433222055 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:57.438250065 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:57.612972975 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:22:57.618282080 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:22:57.623172045 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:02.900551081 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:02.942893982 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:09.084018946 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:09.089071035 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:09.258596897 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:09.260961056 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:09.265798092 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.130762100 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.135828018 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.177700996 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.182641029 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.240242958 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.245287895 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.313700914 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.316870928 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.321913004 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.396297932 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.401276112 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.409315109 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.410696983 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.617290020 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.788666964 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.788726091 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.789658070 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.789921045 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.790133953 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.790363073 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.791762114 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.795208931 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:14.795706034 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:14.800626993 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:18.818134069 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:18.824938059 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:19.176603079 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:19.181221008 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:19.192198992 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:29.646691084 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:29.865014076 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:29.886060953 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:29.886081934 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:30.054997921 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:30.059562922 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:30.064393044 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:32.912144899 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:32.958498955 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:33.224380016 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:33.257854939 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:33.577158928 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:33.579355955 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:33.584253073 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:41.451445103 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:41.456404924 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:41.626485109 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Sep 24, 2024 19:23:41.630250931 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180 |
Sep 24, 2024 19:23:41.635236025 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 24, 2024 19:19:49.233422995 CEST | 53211 | 53 | 192.168.2.4 | 1.1.1.1 |
Sep 24, 2024 19:19:49.252233028 CEST | 53 | 53211 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 24, 2024 19:19:49.233422995 CEST | 192.168.2.4 | 1.1.1.1 | 0xf03e | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 24, 2024 19:19:49.252233028 CEST | 1.1.1.1 | 192.168.2.4 | 0xf03e | No error (0) | 191.96.207.180 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 13:19:31 |
Start date: | 24/09/2024 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff788560000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 13:19:31 |
Start date: | 24/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 13:19:45 |
Start date: | 24/09/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6a0000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | false |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B971715 Relevance: 1.0, Instructions: 997COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B97251D Relevance: .5, Instructions: 519COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B971215 Relevance: .5, Instructions: 491COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B971286 Relevance: .4, Instructions: 441COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B97269E Relevance: .1, Instructions: 79COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B971966 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B8AC0F5 Relevance: .0, Instructions: 50COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B8A39B5 Relevance: .0, Instructions: 49COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B8AC165 Relevance: .0, Instructions: 47COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B8AC110 Relevance: .0, Instructions: 39COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B8AC1A8 Relevance: .0, Instructions: 25COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B8AC935 Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FFD9B8AA0B2 Relevance: .5, Instructions: 527COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage: | 13.4% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 65 |
Total number of Limit Nodes: | 5 |
Graph
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BCD400 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BCD3FB Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|